The post-apocalyptic hellscape of I Am Legend emerges from a pandemic set a decade before COVID-19 (in the 2007 movie, at least; the vampiric MacGuffin of the original 1954 novel is a Bacillus averse to sunlight and garlic). Humanity’s final boy is the last uninfected New Yorker, roaming the streets attacking the “Darkseekers” by day, yet trapped in his fortress each night.
Will Smith’s character may have Zero-Trust in the inhuman hordes, but he’s reduced to old-fashioned perimeter defense and grueling daily routines to manually control access to his lab, all while searching for a “cure” that drives him to inhumane extremes. All in all, pretty much modern #IAM?
In addition to all-new Authorization articles this week, last week’s edition left out a bumper crop of IAM intelligence. There’s information about the permissions powering public Clouds, spanning sundry SaaS providers, and diving deep into databases.
All the AuthZ
Today on Identerati Office Hours, Omri Gazitt (Aserto) and Nicholas Hunt (HATSec) ask “Where should you enforce your authorization policy? Everywhere you can!” in Episode 46: Multi-layer authz? Yes please! on Sep 10, 2024 (LI)
Omri also blogged about Multi-tenant RBAC | Aserto on Sep 9, 2024 to introduce a new Topaz template for multi-tenant RBAC that addresses three common concerns that emerge right after isolating each tenant:
to “add another layer of containment” within tenants, like folders of photos;
to “support sharing of resources” between folders (or even other tenants); and
for “cross-cutting roles across tenants” like billing or support that won’t bypass AuthZ
Moderation is another real-world example of that third type of concern. Imagine how any responsible storage of, say, photos, ought to also account for misuse and even abuse. Who authorizes exceptional access? What gets logged? and Who could, should, or can’t be notified when that happens? Those are only a few of the authorization conundrums to consider at the second Trust and Safety Research Conference starting at the Stanford Internet Observatory on Sep 26, 2024.
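To make those three concerns concrete (and the “what gets logged?” question that moderation raises), here is an added illustration in Python. It is not the Topaz template or any Aserto code; it is a toy Zanzibar-style relationship graph with two tenants, nested folders, one cross-tenant share, and a support group whose access exists only because a tenant explicitly granted it. All object names, relations and rules are assumptions made for the example.

```python
from collections import defaultdict

# Added illustration, not Aserto's Topaz template. Objects and users are
# "type:id" strings; a subject may also be a userset tuple such as
# ("group:support", "member"). A permission is a union of rules: either a
# direct relation on the object, or (via_relation, permission), meaning
# "check `permission` on the objects reachable through `via_relation`".
# That second form is how containment (parent) and tenancy propagate.
PERMISSIONS = {
    "tenant": {
        "admin": ["admin"],
        "support_view": ["support"],   # only exists if the tenant opted in
    },
    "folder": {
        "view": ["owner", "viewer", ("parent", "view"), ("tenant", "support_view")],
        "edit": ["owner", ("parent", "edit"), ("tenant", "admin")],
    },
    "photo": {
        "view": [("parent", "view")],
        "edit": [("parent", "edit")],
    },
}

MAX_DEPTH = 16  # guard against cycles in the relationship graph


class Authz:
    def __init__(self):
        self.rel = defaultdict(set)   # (object, relation) -> set of subjects
        self.audit = []               # every top-level decision and the rule that matched

    def write(self, obj, relation, subject):
        self.rel[(obj, relation)].add(subject)

    def has_relation(self, user, obj, relation, depth=0):
        """Is `user` in the userset obj#relation, following nested usersets?"""
        if depth > MAX_DEPTH:
            return False
        for subj in self.rel[(obj, relation)]:
            if subj == user:
                return True
            if isinstance(subj, tuple) and self.has_relation(user, subj[0], subj[1], depth + 1):
                return True
        return False

    def check(self, user, permission, obj, depth=0):
        """Return the rule chain granting `permission` on `obj` to `user`, or None."""
        if depth > MAX_DEPTH:
            return None
        obj_type = obj.split(":", 1)[0]
        for rule in PERMISSIONS.get(obj_type, {}).get(permission, []):
            if isinstance(rule, str):
                if self.has_relation(user, obj, rule):
                    return f"{obj}#{rule}"
            else:
                via, perm = rule
                for target in self.rel[(obj, via)]:
                    why = self.check(user, perm, target, depth + 1)
                    if why:
                        return f"{obj}#{via}->{why}"
        return None

    def allowed(self, user, permission, obj):
        """Decision point: logs the outcome plus the matching rule chain (or DENY)."""
        why = self.check(user, permission, obj)
        self.audit.append((user, permission, obj, why or "DENY"))
        return why is not None


def build_demo():
    """Constructed data: two isolated tenants, nested folders, a share, a support group."""
    az = Authz()
    az.write("tenant:acme", "admin", "user:alice")
    az.write("tenant:globex", "admin", "user:bob")
    # containment: every folder belongs to a tenant and may nest under another folder
    for f in ("folder:acme/photos", "folder:acme/photos/2024"):
        az.write(f, "tenant", "tenant:acme")
    az.write("folder:acme/photos/2024", "parent", "folder:acme/photos")
    az.write("folder:globex/photos", "tenant", "tenant:globex")
    az.write("folder:acme/photos", "owner", "user:alice")
    az.write("photo:acme/photos/2024/beach.jpg", "parent", "folder:acme/photos/2024")
    az.write("photo:globex/photos/logo.png", "parent", "folder:globex/photos")
    # sharing: alice shares one sub-folder with bob, who belongs to the other tenant
    az.write("folder:acme/photos/2024", "viewer", "user:bob")
    # cross-cutting role: a support group, granted per tenant (acme opted in, globex did not)
    az.write("group:support", "member", "user:sam")
    az.write("tenant:acme", "support", ("group:support", "member"))
    return az


if __name__ == "__main__":
    az = build_demo()
    for user, perm, obj in [("user:bob", "view", "photo:acme/photos/2024/beach.jpg"),
                            ("user:bob", "view", "folder:acme/photos"),
                            ("user:sam", "view", "photo:acme/photos/2024/beach.jpg"),
                            ("user:sam", "view", "photo:globex/photos/logo.png")]:
        az.allowed(user, perm, obj)
    for entry in az.audit:
        print(entry)
```

Two properties worth noticing: the share on folder:acme/photos/2024 does not leak upward to its parent, and the support role is just another relation the tenant wrote, so it is evaluated, logged and revocable like any other grant rather than bypassing the check.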
Zombies deserve identities, too
International Identity Day on Sep 16, 2024 recognizes the “fundamental importance of having verifiable proof of identity.” The date (16/9) refers to UN Sustainable Development Goal 16.9, which calls for “providing legal identity, including birth registration, to all individuals by 2030.” According to IDPro | LI, “An estimated 850 million people worldwide lack proof of identity, with half of them in Africa.”
Subscriber social at Oktane?
Michael J. Fox at an IAM event? Not for “ABAC To The Future,” but as an inspiration for Embracing change: proving it's possible | Oktane in Las Vegas, NV on Oct 15, 2024
Any volunteers to organize an AuthZ Subscriber Social at the Okta event?
Cloud IAM
(With a tip o’ the hat to CloudSecList #253 for some of these)
Industrial IAM Service Role Creation | Rami McCarthy, alongside his revisited 2020 AWS IAM Security Tooling Reference [2024]. Rami will also be speaking at fwd:cloudsec Europe next week, on Sep 17, 2024
Yet still, Exposing Security Observability Gaps in AWS Native Security Tooling | SecurityRunners.io shows how hard it is even for Amazon to track the sprawl.
Complexity kills: My Methodology to AWS Detection Engineering | Chester LeBron, Part 1 and Part 2, Aug 26, 2024
And AI is no alternative… yet: Provisioning cloud infrastructure the wrong way, but faster | Trail of Bits underscores the seductiveness of AI output that appears to work, until you take an even closer look:
“combining automation with unchecked AI output […] 1) works and 2) has terrible security properties.” with great examples of “hard-coded credentials and weak random values”
Instead, we are still building firewalls: Replace SSH with Session Manager | Securosis Aug 29, 2024 and VPNs: AWS IAM without going over public Internet | AWS announced on Aug 22, 2024 (but only from us-east and cn-north!)
And without full-fidelity simulation, we resort to crash-test dummies: Kubernetes Testing Environment | Orca for EKS, GKE and AKS, open-sourced on Aug 26, 2024
SaaS IAM
Reasoning about access is hard… and even harder if ACLs aren’t even documented. Each SaaS service has its own privileges and inconsistent definitions of groups or roles or policies. For example, a recent thread on IDPro’s #authorization Slack tried to decipher Workday’s IAM, when its own docs aren’t available publicly (beyond a datasheet) — and Web searches merely return other IGA vendors’ promises to manage it for you, like Reco.ai, Alacrity, Netskope, Popl, Sailpoint, Accenture, and public-sector users. At least we found flashcards!
Application IAM
Even when OSS vendors do document their own RBAC | Fossa.com, those definitions aren’t stored in any standard, interoperable format like, say, OpenAPI | Swagger.io (or XACML, or others). Perhaps a product like Workspace Settings | Permit.io could even use Rego Inside™.
Industry IAM
Financial Engineering Permissions: slicing and tranching access into ever finer pieces?
Discussion after the debut of Wealthfolio: Private, open-source investment tracker | HN revealed a lot of nostalgia for Mint (and Yodlee before that). Hackers’ excitement over a desktop application for integrating personal financial information was immediately tempered by the well-known risks of giving any application access to an entire account. Password-phishing anti-patterns abound, even after the advent of OAuth and emerging mandates for portability and interoperability (which, even in the EU, apply to intermediaries rather than empowering individuals).
One specific IAM spotlight is how Plaid’s aggregator API smooths over the gaps with a homologated permission layer that proxies its own finer-grained permissions onto whatever each bank actually exposes. Instead of merely restricting bank account access to, say, read-only attributes, Plaid can refine that further down to current balance; balance limits; Know-Your-Customer (KYC) metadata; windowed access to past transactions; income verification; or different types of transfers. No one bank might offer any or all of these distinctions, but Plaid made life easier for new FinTech startups (and their customers) by adding another layer of indirection.
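The “layer of indirection” is easiest to see as code. The following is an added Python sketch, not Plaid’s API or any real aggregator’s: a bank hands back one coarse read-only account object (constructed sample data), and the proxy projects it onto a hypothetical scope vocabulary, including a windowed transactions scope and an income scope that returns a derived figure without exposing the transactions it was computed from. Scope names, the bank response shape and the window syntax are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of a bank's coarse read-only response. The client never
# receives this object; it only gets what its granted scopes let through.
BANK_RESPONSE = {
    "account_id": "chk-001",
    "owner": {"name": "Pat Example", "dob": "1990-01-01", "address": "1 Main St"},
    "balances": {"current": 1234.56, "available": 1200.00, "limit": 5000.00},
    "transactions": [
        {"date": "2024-09-01", "amount": -42.10, "desc": "Coffee"},
        {"date": "2024-06-15", "amount": 2500.00, "desc": "Payroll"},
        {"date": "2023-12-20", "amount": -120.00, "desc": "Gift"},
    ],
}

# Hypothetical scope vocabulary (not Plaid's products): name[:argument]
KNOWN_SCOPES = {"balance", "identity", "transactions", "income"}


def parse_scopes(scope_str):
    """'balance:current transactions:90d' -> {'balance': {'current'}, 'transactions': {'90d'}}"""
    scopes = defaultdict(set)
    for item in scope_str.split():
        name, _, arg = item.partition(":")
        scopes[name].add(arg)
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes, refusing: {sorted(unknown)}")  # fail closed
    return scopes


def scopes_accepted(scope_str):
    """True if every requested scope is one the proxy knows how to enforce."""
    try:
        parse_scopes(scope_str)
        return True
    except ValueError:
        return False


def window_days(arg):
    """'90d' -> 90; anything else is rejected rather than silently meaning 'all'."""
    if not (arg.endswith("d") and arg[:-1].isdigit()):
        raise ValueError(f"transactions scope needs a window like '90d', got {arg!r}")
    return int(arg[:-1])


def filter_response(bank_data, scope_str, today_iso):
    """Project the bank's coarse response onto exactly the granted scopes."""
    scopes = parse_scopes(scope_str)
    today = date.fromisoformat(today_iso)
    out = {"account_id": bank_data["account_id"]}

    bal = bank_data["balances"]
    if "current" in scopes["balance"]:
        out.setdefault("balances", {}).update(current=bal["current"], available=bal["available"])
    if "limits" in scopes["balance"]:
        out.setdefault("balances", {})["limit"] = bal["limit"]
    if "identity" in scopes:
        out["owner"] = dict(bank_data["owner"])   # KYC metadata only with an explicit scope
    if "transactions" in scopes:
        days = min(window_days(a) for a in scopes["transactions"])  # narrowest window wins
        cutoff = today - timedelta(days=days)
        out["transactions"] = [
            t for t in bank_data["transactions"] if date.fromisoformat(t["date"]) >= cutoff
        ]
    if "income" in scopes:
        # Derived claim: total credits over the last year, computed by the proxy
        # so the client learns the number without seeing the transactions.
        cutoff = today - timedelta(days=365)
        credits = (t["amount"] for t in bank_data["transactions"]
                   if t["amount"] > 0 and date.fromisoformat(t["date"]) >= cutoff)
        out["income"] = {"credits_12m": round(sum(credits), 2)}
    return out


if __name__ == "__main__":
    print(filter_response(BANK_RESPONSE, "balance:current transactions:90d", "2024-09-10"))
    print(filter_response(BANK_RESPONSE, "income", "2024-09-10"))
```

The point of the design is that none of these distinctions need to exist at the bank: the proxy enforces them on the way out, refuses scopes it does not recognise, and can mint derived claims (income) that are less sensitive than the raw data they came from.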
Database IAM
Meta released more information about the Policy Zones concept they described at USENIX PEPR earlier this year in a deep dive blog post, Enforce purpose limitation via Privacy Aware Infrastructure (PAI) at scale | Meta (HN):
Policy Zones provides a comprehensive mechanism for encapsulating, evaluating, and propagating privacy constraints for data both “in transit” and “at rest,” including transitions between different systems.
Their example, of excluding bananas from being used in banana bread recipes, explained how to automatically isolate code or queries that combined banana data with bread data into a privileged area or block it outright. That’s a toy example of much more complex real-world problems with contractual and regulatory limitations on log processing, data retention, sovereignty constraints, or even the right-to-be-forgotten. Their approach may seem like overkill for less-than-trillion-dollar companies today, but annotating data elements with privacy, security, and accounting policies at the point of capture may be the future for every enterprise…
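To show what “annotating data elements at the point of capture” and propagating those annotations through code, transit and storage looks like in practice, here is an added Python example. It is not Meta’s Policy Zones implementation; it is a deliberately small label-propagation model built for this newsletter, using Meta’s banana-bread toy case plus a constructed data-residency label. The policy table, label names, purposes and the wire format are all assumptions.

```python
from dataclasses import dataclass
import json

# Constructed policy table (the real thing is far richer): a label names a kind
# of data and maps to the purposes that may NOT consume anything carrying it.
DENY = {
    "banana": {"recipe:banana_bread"},
    "eu_personal": {"analytics:global", "ads:targeting"},
}


class PolicyViolation(Exception):
    pass


@dataclass(frozen=True)
class Labeled:
    """A value that carries its policy labels wherever it goes."""
    value: object
    labels: frozenset = frozenset()

    def derive(self, fn, *others):
        """Compute something from this and other labeled values. The result
        inherits the union of every input's labels (propagation through code)."""
        inputs = (self,) + others
        merged = frozenset().union(*(x.labels for x in inputs))
        return Labeled(fn(*(x.value for x in inputs)), merged)

    def to_wire(self):
        """Serialise for transit or storage without dropping the labels."""
        return json.dumps({"value": self.value, "labels": sorted(self.labels)})

    @staticmethod
    def from_wire(blob):
        d = json.loads(blob)
        return Labeled(d["value"], frozenset(d["labels"]))


class Zone:
    """An execution context with one declared purpose. Every egress (query
    result, log write, model input) is checked against the labels that reached it."""

    def __init__(self, purpose, privileged_for=(), audit=None):
        self.purpose = purpose
        self.privileged_for = frozenset(privileged_for)  # labels handled here by explicit exception
        self.audit = audit if audit is not None else []

    def decide(self, data):
        """Returns (status, blocked_labels) and records the decision."""
        blocked = sorted(l for l in data.labels if self.purpose in DENY.get(l, ()))
        exempt = [l for l in blocked if l in self.privileged_for]
        if len(exempt) < len(blocked):
            status = "blocked"
        elif exempt:
            status = "exempted"     # allowed, but only because this zone is privileged
        else:
            status = "allowed"
        self.audit.append((status, self.purpose, blocked))
        return status, blocked

    def egress(self, data):
        status, blocked = self.decide(data)
        if status == "blocked":
            raise PolicyViolation(f"{blocked} may not flow to purpose {self.purpose!r}")
        return data.value


def make_batter():
    """Join banana data with unlabeled flour data: the join still carries 'banana'."""
    bananas = Labeled(3, frozenset({"banana"}))
    flour_g = Labeled(500)
    return bananas.derive(lambda b, f: {"bananas": b, "flour_g": f}, flour_g)


def make_eu_purchase():
    """A constructed EU user's order: two labels now travel together."""
    user = Labeled({"id": 7, "country": "DE"}, frozenset({"eu_personal"}))
    return user.derive(lambda u, b: {"user": u["id"], "order": b}, make_batter())


if __name__ == "__main__":
    batter = make_batter()
    print(Zone("inventory:report").decide(batter))
    print(Zone("recipe:banana_bread").decide(batter))
    print(Zone("ads:targeting").decide(make_eu_purchase()))
```

The interesting behaviour is at the edges: a value that is stored, sent over the wire and read back still carries its labels, a query that merely touches banana data inherits the restriction, and the only way to use it for banana bread is a zone that is explicitly privileged for that label, which shows up as “exempted” in the audit trail.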
Commenters also drew a connection to the open-source implementation of a similar automated enforcement approach in Authorization | Apache Accumulo. Another example of such thinking is Enhance data governance through column-level lineage in Amazon QuickSight | AWS Business Intelligence Blog
So what? New challenges crop up each time control crosses those borders between IAM silos, which prevent people from puzzling out which policies pertain to the same principals or privileges.
Q: Will Smith Live or Die?
A: Both — watch for the sequel, where the alternate ending becomes canon. They’d been trying to write a sequel as early as 2012; took another decade to strike a deal in 2023; and it remains in development in 2024.
Matheson’s initial screenplay for The Night Creatures (1957) was so shockingly bleak it was effectively censored. Perhaps unlike the heroes of prior movies like Vincent Price in The Last Man on Earth (1964), Charlton Heston in Omega Man (1971), or Will Smith in the theatrical ending, we might finally see Matheson’s actual intention on screen someday. After all, once vampires are the new normal, the uninfected serial-killer scientist is the abnormal one. Humans become the monsters of their nightmares, or rather their daydreams. That is why the hero concludes “I am legend” — not in victory, but as valedictory…
(…since it wouldn’t be 2024 without an AI angle)
Or maybe the Rise of the Machines will mean there’s no posterity to pose for: ‘Never summon a power you can’t control’ | The Guardian excerpts the latest volume of Yuval Noah Harari’s Apocalyptic Vision | The Atlantic about “how AI could threaten democracy and divide the world.”
How’s that for a pre-apocalyptic perspective‽