We’re in the dead of summer. Many of us are bearing the brunt of unusually warm weather. There’s never been a better time to stay indoors, cool down, sip on iced tea, and read your favorite AuthZ newsletter. So, sit back, relax, and read on.
Authorization Architecture 📐
A few months ago, at IIW 37 (Internet Identity Week), Eve Maler of Venn Factory suggested we needed to bridge the P*P architecture (PEP/PDP/PIP/PAP) we inherit from ABAC with the AS/RS (authorization server / resource server) architecture of OAuth. Today, Omri of Aserto asks: Where should I enforce my authorization policy? His article walks through the candidate policy enforcement points and scenarios: the OIDC authN ceremony, the resource server, the API gateway, and service-to-service authZ.
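To make the enforcement-point question concrete, here is an added example (not code from the newsletter, from Aserto, or from Omri's article) showing one policy decision point (PDP) consulted from two enforcement points (PEPs): an API gateway that only sees the route and the caller's roles, and a resource server that re-checks with the loaded object in hand. The roles, routes, document store and ownership rule are all constructed for illustration. The point it demonstrates is why a gateway-only check is not enough: the gateway cannot know who owns `doc-2`, so the fine-grained denial can only happen at the resource server, while the coarse role check at the gateway still stops obviously unauthorized calls before they reach a backend.

```python
"""Added example: one PDP, two PEPs (API gateway and resource server).

Not the newsletter's or Aserto's code. Policy, routes, documents and
ownership rule are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset  # e.g. frozenset({"editor"}), taken from the caller's token


@dataclass
class Decision:
    allowed: bool
    reason: str


# Policy Decision Point (PDP): the single place where policy logic lives.
# Coarse rule: which roles may perform which action on which resource type.
ROLE_PERMISSIONS = {
    "viewer": {("read", "document")},
    "editor": {("read", "document"), ("write", "document")},
}

# Constructed resource store: document id -> attributes used by the fine rule.
DOCUMENTS = {
    "doc-1": {"owner": "alice"},
    "doc-2": {"owner": "bob"},
}


def pdp_decide(subject, action, resource_type, resource=None):
    """Coarse check uses roles only; when the object is supplied, add ownership."""
    role_ok = any((action, resource_type) in ROLE_PERMISSIONS.get(r, set())
                  for r in subject.roles)
    if not role_ok:
        return Decision(False, f"role check: {subject.user} may not {action} a {resource_type}")
    if resource is not None and action == "write" and resource["owner"] != subject.user:
        return Decision(False, f"ownership check: {subject.user} does not own the resource")
    return Decision(True, "allowed")


def _action_for(method):
    # Constructed mapping from HTTP verb to policy action.
    return {"GET": "read", "PUT": "write"}[method]


# PEP 1: the API gateway. It knows the route and the token claims, not the object.
def gateway_pep(subject, method, path):
    resource_type = path.strip("/").split("/")[0].rstrip("s")  # /documents/doc-1 -> document
    d = pdp_decide(subject, _action_for(method), resource_type)
    return (200 if d.allowed else 403), d.reason


# PEP 2: the resource server. It loads the object and re-checks with full context.
def resource_server_pep(subject, method, doc_id):
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, "not found"
    d = pdp_decide(subject, _action_for(method), "document", doc)
    return (200 if d.allowed else 403), d.reason


def handle_request(subject, method, path):
    """End to end: gateway check first, then resource server check; both must pass."""
    status, reason = gateway_pep(subject, method, path)
    if status != 200:
        return status, "gateway: " + reason
    doc_id = path.rstrip("/").split("/")[-1]
    status, reason = resource_server_pep(subject, method, doc_id)
    return status, "resource server: " + reason


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"editor"}))
    carol = Subject("carol", frozenset({"viewer"}))
    for who, method, path in [(alice, "PUT", "/documents/doc-1"),
                              (alice, "PUT", "/documents/doc-2"),
                              (carol, "PUT", "/documents/doc-1"),
                              (carol, "GET", "/documents/doc-2")]:
        print(who.user, method, path, "->", handle_request(who, method, path))
```

Because both PEPs call the same `pdp_decide`, the policy is written once and the enforcement points differ only in how much context they can pass in; the same shape applies when the second caller is another service rather than a resource server.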
A Selection of Identiverse Talks 📺
Some 140 videos have already been made available on Identiverse’s YouTube channel. Get access via this dedicated playlist. Here are a few authorization-related talks:
The Authorization Conversation
Navigating the Intersection: IAM and OWASP in the Cybersecurity Landscape
Closing Keynote: The Future of Authorization with Pieter Kasselman & Sarah Cecchetti
And speaking of Sarah, here’s her take on CIAM:
Hot From the IDPro Press
The IDPro newsletter is out and it contains several AuthZ nuggets. To start, here’s a summary of the flurry of activities OpenID AuthZEN has been involved in.
“Security online is no longer a periodic snapshot of users and authorizations. We need an efficient architecture to respond to events and updates in real-time,” says Atul Tulshibagwale. Read more.
Cybersec 👩💻
Darwin Salazar of The Cybersecurity Pulse reviews the list of BlackHat startup finalists. Two address authorization specifically:
Knostic (“Need-to-know Based Access Control for LLMs”, or NtKBAC?)
Whoops? This blog will detail how an attacker can escalate their privileges in Google Cloud by leveraging weak group join settings for groups that have been granted roles in GCP. Opportunities for hunting and detection are provided towards the end of the blog. Read on if you dare: Escalating Privileges in Google Cloud via Open Groups.
Cirrus: Open-source GCP forensic collection | Help Net Security. Cirrus is an open-source Python-based tool designed to streamline Google Cloud forensic evidence collection. It simplifies environment access and evidence collection in investigations involving Google Workspace and GCP, which in turn speeds up incident response and strengthens an organization’s security posture.
Record-Breaking $75 Million Ransom Paid To Dark Angels Gang | Forbes. Cybercriminals gravitate towards ransomware attacks for one simple reason: money. According to ransomware statistics compiled by Varonis, the largest ransom payout was in 2021 when insurance giant CNA Financial reportedly paid an astonishing $40 million. However, the latest Zscaler ThreatLabz ransomware report suggests that this deplorable record has now been broken. Coming in at nearly twice as much, the Zscaler researchers said they found evidence of a $75 million ransom paid by an undisclosed victim earlier this year. Say hello to the Dark Angels.
The biggest-ever global outage: lessons for software engineers. Cybersecurity vendor CrowdStrike shipped a routine rule definition change to all customers, and chaos followed as 8.5M machines crashed worldwide. There are plenty of lessons here for developers.
Upcoming Events 📅
There are many conferences to look forward to such as Gartner Identity & Access Management Summit 2024, December 9 – 11, in Grapevine, TX. Before that, fwd:cloudsec Europe 2024 will take place in September. Check out the Schedule for details. Authenticate and Nordic APIs Platform Summit both take place in October.
Vendor Updates
Veza, the access governance company, will be talking about just-in-time access together with Snowflake: Modernizing Identity with Just In Time Access.
Lock down the enterprise 🔐
The folks behind AccessOwl have released a new tool to help with leaks. Shadow IT Scan – Uncover SaaS Apps, Users and Risky OAuth Scopes | Hacker News.
Opal Security Expands Least Privilege Posture Management Capabilities. Originally launched in April, it consists of capabilities that enable security teams to better manage identity security in a standard security workflow by proactively detecting, prioritizing and calibrating over-provisioned access across organizations.
Clearly AI: Automate security and privacy reviews from first principles | Y Combinator. Clearly AI automates AppSec reviews and privacy assessments to provide a first line of defense, so that security and privacy engineers can focus on the most critical applications for their enterprise.
Enabling Security for Hadoop Data Lake on Google Cloud Storage | Uber Blog
Conclusion 🏕️🦟
I went camping with my little ones this weekend. It was the first time for my 4-year-old and one-year-old. They were thrilled and had a blast. My wife and I less so when we were viciously attacked by a well-armed horde of hungry mosquitoes. No amount of spray, citronella candles, or clothing was of any help against those bloodsuckers. I’m still counting the number of bites I succumbed to. So much for access control. I’m not sure what the lesson learned here is, other than that mosquitoes, like hackers, are smart and will generally avoid all of the trappings you’ve laid out for them. Expect to be attacked, be ready with adequate protection, and plan for mitigation.
Mosquitoes are my new favorite poster-child for the little-known and under-utilized “NoBAC” — a No-based access control that's just “DENY *”!
For an implementation using lasers, if not formal methods: https://nymag.com/intelligencer/2017/07/laser-shooting-mosquito-death-machine-nathan-myhrvold.html “The human war on mosquitoes is high-tech, high-concept, and without pity… use anti-missile laser technology against them.”