Identity and Access Management: Judgment Day

Presented at LocoMocoSec 2018, April 6, 2018, 1 p.m. (40 minutes)

When you design identity and access management (IAM) systems, consider psychology and sociology in addition to computer security. The goal of this talk is to describe the human-computer interaction problems presented by IAM and three real-world patterns with open-source implementations for managing AWS IAM in an organization. The cloud is a powerful force that changes the way we defend against adversarial software. More of us are shipping more code, more often. We use IAM systems to communicate our expectations about our code’s behavior to the machines running it. Vague specifications and impedance mismatches between human biases and machine logic make this communication channel lossy. Without careful consideration, our software can be exploited to turn against us.

Presenters:

• Alex Smolen - Clever
  Alex is a security-focused software engineering manager at Clever. He cares about usable security, privacy by design, smooth music, and fresh coffee. Before joining Clever, Alex "defended the bird" at Twitter as the tech lead for the Account Security team. He was also a security consultant at Foundstone, where people paid him to break into websites and buildings. He received his BS in Computer Science from UC Berkeley, and liked Cal so much that he went back to the School of Information for a masters degree.

Links:

• https://locomocosecurityconference2018.sched.com/event/CgT6/identity-and-access-management-judgment-day
• https://infocon.org/cons/LocoMocoSec/LocoMocoSec 2018 Kona/Alex Smolen Identity and Access Management Judgment Day.mp4

Similar Presentations:

• SAINTCON 2019 / Identity & Access Management Why?
• BSidesDC 2019 / IAM what IAM and dats what IAM: accounts for everyone! Robots too!
• ToorCamp 2016 / The Good the Bad and the Ugly: AWS Account Takeover via IAM Instance Roles