In modern cloud environments, Identity and Access Management (IAM) is no longer just a technical function; it is the fundamental control layer that protects the entire organization. IAM has evolved into the “new perimeter,” necessitating a strategic approach that balances security rigor with seamless user experience.
We spoke with John Giglio, Director of Cloud Security at SADA and a former Marine, about the foundational importance of IAM, strategies for risk-based access control, the growing challenge of CISO burnout, and the key to building a robust security culture.
You can read the complete transcript of the episode here.
What is the Core Ideology of IAM, and Why is it the New Perimeter?
IAM stands for Identity and Access Management, but its core purpose is far broader than mere user management.
- Identity as Access Control: Identity now controls access to pretty much everything; it has become the factor through which access is granted or refused.
- The “New Perimeter”: In many modern architectures, identity has become the new perimeter, serving as the boundary that protects resources, replacing the traditional network-centric perimeter.
- The Challenges: The challenge lies in managing the sheer number of moving parts. With users needing access to numerous systems, and requirements changing frequently (e.g., promotions, department changes), it is often easier to be overly permissive than to strictly manage access.
What Foundational Questions Must Be Answered Before Setting up IAM?
Before an organization, whether a small startup or a large enterprise, begins setting up IAM in the cloud, two foundational questions must be addressed to ensure the setup is strategic and scalable:
- How do they plan to use the environment? This refers to determining the different environments (e.g., QA, test, development, and production) and how that structure will impact the IAM setup.
- How do they want to structure their organization? This involves deciding how resources in the cloud will be structured and divided up between different business units and teams.
Understanding the organizational structure and usage goals informs how access policies and resource controls are implemented.
How Can Organizations Balance Implicit Trust with Security?
Implicit trust (like a “remember me” feature or long-lived session tokens) is often implemented for user experience (UX) but poses a significant security risk if the access token is compromised.
Finding the Balance Point
- Risk Tolerance: The implicit trust lifetime is fundamentally an organizational and risk-based question. There is no standard rule; it depends on the business’s risk tolerance.
- UX vs. Security: While a long implicit trust time (a few days) offers a nice user experience, a very short token lifetime forces the user to log in repeatedly, which is challenging and unpopular.
Context-Driven Access Enforcement
The best way to balance this is by making the security requirement dependent on the activity the user is performing.
- Activity-Based Prompts: If a user is only viewing general data, the long-lived token might suffice. However, if the user attempts a sensitive action (e.g., downloading a payslip, downloading sensitive data, or taking administrative action), the system should prompt for a refresh and an additional MFA.
- Contextual Attributes: Security can be further enforced by bringing in additional context about the user and their connection, often transparently:
- Device: Is the user on a corporate-owned, trusted device with assurance that it hasn’t been compromised?
- Location: Is the user logging in from the same location as the last time, or is it impossible for them to have reached the new location in the elapsed time?
- Browser: The browser can collect information about where the user is coming from or query the device for a certificate to prove it is corporate-owned.
How Does IAM Secure Data in a Remote-First Culture?
For remote-first companies, particularly those dealing with sensitive data (like healthcare startups), IAM and its associated controls must be robust to protect data outside the traditional office perimeter.
Enabling Secure Remote Access
- The Browser as the Access Tool: The majority of applications are now accessed through the web browser. Bringing security into the browser is a critical way to enable the remote culture.
- Modern VPNs: New-school VPN options leverage the power of the cloud and its global network footprint to enable users to connect securely from anywhere, offering better latency and scaling than traditional, single-entry corporate VPNs.
Protecting Data in Transit (DLP)
Administrators can protect data flowing to remote users by implementing data loss prevention (DLP) controls across the network flow.
- DLP Inspection: DLP controls can inspect all the content going to and from the end user’s browser. This allows the organization to apply corporate DLP rules to the data passing through the connection.
- Tiered Controls: Security controls should be applied in tiers based on data interaction:
- Viewing Data: Lower requirement for additional security controls.
- Accessing/Downloading Data: Triggers verification of more factors, as the user is attempting to exfiltrate data.
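The context-driven enforcement described above (activity tier, device trust, impossible travel, token freshness) and the view-versus-download tiering in this section, as one added policy-evaluation example; this is constructed for illustration and is not code from SADA or the episode, and every threshold (session age, MFA freshness, travel speed) is an assumed policy value:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Policy values are constructed for this example, not figures from the episode.
SENSITIVE_ACTIONS = {"download_payslip", "download_sensitive_data", "admin_action"}
MAX_SESSION_AGE = timedelta(days=3)      # long-lived "remember me" window, fine for viewing
MAX_MFA_AGE = timedelta(minutes=10)      # how fresh a step-up MFA must be for sensitive actions
MAX_TRAVEL_SPEED_KMH = 900.0             # faster than this between two logins is impossible travel
NOW = datetime(2024, 1, 1, 12, 0)        # fixed clock so the example is deterministic
LONDON, NEW_YORK = (51.5074, -0.1278), (40.7128, -74.0060)

@dataclass
class Session:
    issued_at: datetime
    last_mfa_at: Optional[datetime]
    device_trusted: bool        # e.g. the browser presented a corporate device certificate
    last_lat: float
    last_lon: float
    last_seen_at: datetime

def distance_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle (haversine) distance between two coordinates, in km."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(s: Session, lat: float, lon: float, now: datetime) -> bool:
    """True if the user could not have reached (lat, lon) from the last seen location in time."""
    hours = max((now - s.last_seen_at).total_seconds() / 3600.0, 1e-6)
    return distance_km(s.last_lat, s.last_lon, lat, lon) / hours > MAX_TRAVEL_SPEED_KMH

def decide(s: Session, action: str, lat: float, lon: float, now: datetime) -> tuple:
    """Return (decision, reason): allow, step_up (refresh + extra MFA), reauthenticate or deny."""
    if now - s.issued_at > MAX_SESSION_AGE:
        return "reauthenticate", "implicit trust lifetime exceeded"
    if impossible_travel(s, lat, lon, now):
        return "deny", "impossible travel since last login"
    if action in SENSITIVE_ACTIONS:          # viewing stays on the long-lived token
        if not s.device_trusted:
            return "step_up", "sensitive action from an untrusted device"
        if s.last_mfa_at is None or now - s.last_mfa_at > MAX_MFA_AGE:
            return "step_up", "sensitive action without a fresh MFA"
    return "allow", "within policy"

def sample_session(days_old=1, mfa_minutes_ago=None, trusted=True) -> Session:
    """Constructed session: issued days_old ago, last seen in London two hours ago."""
    mfa = None if mfa_minutes_ago is None else NOW - timedelta(minutes=mfa_minutes_ago)
    return Session(NOW - timedelta(days=days_old), mfa, trusted, *LONDON, NOW - timedelta(hours=2))
```

Viewing from the usual location is allowed on the old token, a payslip download from the same place prompts for MFA, and a login from New York two hours after London is refused outright.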
How Should Organizations Manage Encryption Keys and Secrets?
The management of encryption keys is a core component of the Shared Responsibility Model, with cloud providers handling default encryption, but customers retaining control over critical keys.
- Cloud Default Encryption: For the majority of information, the standard approach is to use the cloud provider’s default encryption, where they manage the keys transparently, and data is encrypted at rest and in transit.
- Customer-Managed Keys: For sensitive data or situations requiring a higher mission assurance level, organizations should use customer-managed, customer-controlled keys.
- Control and Assurance: This ensures that the customer is the only person with the key who can decrypt the data, providing separation from the cloud provider even if they are asked for the data by a government.
- External Key Manager: This typically involves bringing in an external key manager (usually a third-party solution) that integrates with the cloud provider but adds an extra layer of separation.
- When to Use Custom Keys: Custom key management is typically only necessary when organizations have very high compliance requirements, such as FedRAMP High. This is where the requirement for customer-managed keys is a strict, hardline rule.
Security First: Balancing Compliance with Best Practices
The debate between security and compliance is an age-old question. John’s approach is to prioritize security first.
- Security Drives Compliance: His belief is that if an organization implements good security practices and follows best practice security measures, compliance will follow pretty easily.
- Reverse Methodology: Striving for security best practices (e.g., strong access controls, MFA, encryption) makes compliance essentially a checkbox.
- Capabilities Over Tools: When assessing security needs, organizations should focus on the capabilities they need to have (e.g., “What are the activities my organization needs to be able to do?”) rather than starting with a tool or compliance checklist. This clarity makes it easier to select the right tools.
How Can Security Baselines Promote a Security Culture?
Beyond technical controls, security baselines are essential tools for promoting a wider security culture.
- Ease of Use: Baselines should be designed to make everyone’s lives easier. Provide new teams and developers with Infrastructure as Code (IaC) templates that are pre-filled with security controls.
- Best Practice Default: The templates should automatically implement best practices that developers might not think of, such as removing default networks and SSH rules, and implementing access controls.
- Focus on Apps: This allows teams to focus on their core job—bringing their application—without needing to be security experts.
- Continuous Update: Baselines are not static. Threat intelligence informs and drives the maintenance and updates of baselines on an ongoing basis to ensure they stay relevant.
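A baseline check of the kind these templates are meant to enforce, as an added example (not SADA's tooling): it scans a constructed project description for the defaults the text calls out (a default network, an SSH rule open to the internet, access granted to public principals) and applies the baseline. The dictionary layout and key names are assumptions for this example, not any provider's real schema.

```python
# Constructed project description, shaped like what an IaC template might render.
# Keys and values are assumptions for this example, not any provider's real schema.
SAMPLE_PROJECT = {
    "networks": ["default", "app-vpc"],
    "firewall_rules": [
        {"name": "default-allow-ssh", "direction": "INGRESS", "ports": ["22"], "sources": ["0.0.0.0/0"]},
        {"name": "app-allow-lb", "direction": "INGRESS", "ports": ["443"], "sources": ["10.0.0.0/8"]},
    ],
    "iam_bindings": [
        {"role": "roles/viewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin", "members": ["group:app-team@example.com"]},
    ],
}

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def _port_matches(spec: str, port: int) -> bool:
    """True if a port spec such as '22' or '20-25' covers the given port."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def is_open_ssh(rule: dict) -> bool:
    """Ingress rule that admits port 22 from any source address."""
    return (rule.get("direction") == "INGRESS"
            and any(src in ANY_SOURCE for src in rule.get("sources", []))
            and any(_port_matches(p, 22) for p in rule.get("ports", [])))

def check_baseline(project: dict) -> list:
    """Return one finding per baseline deviation; an empty list means the project conforms."""
    findings = []
    if "default" in project.get("networks", []):
        findings.append("default network present; the baseline removes it")
    for rule in project.get("firewall_rules", []):
        if is_open_ssh(rule):
            findings.append(f"firewall rule {rule['name']} allows SSH from the internet")
    for b in project.get("iam_bindings", []):
        public = [m for m in b.get("members", []) if m in PUBLIC_PRINCIPALS]
        if public:
            findings.append(f"{b['role']} granted to public principal {', '.join(public)}")
    return findings

def harden(project: dict) -> dict:
    """Apply the baseline: drop the default network, open SSH rules and public principals."""
    bindings = []
    for b in project.get("iam_bindings", []):
        members = [m for m in b.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if members:                      # a binding left with no members is dropped entirely
            bindings.append({"role": b["role"], "members": members})
    return {"networks": [n for n in project.get("networks", []) if n != "default"],
            "firewall_rules": [r for r in project.get("firewall_rules", []) if not is_open_ssh(r)],
            "iam_bindings": bindings}
```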
What is the Key to Handling Stress and CISO Burnout?
The high rate of burnout among CISOs (73% felt burnout at some level) highlights the intense pressure of the job.
- Recognize and Ask for Help: The first step is recognizing the stress and burnout and being willing to raise your hand and ask for help and support. Many resources are available if you ask.
- Stepping Away: Physically stepping away from work, such as going for a walk, riding a bike, or exercising, can help with mental state and resetting the stress.
- Prioritization for “Small Emotional Wins”: Prioritize on both a daily and a macro level. Make a list of the top three most important things that must get done that day. On a macro level, focus limited resources on the most important parts of the business to protect (bang for the buck).
- Set To-Do List Night Before: Create the next day’s to-do list the night before to save time and start the morning knowing exactly what needs to be accomplished.
Conclusion: Securing the Future with Strategic IAM
John Giglio’s insights confirm that in the cloud era, IAM is the foundational discipline that must be treated as the new perimeter. Successfully securing the organization relies on moving beyond simple user management to a strategic, risk-based approach.
This means prioritizing security first to ensure compliance follows easily, making access context-driven—enforcing controls based on the activity, device, and location—and empowering developers with secure-by-default IAM baselines. Ultimately, while the CISO role is intensely challenging, combatting burnout relies on recognizing the stress, asking for help, and employing ruthless prioritization to achieve small, consistent emotional wins.