At an Authorized Event in Mountain View…
While one of the highlights of last week’s first-ever in-person AuthZ subscriber social was an Authorization 101 talk (courtesy Dr. Steven Venema) that went forward in the usual fashion, from A(ccess controls) to Z(anzibar), that inaugural invitation was also an application of the Working Backwards process. Reversing course from Z to A was another way to grow the kind of community we want to convene at an industry conference, by starting out serving our community right away with events co-located with conferences that already attract some of our audience.
Last week, that was right after the Internet Identity Workshop, where the organizers’ generosity offered us a venue at the Computer History Museum right after wrapping up their 38th edition on Thursday. That was also where folks first wondered about a whimsical weekly news clipping service, in October 2023, at IIW #37; and where more may organize an even more substantial occupation in October 2024, at IIW #39. The next opportunity for a meetup may be in May, at RSAC in San Francisco; or at Identiverse in Las Vegas; or in July at IETF #120 in Vancouver.
Don’t just “stay tuned” — sign up (for this AuthZ newsletter), speak up (on the Authorize@ group mailing list), and volunteer to organize & sponsor support for the next AuthZ subscriber social!
News Clippings
Breaking AuthZ
We discovered an AWS access vulnerability | Stedi [Apr 9, 2024] Poetic justice:
It’s not AWS.
There’s no way it’s AWS.
It was AWS.
Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds | WIRED (IG) [Mar 21, 2024]
Simplifying AuthZ
Permify.co announced its path for developing policies in plain English: AI assistant powered by Groq to generate authorization models : r/webdev (Reddit) [Apr 12, 2024]
Don’t call it a Co-pilot… but Google has ways to make IAM talk: Next ‘24: Make Google part of your security team, supercharged by AI [Apr 9, 2024]
“Gemini Cloud Assist … can provide straightforward, contextual recommendations to … uplevel IAM posture and reduce risk exposure.”
Selling AuthZ
Silk Security acquired for $150M by Armis Security for its “comprehensive overview of vulnerabilities from all corporate alert tools” [Apr 17, 2024]
API startup Noname Security nears $500M deal to sell itself to Akamai | TechCrunch for its platform to detect “data tampering and leakage, policy violations, suspicious behavior and API attacks” [Apr 12, 2024]
Lacework, last valued at $8.3B, is in talks to sell for just $150M to $200M, [to Wiz] | TechCrunch as a similar security data lake to enable analysts to map out cloud resources [Apr 18, 2024]
The Security Data Fabric Shift Explained: Why Zscaler Paid $350M for Avalor [Apr 18, 2024 analysis of the Mar 14, 2024 deal]
Filtering AuthZ
Sometimes you don’t need all of the alphabet: a subset might bring order, at least partially:
Oso takes the partial evaluation route: with the actor bound and the resource left open, a policy collapses into SQL WHERE clauses, so the application loads and formats only the rows the policy could allow:
Distributed Authorization | Oso (HN thread) [Apr 16, 2024]
Aserto went another way in Topaz, limiting data using graph connectivity in How ReBAC helps solve data filtering | Aserto [Apr 11, 2024]
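To make the two filtering approaches above concrete, here is an added example (my own illustration, not code from Oso, Aserto or Topaz) that runs both against the same constructed SQLite table of documents. The first half partially evaluates a three-rule read policy with the actor bound, emitting a parameterised WHERE clause; rules that cannot apply to this actor (no org memberships) are dropped from the disjunction. The second half derives the readable document ids from reachability over constructed ReBAC relationship tuples and filters with WHERE id IN (...). The table columns, the relation names and the sample users are all assumptions for this example.

```python
"""Added example: authorization policy as a data filter, two ways."""
import sqlite3
from collections import deque

# Constructed sample data: (id, owner, org, is_public)
DOCS = [
    (1, "alice", "eng", 0),
    (2, "bob", "eng", 0),
    (3, "carol", "sales", 1),
    (4, "dave", "sales", 0),
]

def make_db():
    """In-memory table the filters below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER, owner TEXT, org TEXT, is_public INTEGER)")
    conn.executemany("INSERT INTO docs VALUES (?,?,?,?)", DOCS)
    return conn

# --- 1. Partial evaluation: actor bound, resource symbolic ---------------
# Each rule receives the bound actor and returns (sql_fragment, params) over
# the still-unbound resource row, or None when the rule can never hold for
# this actor (so it is dropped from the OR rather than emitted as dead SQL).
def rule_public(actor):
    return ("is_public = 1", [])

def rule_owner(actor):
    return ("owner = ?", [actor["id"]])

def rule_org_member(actor):
    orgs = actor.get("orgs", [])
    if not orgs:
        return None  # actor belongs to no org: rule is false, drop it
    placeholders = ",".join("?" for _ in orgs)
    return (f"org IN ({placeholders})", list(orgs))

RULES = [rule_public, rule_owner, rule_org_member]

def partial_eval(actor):
    """Collapse the policy into one parameterised WHERE clause."""
    fragments, params = [], []
    for rule in RULES:
        result = rule(actor)
        if result is None:
            continue
        frag, p = result
        fragments.append(f"({frag})")
        params.extend(p)
    if not fragments:
        return "0", []  # no rule survived: authorize nothing
    return " OR ".join(fragments), params

def readable_docs_sql(conn, actor):
    where, params = partial_eval(actor)
    rows = conn.execute(f"SELECT id FROM docs WHERE {where} ORDER BY id", params)
    return [r[0] for r in rows]

# --- 2. ReBAC: permitted ids from graph reachability --------------------
# Constructed tuples (subject, relation, object). "public" is a pseudo-subject
# every user is treated as; a direct "viewer" grant has no column in the table,
# which is why this approach computes an id set instead of a predicate.
TUPLES = [
    ("alice", "member", "org:eng"),
    ("bob", "member", "org:eng"),
    ("org:eng", "owns", "doc:1"),
    ("org:eng", "owns", "doc:2"),
    ("carol", "member", "org:sales"),
    ("org:sales", "owns", "doc:3"),
    ("org:sales", "owns", "doc:4"),
    ("carol", "viewer", "doc:2"),
    ("public", "viewer", "doc:3"),
]
READ_RELATIONS = {"member", "owns", "viewer"}

def rebac_readable_ids(user, tuples=TUPLES):
    """Breadth-first walk from the user (and 'public') over read-granting relations."""
    adj = {}
    for subj, rel, obj in tuples:
        if rel in READ_RELATIONS:
            adj.setdefault(subj, []).append(obj)
    seen, queue = set(), deque([user, "public"])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(adj.get(node, []))
    return sorted(int(n.split(":", 1)[1]) for n in seen if n.startswith("doc:"))

def readable_docs_rebac(conn, user):
    ids = rebac_readable_ids(user)
    if not ids:
        return []
    placeholders = ",".join("?" for _ in ids)
    rows = conn.execute(f"SELECT id FROM docs WHERE id IN ({placeholders}) ORDER BY id", ids)
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    print(partial_eval({"id": "alice", "orgs": ["eng"]}))
    print(readable_docs_sql(db, {"id": "alice", "orgs": ["eng"]}))
    print(readable_docs_rebac(db, "carol"))
```

Note the trade-off the two halves expose: the WHERE-clause form stays in the database's query planner and scales with indexes, but only over facts the table already holds; the ReBAC form can honour relationships the table never stored (carol's direct viewer grant on doc 2), at the cost of materialising an id list that grows with the user's reach.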
Education First
Workshops
If you’re one of the lucky first few to open up this overture, you may still have a chance to win a ticket to fwd:CloudSec when the final tickets go on sale at Noon (Eastern) for the next one in North America, from June 17-18 in Arlington, VA. You can always find their talks online, but if you missed their CFP to “Declare Cyber Sovereignty” or preventing “A long train of abuses and usurpations,” then there’s also the next one in Europe, when your humble correspondent will be reporting from Brussels, Belgium on September 17, 2024.
Two weeks after that, there’s another infosec outing in Europe, at COSAC in Dublin, Ireland.
Books
If you have access to O’Reilly Learning, you might also take the opportunity to give feedback on the fine writing in the early-release edition of Policy-as-Code (PaC) by Jimmy Ray, a Cybersecurity Architect at Boeing, and formerly at AWS evangelizing Kubernetes. It’s arriving in print in July, or available as an eBook right now from your local public library or employer.
Papers
New Authorization White Paper from SGNL.ai: “Prevent Catastrophe When Hackers Compromise Identities” (registration required)
Cedar: A New Language for Expressive, Fast, Safe, and Analyzable Authorization (Extended Version) [2403.04651] Mar 8, 2024 I believe we didn’t point at this in any prior issues.
Also cited by StrongDM back on Mar 11, 2024 when they open sourced Cedar Go Implementation: Simplifying Security for Developers | StrongDM
Courses
If you prefer to learn without real people breathing down your neck, NIST also has you covered with new Online Introductory Courses Available for NIST SP 800-53, SP 800-53A, and SP 800-53B:
“NIST has released three self-guided online introductory courses on the NIST Special Publication (SP) 800-53 security and privacy control catalog, the SP 800-53A control assessment procedures, and SP 800-53B control baselines.”
Or if you’re just not feelin’ White & Nerdy enough to study any of this week’s Education First resources, perhaps a remedial seminar on l’œuvre de “Weird Al” might be in order? Vermont State University will teach students that even the master always asked for permission. Heck, he was such a mighty man, even his un-authorized trailers are authorized!
NeXTSteps
Start planning for IIW39 (Halloween) or even organizing a dedicated day after, as long as 1 November isn’t too close to IETF the following week.
More urgent, who can help plan an effective meetup for the AuthZ-orati at Identiverse?
Bar Talk
While attendance may have been measured by the dozens (OK, maybe only two), half of them arrived independently of IIW. Subscribers from the local community brought just as much expertise and passion for permissions as the speakers, which we hope will continue to be a hallmark for the future!
There was deep interest in the AuthZEN interop demo by Omri Gazitt and Atul Tulshibagwale, newly joined by a fourth implementation, this one using a decision engine from a different paradigm, Kogito. My “PowerPoint Karaoke” riff on Steven Venema’s slides commissioned for IIW became a thought-provoking prompt for attendees to compare how they pitch these concepts in their own ways.
Overheard over beers, after the talks: Z3 vs CVC5 vs Vampire performance… the origin of ReBAC… Maude… career-hopping up the CA chain… why robot accounts outlive humans… look for more notes on social media and bloggers next week.