It turns out Sgt. Joe Friday never said that in Dragnet; not on the radio, nor on TV, not even once between 1949 and 1970. That headline’s only a movie fact, from 1987 when Dan Aykroyd played Joe Friday’s nephew and recycled (incompletely!) Stan Freberg’s hit spoof from 1953.
“Facts are stubborn things.” So stubborn, that John Adams quote isn’t a fact, either… What is a fact, is that we’re a few hundred short of our thousand-subscriber target for our first year, so please spread the word to subscribe!
“Facts are stupid things,” too, like the fact this isn’t coming out on a Monday. At least next week’s issue will go out on a Tuesday by design (due to Labor Day in the US). Until then, here’s last week’s belated Authorization clippings, with no fat, just facts:
The first rule of Standards Fight Club is…
• New Digital Identity Guidelines | NIST is out for review, with comments due Oct 7, 2024 on the 2nd Public Draft of NIST SP 800-63-4 (h/t Pam Dingle)
• New WIMSE Service to Service Authentication Protocol | IETF for harmonizing machine-to-machine trust relationships with human-to-machine ones (h/t Pieter Kasselman)
Go forth and authorize…
Go is a leading language in the Cloud-native world with Docker, Kubernetes, and many other CNCF projects written with it. Adding fine-grained ReBAC got a lot easier in Adding Authorization to a Go app with Topaz from Aserto.
For Go-grammers, cedar-go from StrongDM got a major upgrade in the 0.20 release that leverages a new internal Abstract Syntax Tree (AST) for translating policy languages back and forth from Cedar text to Go code to JSON format with ease.
…be fruitful and multiply
IndyKite boosts modern access offering with acquisition of 3Edges (Aug 26, 2024) to “leverage knowledge graph technologies to enable advanced authorization logic that reflects the real world” (h/t LinkedIn)
Ark Infotech Acquires Vantyr | PR (Aug 21, 2024) to combine Slauth.io, an IAM “Copilot,” with Vantyr for “securing non-human identities across cloud and SaaS environments.”
An ‘acqui-hire’ is more lucrative than it seems | TechCrunch, especially if it comes with leadership roles in a reverse takeover like Steve at NeXT/Apple, Sridhar at Neeva/Snowflake, or perhaps Ermetic? Tenable appoints Shai Morag as CPO | Ctech may foretell more if there’s really a Silent Venture Capital & Startup Recession | Forbes.
Of course, there’s still the plain-old-fashioned ‘hire’… like UberEther picking up Jon Lehtinen and Justin Richer as CTO.
Inevitability of Death and (SSO) Taxes
It’s a fact that nobody loves paying extra to authorize employees to authenticate into applications. There are even sites that measure how much, like SSO.Tax. What if that’s as good a way to segment markets as Saturday-night stayovers are for charging business travelers enough to fill the cheap seats in the back of the airplane? Read An Unpopular Perspective on the SSO Tax | SSOReady for one opinion — or this thread from Sean Fraser, Okta’s Federal CSO | LinkedIn for more
Zero trust needs verified facts
Zero standing privilege vs manual privilege management | SGNL compares two different access control strategies that can lead to vastly different outcomes. Regulations and critical market position make financial services particularly sensitive to unauthorized access, especially with the EU’s Digital Operational Resilience Act (DORA) bearing down on the Finance and Insurance industries by Jan 17, 2025.
Zero standing privilege is a strategy that can dramatically reduce these cyber risks, but proving that could be harder than just putting all your eggs in one privileged basket and watching that one account like a hawk. Instead, auditors need new ways for Attesting to What’s Not There | From the CIDO
Facts from the Future
Sept 4th: StrongDM’s Policypalooza Summer series continues with Fine-grained Policies with Cedar for Database Security
Sept 17th, in Brussels, Belgium: 2024 Europe Schedule | fwd:cloudsec
Sept 19th: ACCESS: The Cloud Identity, Access, and Permissions Summit | Sonrai
Sept 19th, in Vienna, Austria: SOSS Community Day Europe | Open Source Security Foundation
Oct 8th: Beyond Identiverse: IAM Trends & Guidance for 2024-25 | SC Media
Oct 24th, in Silicon Valley: The Official Cybersecurity Summit | CyberRisk Alliance
As soon as you contribute: New Speaker Submissions | IDPro
Just wrapped (but register for recordings): Cloud Security Bootcamp | SentinelOne and Cloud Security Summit 2024 | Google Cloud