IAM Pulse Check #2 - Spread Love
A recap of the incredible fwd:cloudsec conference sessions, and a rare Detroit soul album to lift your spiritsRead Issue on Revue
It was quite the week in InfoSec land between the disclosures from Azure and TravisCI, with far reaching impact across cloud environments. Throw in the Apple 0day, and you have yourself the Security Olympics.But unlike NBCs botched Olympic coverage, there was an event this week that was executed to pure perfection. And it wasn’t put on by a mega conglomerate, but rather a small group of dedicated volunteers.
I’m talking about the fwd:cloudsec conference that took place in Salt Lake City on Monday and Tuesday. I had originally planned to be there in person with our team to introduce our new project, IAM Pulse, however we decided to stay back and keep our support remote. Thankfully, the event was hybrid, with all talks streamed virtually.
What an incredible and action packed 2 days of highly technical, focused talks. No fluff here, just pure depth and expertise. Our team hit the livestream with some commentary, so for this week’s newsletter, I’ll share a few highlights. You’ll be able to replay all of the talks shortly, so give a follow to @fwdcloudsec to stay up-to-date.
IAM checking these out...
Rich Mogull of Securosis and DisruptOps kicked things off with an incredible keynote. I’ve always admired Rich for his technical depth, but also his humility and understanding of the challenges people face. As he often does, he landed a quote that would make an incredible tagline: “Every cloud failure is an IAM failure. Every IAM failure is a governance failure”. Truth.
The constant struggle between security and productivity comes up with IAM all too often – too permissive and you open yourself up to risk, too restrictive and you end up with cross-functional, back and forth arguments. Getting to that sweet spot really is the holy grail, so I always love seeing teams put in the effort where it matters. This is a great before/after picture from Jared Naude from Synthesis.
I really enjoyed this talk from Saurabh Wadhwa of Uptycs, which covered a number of open source tools for observing resources and environments. I’m especially interested in cloudquery, which brings a nice SQL interface to your infrastructure. There’s been some healthy debate in this area this week – some like the familiarity, others are cautious of the abstraction model. Wherever you land on the spectrum, I think we can agree – observability is a good thing!
It’s slides like this that get me to jump out of my chair and proclaim, “yes!” Everything is different in the cloud – elastic resources constantly spinning up and down mean you can’t simply apply legacy inventory-driven approaches to security, especially when they involve long request/approval workflows. Dynamic environments need dynamic controls to match. Great stuff in this session from Yoav Nathaniel of Goldman Sachs.
You’d be hard pressed to find a heavier drop than Ian McKay’s session. Already well known amongst the community for his work and open source projects such as iamlive, Ian introduced iam-dataset, an open source project that maps all AWS managed policies and permissions. The repo is used to power permissions.cloud, a very clean interface that unifies and simplifies the growing number of managed policies. So tasty!
This session from Max B of Figma was one I was keen to watch, as I had read a recent article of his about building a home grown private web access system that closely resembled Google’s BeyondCorp initiative. In a prior startup life, I was very close to that, and always appreciate seeing real world implementations. Bonus points for Okta in the mix. Nice work!
The work that Kinnaird McQuade of Salesforce has done is quite incredible, but even more admirable is how willing and open he is to sharing. If you haven’t seen his open source projects, Cloudsplaining and Policy Sentry, I highly recommend checking them out. This session was great because he dug deep into Azure, an area that I’m admittedly still getting up to speed with. Keep it up Kinnaird!
The work of Square’s security team over the years has always been top notch, as has their willingness to share. Back when in-person meetups were a common thing (which feels like a lifetime ago), I used to frequent the SqR00t talks at their SF HQ. This talk by Adam Cotenoff covered their workflows for automating security scans across Terraform. That quote truly is a good life rule!
IAM listening to this...
I’m not exaggerating – there really was something special about how this event came together, the quality of the content, and the engagement from the community. As our IAM Pulse team embarks on our own journey, being good community stewards really matters to us. So with that, I want to share an album close to my heart to spread the love.
The depths of privately pressed soul albums in the 70s are enough to keep even the most dedicated collectors occupied for a lifetime. I should know! One album that deserves more recognition than it ever got is Harris & Orr – Spread Love. Released on a tiny Detroit label in 1976, this album has a beautiful and mature modern soul vibe that will move you and make you move at the same time. Hip hop heads go bonkers over the title track, but there’s so much more there. Grab an adult drink and chill out to the smooth vibes of Harris & Orr. That cover art, too!
Get the IAM Pulse Check Newsletter
We send out a periodic newsletter full of tips & tricks, contributions from the community, commentary on the industry, relevant social posts, and more.
Checkout past issues for a sampling of the goods.