IAM in the Spotlight - Kyler Middleton
We’re back with a new IAM in the Spotlight featuring one of our OG members, Kyler Middleton, who has been with us since the beginning. Kyler continues to play a key role (get it?!) as a top contributor to our IAM Pulse Community.
IAM called: Kyler Middleton (she/they)
IAM located in: Madison, Wisconsin, United States
IAM working on: Cloud automation tools at Veradigm
“IAM in particular is challenging – it's the cornerstone of all foundational security in AWS, yet it is complex, manual, and prone to errors. That makes it a ripe target for innovation and automation.” - Kyler
In this video Q&A, hear Kyler’s approach to writing and learning, tackling new puzzles and complexities in the IAM domain, and re-thinking the PR approval process. Kyler also reflects on syncing Azure DevOps to AWS and how growing up on a farm fixing the neighbors’ computers led to rewarding opportunities for professional growth - and payment in delicious brownies.
After viewing this Spotlight, you’ll understand why Kyler is such a valued member of this community. Be sure to check out Kyler’s very detailed and helpful articles too!
How do you approach your writing process and topic selection?
I've been reading and writing my entire life – I noticed early on I could communicate much more clearly and precisely with written words than speaking. So it feels very natural to me to write! I write about the projects at work that interest me. If there's a challenging puzzle to solve, that piques my interest, and I dig into it until it's solved. Then I enjoy teaching others and sharing how I solved it. IAM in particular is challenging – it is the cornerstone of all foundational security in AWS, yet it is complex, manual, and prone to errors. That makes it a ripe target for innovation and automation. I hope I can help solve a tiny bit of this puzzle, and many, many smart people can help take their own bites out of it also!
In one of your articles, you talk about the challenge of syncing Azure DevOps to AWS. Any tips/tricks for the IAM Pulse Community?
That has been such a fun problem! Microsoft, of course, provides lots more guidance and tooling to help you integrate to their cloud – after all, that's where they make their money. But I've always been more of a "write it myself" person, so I didn't spend even a minute sad that there wasn't a built-in AWS authentication tool; I went out and wrote it myself. We use bash and AWS CLI calls to IAM to authenticate and assume any role we need.
It was a big project, and it helped me learn a ton about IAM. I'm a big proponent that the best way to learn anything, but particularly cloud, is to just. Go. Do it. That's why all my articles are focused on helping the reader "do" the work. I'm not trying to introduce abstract principles, or vague ideas about what you should build; rather, I'm helping you build whatever you want, using some of the tools and knowledge I've picked up along the way.
What's currently puzzling you as you work in IAM? If you could get community input on a tough question, what would you ask?
Why aren't there more tools and automation around IAM from cloud providers? This service is a huge part of cloud security. In the old days in a data center, we had layers of defense – firewalls used different authentication from routers, which were different from servers, which were different from databases. If you wanted to seriously cripple a company you had to compromise many systems.
Compare that to a cloud environment today – if you can compromise a single administrative IAM user or profile, you can literally delete every resource and all data contained everywhere in a couple of minutes. That's incredibly scary, and I wish cloud providers would confront IAM in a much more serious way. If the tool isn't easy to use, people will make mistakes. And mistakes here have huge consequences.
If you could wish a new IAM tool into existence, what would it do?
A tool that provides templates for common usage patterns. If you could describe in plain language that you want to access a container registry in a different account, and it would provide template IAM files to start with, that would be an amazing time-saver, and I don't think it would be a huge uplift to build. Maybe that's the future of IAM Pulse and there'll be a library of common use cases and IAM Pulse could host them all for us. We'll just have to see!
Is there a commonly accepted best practice that you think adds more complexity than it is worth?
I think it's common to have an elite team of PR reviewers that control approvals and have memorized all the security, operational, and naming rules for an organization. Which works great, but there is always drift between team members, and what if those team members aren't available? I love to see new tooling coming out that permits automating this approval process.
I'm working hard to identify tooling and processes that can safely automatically approve PRs for our infrastructure to avoid this concentration of control into the hands of a few senior staff. This helps to standardize and democratize changes, not to mention potentially making approving much quicker and easier for our developers. This job will never be done - not until computers are more creative and smarter than people, and I don't expect we'll see that for a long, long time.
How did you get to the position you hold today? Were you always working in this space?
For people that have always known me as a DevOps engineer, it might surprise them to find out I grew up on a farm. Many people don't realize how technological farming has become - farmers are constantly challenged to adopt new technology and processes to improve the efficiencies of their farms. Most operate as independent businesses on the razor's edge of survival, so there's a ton of experimentation that happens.
They were among the first folks I knew that adopted home PCs. And of course, early home PCs broke - a lot! And they could hardly afford to have someone drive an hour or more to get to their farmhouse to fix it, and bill them however many dollars a mile or hour. Certainly not when there was this quirky kid nearby who'd love to click all the buttons on all their computers, and sometimes even fix things when doing so, and also took payment in brownies.
I was halfway through a library science degree in college when I found out that computers don't come naturally to everyone (which was shocking to me, which is funny in retrospect) and that jobs in computer science pay really well and are a real adult job. I immediately switched my major to IT, but my small college in Nebraska cancelled the computer science program before I could finish.
I finished with a library science degree, chased my partner to a larger town, took a job at Best Buy, and worked my way into Geek Squad, and read every technical book I could find to get certs and move up jobs. I bounced around to lots of roles - telecommunications, systems, hosting providers, InfoSec. I did my best to understand all I could, automate my entire job away, and then leave to find new challenges.
I've been up-front with my current manager today - I'll leave when I automate my whole job and so far, I haven't managed to automate it away. But one day I will, or at least I'll try, and then I'll go find some more challenges.