Demystifying Identity Access Management (IAM Security)

The New Perimeter, Context-Driven Access, and Combatting Burnout

In modern cloud environments, Identity and Access Management (IAM) is no longer just a technical function; it is the fundamental control layer that protects the entire organization. IAM has evolved into the “new perimeter,” necessitating a strategic approach that balances security rigor with seamless user experience.

We spoke with John Giglio, Director of Cloud Security at SADA and a former Marine, about the foundational importance of IAM, strategies for risk-based access control, the growing challenge of CISO burnout, and the key to building a robust security culture.

You can read the complete transcript of the episode here.

What is the Core Ideology of IAM, and Why is it the New Perimeter?

IAM stands for Identity and Access Management, but its core purpose is far broader than mere user management.

  • Identity as Access Control: Identity now governs access to almost everything; it is the factor through which access to applications, data and infrastructure is decided.
  • The “New Perimeter”: In many modern architectures, identity has become the new perimeter, serving as the boundary that protects resources and replacing the traditional network-centric perimeter.
  • The Challenges: The challenge lies in managing the sheer number of moving parts. With users needing access to numerous systems, and requirements changing frequently (e.g., promotions, department changes), it is often easier to be overly permissive than to strictly manage access, which is how stale and excessive permissions accumulate.

What Foundational Questions Must Be Answered Before Setting up IAM?

Before an organization, whether a small startup or a large enterprise, begins setting up IAM in the cloud, two foundational questions must be addressed to ensure the setup is strategic and scalable:

  • How do they plan to use the environment?

    This refers to determining the different environments (e.g., QA, test, development, and production) and how that structure will impact the IAM setup.

  • How do they want to structure their organization?

    This involves deciding how resources in the cloud will be structured and divided up between different business units and teams.

Understanding the organizational structure and usage goals informs how access policies and resource controls are implemented.

How Can Organizations Balance Implicit Trust with Security?

Implicit trust (like a “remember me” feature or long-lived session tokens) is often implemented for user experience (UX) but poses a significant security risk: a stolen access token remains valid for the entire trust window.

Finding the Balance Point

  • Risk Tolerance: The implicit trust lifetime is fundamentally an organizational and risk-based question. There is no standard rule; it depends on the business’s risk tolerance.
  • UX vs. Security: A long implicit trust time (a few days) offers a pleasant user experience, while a very short token lifetime forces the user to log in repeatedly, which is disruptive and unpopular.

Context-Driven Access Enforcement

The best way to balance this is by making the security requirement dependent on the activity the user is performing.

  • Activity-Based Prompts: If a user is only viewing general data, the long-lived token might suffice. However, if the user attempts a sensitive action (e.g., downloading a payslip, downloading sensitive data, or taking administrative action), the system should require re-authentication plus an additional MFA factor (step-up authentication) before proceeding.
  • Contextual Attributes: Security can be further enforced by bringing in additional context about the user and their connection, often transparently:
    • Device: Is the user on a corporate-owned, trusted device with assurance that it hasn’t been compromised?
    • Location: Is the user logging in from the same location as the last time, or is it impossible for them to have reached the new location in the elapsed time?
    • Browser: The browser can report where the user is coming from, or query the device for a client certificate proving it is corporate-owned.
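The decision logic described above, as an added example that is not code from the original post or from SADA: it combines action sensitivity, token age, MFA freshness, device trust and an impossible-travel check into one explainable allow / step-up / deny verdict. The thresholds (three-day trust window, 15-minute MFA freshness, 1000 km/h travel ceiling), the coordinates and the sample contexts are assumptions constructed for the example.

```python
"""Context-driven step-up decision (added example, not the post's code).

Combines the signals named in the text: how sensitive the attempted action is,
how old the long-lived token is, how recently MFA was completed, whether the
device is a trusted corporate one, and whether the user could plausibly have
travelled from the previous login location. All thresholds are assumed values.
"""
from dataclasses import dataclass
from enum import Enum
from math import asin, cos, radians, sin, sqrt
from typing import Tuple

# Assumed policy constants: these encode an organisation's risk tolerance.
TOKEN_MAX_AGE_S = 3 * 24 * 3600      # "a few days" of implicit trust
MFA_FRESHNESS_S = 15 * 60            # sensitive actions need MFA within 15 minutes
MAX_PLAUSIBLE_SPEED_KMH = 1000.0     # faster than this is "impossible travel"
SAME_PLACE_KM = 1.0                  # geo-IP jitter tolerance


class Sensitivity(Enum):
    LOW = "view"        # viewing general data
    HIGH = "download"   # payslips, sensitive exports
    ADMIN = "admin"     # administrative actions


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # prompt for fresh MFA, then retry the request
    DENY = "deny"


@dataclass(frozen=True)
class RequestContext:
    token_age_s: int                   # age of the long-lived session token
    seconds_since_mfa: int             # time since the last completed MFA
    device_trusted: bool               # corporate-owned, certificate-backed, healthy
    last_login: Tuple[float, float]    # (lat, lon) of the previous login
    this_login: Tuple[float, float]    # (lat, lon) of this request
    seconds_since_last_login: int


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(ctx: RequestContext) -> bool:
    """True if the user would have had to move faster than any airliner."""
    dist = haversine_km(ctx.last_login, ctx.this_login)
    if dist < SAME_PLACE_KM:
        return False
    hours = max(ctx.seconds_since_last_login, 1) / 3600.0
    return dist / hours > MAX_PLAUSIBLE_SPEED_KMH


def evaluate(action: Sensitivity, ctx: RequestContext) -> Tuple[Decision, str]:
    """Return the decision and its reason, so the outcome can be logged and explained."""
    if ctx.token_age_s > TOKEN_MAX_AGE_S:
        return Decision.STEP_UP, "implicit trust window expired"
    if impossible_travel(ctx):
        return Decision.DENY, "impossible travel since previous login"
    if action is Sensitivity.LOW:
        return Decision.ALLOW, "low-sensitivity activity within trust window"
    if action is Sensitivity.ADMIN and not ctx.device_trusted:
        return Decision.DENY, "administrative action from an untrusted device"
    if ctx.seconds_since_mfa > MFA_FRESHNESS_S:
        return Decision.STEP_UP, "sensitive action requires fresh MFA"
    return Decision.ALLOW, "sensitive action with fresh MFA"


# Constructed sample data (approximate city-centre coordinates).
NEW_YORK = (40.7128, -74.0060)
LONDON = (51.5074, -0.1278)


def sample_contexts() -> dict:
    day2 = 2 * 24 * 3600
    return {
        "at_desk":     RequestContext(day2, 2 * 3600, True, NEW_YORK, NEW_YORK, 3600),
        "fresh_mfa":   RequestContext(day2, 5 * 60, True, NEW_YORK, NEW_YORK, 3600),
        "teleported":  RequestContext(3600, 5 * 60, True, NEW_YORK, LONDON, 30 * 60),
        "stale_token": RequestContext(4 * 24 * 3600, 5 * 60, True, NEW_YORK, NEW_YORK, 3600),
        "byod":        RequestContext(3600, 60, False, NEW_YORK, NEW_YORK, 3600),
    }


if __name__ == "__main__":
    for name, ctx in sample_contexts().items():
        for action in Sensitivity:
            decision, why = evaluate(action, ctx)
            print(f"{name:12s} {action.value:9s} -> {decision.value:8s} ({why})")
```

The check order matters: an expired trust window or impossible travel is evaluated before the action is considered, so a stolen token used from a new continent is refused even for read-only activity, while a colleague at the same desk with a two-day-old token can keep reading without a prompt and only sees MFA when they try to download or administer.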

How Does IAM Secure Data in a Remote-First Culture?

For remote-first companies, particularly those dealing with sensitive data (like healthcare startups), IAM and its associated controls must be robust to protect data outside the traditional office perimeter.

Enabling Secure Remote Access

  • The Browser as the Access Tool: The majority of applications are now accessed through the web browser. Bringing security into the browser is a critical way to enable the remote culture.
  • Cloud-Delivered VPNs: Newer VPN options leverage the cloud provider’s global network footprint to let users connect securely from anywhere, offering better latency and scaling than a traditional corporate VPN with a single entry point.

Protecting Data Flowing to Remote Users (DLP)

Administrators can protect data flowing to remote users by implementing data loss prevention (DLP) controls across the network flow.

  • DLP Inspection: DLP controls can inspect all the content going to and from the end user’s browser. This allows the organization to apply corporate DLP rules to the data passing through the connection.
  • Tiered Controls: Security controls should be applied in tiers based on how the user interacts with the data:
    • Viewing Data: Lower requirement for additional security controls.
    • Accessing/Downloading Data: Triggers verification of additional factors, because the user is moving data out of the controlled environment, which is the same path an exfiltration would take.
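The inspection and tiering described above, as an added example that is not code from the original post or from any DLP product: a content inspector for the browser path that finds payment card numbers (validated with the Luhn checksum so random digit runs are not flagged) and US-style SSNs, then applies the two tiers from the text, masked delivery for viewing and a step-up hold for downloads. The patterns, the masking rule (last four digits stay visible) and the sample text are assumptions constructed for the example.

```python
"""Browser-path DLP inspection with tiered enforcement (added example, not the post's code).

Inspects a response body on its way to a remote user's browser for sensitive
patterns and applies the two tiers from the text: viewing is allowed with the
matches masked; downloading anything that contains a match is withheld until
additional factors are verified. The sample text is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN shape (assumed pattern)
KEEP_LAST = 4                                        # digits left visible when masking


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect(text: str) -> List[Finding]:
    """Return non-overlapping findings sorted by position."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(Finding("card", m.start(), m.end()))
    for m in SSN_RE.finditer(text):
        found.append(Finding("ssn", m.start(), m.end()))
    found.sort(key=lambda f: f.start)
    kept, last_end = [], -1          # drop overlaps so masking stays well-formed
    for f in found:
        if f.start >= last_end:
            kept.append(f)
            last_end = f.end
    return kept


def mask(text: str, findings: List[Finding]) -> str:
    """Replace every digit of each finding except the last KEEP_LAST with '*'."""
    digit_with_more_after = re.compile(r"\d(?=(?:\D*\d){%d})" % KEEP_LAST)
    out, pos = [], 0
    for f in findings:
        out.append(text[pos:f.start])
        out.append(digit_with_more_after.sub("*", text[f.start:f.end]))
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


def enforce(text: str, operation: str) -> Tuple[str, str]:
    """operation is 'view' or 'download'; returns (verdict, body delivered to the browser)."""
    findings = inspect(text)
    if not findings:
        return "allow", text
    if operation == "view":
        return "allow_masked", mask(text, findings)
    return "step_up", ""   # withhold the download until extra factors are verified


# Constructed sample response body: one Luhn-valid card, one Luhn-invalid look-alike, one SSN.
SAMPLE = (
    "Invoice 2024-0042 for account 1234 5678 9012 3456 (ref only).\n"
    "Card on file: 4111 1111 1111 1111, employee SSN 123-45-6789."
)

if __name__ == "__main__":
    for op in ("view", "download"):
        verdict, body = enforce(SAMPLE, op)
        print(f"{op}: {verdict}\n{body}\n")
```

The Luhn filter is what keeps a control like this tolerable in practice: the invoice's 16-digit account reference passes the shape check but fails the checksum, so it is left untouched, while the real card number and the SSN are masked for viewing and block the download tier until the user completes the extra verification.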

How Should Organizations Manage Encryption Keys and Secrets?

The management of encryption keys is a core component of the Shared Responsibility Model, with cloud providers handling default encryption and customers retaining control over critical keys.

  • Cloud Default Encryption: For the majority of information, the standard approach is to use the cloud provider’s default encryption, where the provider manages the keys transparently and data is encrypted at rest and in transit.
  • Customer-Managed Keys: For sensitive data or situations requiring a higher mission assurance level, organizations should use customer-managed, customer-controlled keys.
    • Control and Assurance: The customer alone holds the key needed to decrypt the data, providing separation from the cloud provider even if the provider is asked for the data by a government.
    • External Key Manager: This typically involves bringing in an external key manager (usually a third-party solution) that integrates with the cloud provider but adds an extra layer of separation.
  • When to Use Customer-Managed Keys: Customer-managed keys are typically only necessary when organizations have very high compliance requirements, such as FedRAMP High. This is where the requirement for customer-managed keys is a strict, hardline rule.
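The separation that an external key manager provides, as an added example that is not code from the original post or from any cloud provider's SDK: envelope encryption in which the cloud side stores only the ciphertext and a wrapped per-object data key, while the key-encryption key never leaves a customer-side key manager. Destroying that key renders every object unreadable (crypto-shredding), which is the property a legal demand to the provider cannot get around. The `CustomerKeyManager` class, the `StoredObject` layout and the sample record are assumptions; the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for AES-256-GCM so the block runs on the standard library alone.

```python
"""Envelope encryption with a customer-held key-encryption key (added example, not the post's code).

The provider holds StoredObject: ciphertext plus the *wrapped* data-encryption
key (DEK). The key-encryption key (KEK) lives in CustomerKeyManager, a stand-in
for an external key manager, and is never exported. seal/unseal implement an
HMAC-SHA256 keystream with encrypt-then-MAC, used here in place of AES-256-GCM
so the example needs nothing outside the standard library.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class CustomerKeyManager:
    """Stand-in for the external key manager: exposes wrap/unwrap, never the KEK itself."""

    def __init__(self) -> None:
        self._kek: Optional[bytes] = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        if self._kek is None:
            raise PermissionError("KEK destroyed or withheld")
        return seal(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        if self._kek is None:
            raise PermissionError("KEK destroyed or withheld; data is unrecoverable")
        return unseal(self._kek, wrapped)

    def destroy(self) -> None:
        """Crypto-shredding: every object wrapped under this KEK becomes unreadable."""
        self._kek = None


@dataclass(frozen=True)
class StoredObject:
    """Everything the cloud provider holds; nothing here decrypts without the KEK."""
    ciphertext: bytes
    wrapped_dek: bytes


def encrypt_object(km: CustomerKeyManager, plaintext: bytes) -> StoredObject:
    dek = secrets.token_bytes(32)            # fresh data key per object
    return StoredObject(seal(dek, plaintext), km.wrap(dek))


def decrypt_object(km: CustomerKeyManager, obj: StoredObject) -> bytes:
    return unseal(km.unwrap(obj.wrapped_dek), obj.ciphertext)


def raises(exc: type, fn, *args) -> bool:
    """True if fn(*args) raises exc; used to demonstrate the failure modes."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    km = CustomerKeyManager()
    obj = encrypt_object(km, b"patient record 42")        # constructed sample record
    print(decrypt_object(km, obj))
    km.destroy()
    print("after KEK destroyed, decrypt raises:", raises(PermissionError, decrypt_object, km, obj))
```

Two things are worth noticing when running it: the provider-side copy can be handed over in full and still yields nothing, and a single `destroy()` call on the customer side retires every object at once, which is why rotation and retirement of the KEK, not of the per-object keys, is the operational procedure to rehearse.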

Security First: Balancing Compliance with Best Practices

The debate between security and compliance is an age-old question. John’s approach is to prioritize security first.

  • Security Drives Compliance: He holds that if an organization implements good security practices and follows best-practice security measures, compliance follows with little extra effort.
  • Reverse Methodology: Driving toward security best practices (e.g., strong access controls, MFA, encryption) turns compliance into little more than a checkbox.
  • Capabilities Over Tools: When assessing security needs, organizations should focus on the capabilities they need to have (e.g., “What are the activities my organization needs to be able to do?”) rather than starting with a tool or compliance checklist. This clarity makes it easier to select the right tools.

How Can Security Baselines Promote a Security Culture?

Beyond technical controls, security baselines are essential tools for promoting a wider security culture.

  • Ease of Use: Baselines should be designed to make everyone’s lives easier. Provide new teams and developers with Infrastructure as Code (IaC) templates that are pre-filled with security controls.
  • Best Practice Default: The templates should automatically implement best practices that developers might not think of, such as removing default networks and world-open SSH rules, and implementing access controls.
  • Focus on Apps: This allows teams to focus on their core job—bringing their application—without needing to be security experts.
  • Continuous Update: Baselines are not static. Threat intelligence informs and drives the maintenance and updates of baselines on an ongoing basis to ensure they stay relevant.
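One way to make the SSH part of that baseline enforceable, as an added example that is not code from the original post or from Cloudanix: a check over a parsed CloudFormation template (the dict `json.load` would produce) that flags security-group ingress admitting SSH, or all traffic, from the whole internet, plus an `apply_baseline` function that strips those rules so a template can be handed to a new team already clean. Both templates are constructed for the example; the resource names and the 10.0.0.0/16 VPC range are assumptions.

```python
"""IaC baseline audit and auto-fix for security-group ingress (added example, not the post's code).

Works on a parsed CloudFormation template. audit() lists rules that break the
baseline (SSH or all traffic reachable from 0.0.0.0/0 or ::/0); apply_baseline()
returns a copy with those rules removed and leaves the input untouched.
"""
import copy
from typing import Iterator, List, Optional, Tuple

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22
SG_TYPE = "AWS::EC2::SecurityGroup"
INGRESS_TYPE = "AWS::EC2::SecurityGroupIngress"


def _world_open(rule: dict) -> bool:
    return rule.get("CidrIp") in WORLD_CIDRS or rule.get("CidrIpv6") in WORLD_CIDRS


def _all_traffic(rule: dict) -> bool:
    return str(rule.get("IpProtocol", "")) == "-1"      # CloudFormation's "any protocol"


def _covers_ssh(rule: dict) -> bool:
    if _all_traffic(rule):
        return True
    if str(rule.get("IpProtocol", "")) not in ("tcp", "6"):
        return False
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return lo <= SSH_PORT <= hi


def _violation(rule: dict) -> Optional[str]:
    """Reason the rule breaks the baseline, or None if it is acceptable."""
    if not _world_open(rule):
        return None
    if _all_traffic(rule):
        return "all traffic reachable from the internet"
    if _covers_ssh(rule):
        return "SSH reachable from the internet"
    return None


def _ingress_rules(template: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (logical id, rule) for inline and standalone ingress definitions."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == SG_TYPE:
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == INGRESS_TYPE:
            yield name, props


def audit(template: dict) -> List[Tuple[str, str]]:
    findings = []
    for name, rule in _ingress_rules(template):
        reason = _violation(rule)
        if reason is not None:
            findings.append((name, reason))
    return findings


def apply_baseline(template: dict) -> dict:
    """Return a copy with baseline-violating ingress removed."""
    fixed = copy.deepcopy(template)
    resources = fixed.get("Resources", {})
    for name in list(resources):
        res = resources[name]
        props = res.get("Properties", {})
        if res.get("Type") == SG_TYPE and "SecurityGroupIngress" in props:
            props["SecurityGroupIngress"] = [
                r for r in props["SecurityGroupIngress"] if _violation(r) is None
            ]
        elif res.get("Type") == INGRESS_TYPE and _violation(props) is not None:
            del resources[name]
    return fixed


# Constructed template with the two defaults the baseline should strip and one acceptable rule.
DEFAULT_TEMPLATE = {
    "Resources": {
        "WebSg": {"Type": SG_TYPE, "Properties": {
            "GroupDescription": "web tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            ]}},
        "AdminAll": {"Type": INGRESS_TYPE, "Properties": {
            "GroupId": {"Ref": "WebSg"}, "IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}},
        "AppSg": {"Type": SG_TYPE, "Properties": {
            "GroupDescription": "app tier, SSH only from inside the VPC (assumed 10.0.0.0/16)",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/16"},
            ]}},
    }
}

if __name__ == "__main__":
    for name, reason in audit(DEFAULT_TEMPLATE):
        print(f"{name}: {reason}")
    print("after baseline:", audit(apply_baseline(DEFAULT_TEMPLATE)))
```

Run it in CI against every template before deployment and the baseline stops being advice: HTTPS to the world survives, SSH from the VPC survives, and the two rules a developer might paste in to get unblocked are gone before they reach an account.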

What is the Key to Handling Stress and CISO Burnout?

The high rate of burnout among CISOs (73% felt burnout at some level) highlights the intense pressure of the job.

  • Recognize and Ask for Help: The first step is recognizing the stress and burnout and being willing to raise your hand and ask for help and support. Many resources are available if you ask.
  • Stepping Away: Physically stepping away from work, such as going for a walk, riding a bike, or exercising, can help with mental state and resetting the stress.
  • Prioritization for “Small Emotional Wins”: Focus on prioritization on both a daily and macro level. Make a list of the top three most important things that must get done that day. On a macro level, focus limited resources on the most important parts of the business to protect (bang for the buck).
  • Set To-Do List Night Before: Create the next day’s to-do list the night before to save time and start the morning knowing exactly what needs to be accomplished.

Conclusion: Securing the Future with Strategic IAM

John Giglio’s insights confirm that in the cloud era, IAM is the foundational discipline that must be treated as the new perimeter. Successfully securing the organization relies on moving beyond simple user management to a strategic, risk-based approach.

This means prioritizing security first so that compliance follows easily, making access context-driven by enforcing controls based on the activity, device and location, and empowering developers with secure-by-default IAM baselines. Ultimately, while the CISO role is intensely challenging, combatting burnout relies on recognizing the stress, asking for help, and employing ruthless prioritization to achieve small, consistent emotional wins.
