The Beat Goes On
Welcome to the “Authorize” clipping service, a precursor to an upcoming authorization-themed conference. This service is provided by volunteer authorization nerds who want more people to know about all the cool stuff that’s going on in the authorization world! Here’s all the news you need to know.
With identity conference season wrapping up… What, you thought the ride was over? All the adjacent conferences stepped into the breach (ha) and kept on generating massive authorization interest and insights! Many of our brethren and sistren just kept going. (Whereas I halted and caught Conference Crud™️ fire. Sigh.)
Deadlines coming up fast
Cloud security + fun: fwd:CloudSec North America will be held in Arlington, VA on June 17-18. A few of its authz-relevant sessions:
Intercloud Identities: The Risks and Mitigations of Access Between Cloud Providers
Hunting AWS Threat Actors with Access Analyzer Policy Suggestions (more on Access Analyzer below)
The Oracle Awakens: Demystifying Privilege Escalation in the cloud
Cloud Service Provider Partnership Portals: A Perfect Storm Of Half-Baked IAM Controls, Non-Technical Users, And Permissions-Hungry Vendors (B2B seems to be getting ready for its close-up in the IAM world!)
Pinball, Pool, & Pints get-together hosted by Permiso Security on Monday night. Chance for an impromptu Authorize community meetup?
Continuous Identity Security: Join Gabriel Manor of Permit.io and Atul Tulshibagwale of SGNL on June 19 to learn about how to smooth out the bumps in identity security. CAEP, Zero Trust, and GenAI will be discussed. (Bingo! 😀)
IIWXXXIX: Internet Identity Workshop #39b, Halloween edition, will be held October 29-31. The Super Early Bird - Independent rate is still good through July 5!
Other recent events
Authz board gaming: Jeff Lombardo et al. of AWS got really creative at re:Inforce the week of June 10. They demonstrated a new authorization board game at re:Inforce ’24, where more than 71 participants had to quickly re-establish a fine-grained policy-based access control system to escape a spaceship before being caught by an alien monster. I foresee a Sarah Cecchetti mashup that functions as a real-life escape room.
Access Control Is Broken: Omri Gazitt of Aserto addressed this glaring OWASP reality at AppSec PNW on June 15.
News and announcements
Stars on 45 1000: The Topaz project passed 1000 GitHub stars – congrats! – and Aserto celebrated by reviewing its favorite 10 new features from the last year.
Your bucket is showing: AWS announced a series of IAM Access Analyzer updates, including Check No Public Access, which “checks to see if the policy grants public access to a specified resource type. For example, you can check a policy to see if it allows public access to an S3 bucket by specifying the AWS::S3::Bucket resource type.”
Explications and explorations
Policy workout: From re:Inforce, check out the IAM Policy Power Hour, an hour-long “exercise” covering AWS policies and access management.
CyberHut TV introduces SGNL: Simon Moffatt interviews Atul (in his second mention this week!) about SGNL. What is the problem they’re solving? Why is this a problem now? Why are they best placed to solve it? They discuss, in nine short and sweet minutes.
If you’re an authorization nerd and an IDPro member, join our discussions in the IDPro Slack #authorization channel! Want to help write this newsletter and organize authorization conference activities? Find Sarah Cecchetti on LinkedIn and ask for an invite.