I was fortunate enough to be able to go to Athens for a weeklong team meeting. This was only my second time in the Greek capital, and I was eager to soak in the culture, the food, and of course the 80°F temperatures. On day 3, I gave my audience an overview of the authorization landscape and intertwined quiz questions to keep things lively. I couldn’t help adding a question on the Trojan Horse, quite possibly the most famous access control breach in the history of mankind. Odysseus and his men hid inside the horse and waited for the Trojans to bring it inside their walls before overrunning the unsuspecting city. In a single night, the Greeks ended a war that had been stalemated for ten years.
Another trademark of Athens is its population of cats. The furry critters know their way in and out of every nook and cranny the city has. The gates that guard the Acropolis and keep tourists out of the historic site at night are no match for our four-legged friends.
And, on this note, let’s head on over to the AuthZ Headlines.
Upcoming Conferences & Webinars 🗣️
iC Consult, one of the leading German system integrators, is hosting a webinar on authorization, AI, and Zero Trust on Tuesday 9/24. Be sure to tune in to learn more about:
Zero Trust Challenges
Authorization in Zero Trust
Interoperability of Authorization Standards
AI in Authorization Management
Later this week, my colleague Mark Berg (a BBQ master - ask him about his bacon glaze) will teach us everything there is to know about authorization policy modeling.
On the conference front, there are three upcoming events in October alone:
Nordic APIs Platform Summit is taking place 10 days from now. Be sure to check out their agenda for lots of talks on API Authorization.
Authenticate, FIDO Alliance’s conference: members of the OpenID AuthZEN Group will hold an interop and provide attendees with the latest on the proposed standard.
The Internet Identity Workshop (IIW) is back at the end of the month. Get your tickets here.
Feeling creative? Check out this out-of-this-world unconference organized by UCL. Lots of thought-provoking, tongue-in-cheek content to keep us grounded.
Lastly, it’s that time of year for Demo Day: StartX Investor Demo Day Fall 2024 is on right now. Tune in right here.
A penny for your thoughts 🪙
Folks at 18F (a team of designers, software engineers, strategists, and product managers within the General Services Administration who collaborate with other agencies to fix technical problems, build products, and improve public service through technology) wrote a paper on rules and rules engines a few years ago. It provides good insight into requirements, though it ultimately recommends a DIY approach.
Did someone say AI? 👾
It was only a matter of time before a startup claimed AI could help with authentication. That’s exactly what Anon aims to do. In a recent TechCrunch article, they explain their use case, though I cannot see why OAuth could not solve it.
LinkedIn is also turning to AI to provide better security. This article describes how the dev team developed SPP, detailing what they learned as they looked to streamline and automate the gathering and analysis of data across LinkedIn’s distributed security systems.
Cole Grolmus, founder of “Strategy of Security” is asking a fundamental question: who is building AI agents for cybersecurity? Chime in right here.
IAM Fundamentals 📚
Andrei Ștefănie, Cloud Architect at Cyscale, has been kind enough to put together A Comprehensive Guide Toward Least Privilege in AWS IAM.
And speaking of AWS, here’s a security-focused AWS vs. Azure showdown: AWS vs Azure: A “Secure by default” comparison.
In the works ⚙️
Rumor has it Open Policy Agent 1.0 is about to be released. The team behind OPA and the folks at Styra have been hard at work putting the final touches on the next version of the popular authorization engine. Read more here.
Axiomatics (my employer) has just released its own Policy Companion. Try out Policy Companion for yourself. Whether you’re new to the authorization space or curious about our new Generative AI friend, we encourage everyone to take it for a test drive.
My peer, Omri Gazitt of Aserto, wrote a great piece on the progress made in the OpenID AuthZEN working group. Check out his take on the OpenID AuthZEN Implementer's Draft and Why it Matters.
Conclusion
On my way home from Greece, on the plane, I watched The Matrix (1999) and couldn’t help analyzing each sequence as an example of failed access control. I suppose there wouldn’t be a movie at all if the AI could have squeezed out all the humans simply by making sure the right access rights were in place. I’m grateful Hollywood isn’t taking access control as seriously as we are.
As always, if you have a story to tell, please use this form to let us know.