A late reply, but thats not how AWS IAM (or most advanced authz systems) work. AWS IAM is a “capability” system with dynamic policies; its nothing so simple as a “role” based authorization contrary to some product naming. To wit, every authz evaluation is a dynamic evaluation of policy and context. Each check uses one or more policies with one or more policy statements that are combined with some boolean logic and predicate rules. The policies may be associated (sourced) with the particular request based on calling principal, principal attributes, the target resource, a related resource, or even other metadata like AWS Org membership. Thats combined with the point in time context from the request (ex action name, parameters), request metadata (eg time), principal (id, tags, etc), resource (arn, attributes, tags), and some more “system” specific context variables. You (and the authorizing service) need ALL of that information to perform an authz evaluation.
This is complicated by dynamic data, like time or source address or caller principal tag values, so even identical requests may have different results. There are also complications like DENY statements and “unless” predicates that entirely defeat a simple “resource x requires y” approach.
Evem if you solve all of those challenges via magic you end up back at information disclosure where your adversary is now capable of rapidly enumerating and testing all your authz policies!
That's easy to solve. When they ask me it might take an hour or two until I come back to them. If they were just trying to us me as a rubber duck the problem will have been solved by then.
And it's not only devs. Also PMs have this behaviour. Sitting it out before asking what they need makes most question vanish.
I don't know anything about cloud VMs, but I'm confused about how this is possible. Wouldn't determining whether you are HIPAA complaint depend on auditing all kinds of application details about how information flows through the system and how authentication and authorization are done? How could this be validated statically by looking at cloud VM config? Is Wiz doing some kind of AI magic over your whole codebase?
I am sure I am misunderstanding something, but I'm not sure what.
They scan for everything they can and report on that. They don't claim to be able to tell you if you're 100% compliant--they just claim to be able to alert you if some subset of the requirements are out of order.
And that still provides a lot of value to the right customers.
It probably appeals to the kind of businesses that see compliance as a list of checkboxes. Just make sure employees have signed the nda and contract and stuff. Doesn't matter if they are a salesperson and the nda says they can't talk about the product.
Figures. Crazy how badly I midsized this problem. When I was working on a cloud provider I suspected this would be a big problem space for building in, but I thought it was in the low billions, I was thinking (I guess stupidly) that the clouds and tools around them would be kind enough to create a lot of standardization so as at least this stuff wasn't junk. I get wanting to create a bit of friction, but thought "this is a bad place to make high friction". I guess it's pretty bad given the size of this acquisition? Or GCP just wants surface area data on other cloud providers (I presume this would aid in that, but I don't know)?
Idk about other clouds, but Google didn’t eat their own cloud dog food when I was there. We had people food (borg) that was kinda impossible to separate from the infrastructure of google3 (and Google dev processes) and so cloud was built different. It wouldn’t surprise me if that organization just had no awareness of how bad the friction really was for long enough for Wiz to get really good at it?
I'm not at Google, but the usual thinking is that the public product fixed a lot of the design warts of the internal one, but it's only 90% feature compatible, and the internal migration has an opportunity cost that's higher than the cost of maintaining two similar products.
I don't see the need for sarcasm. Most mid-size and up companies have security departments. And they use tools to make their jobs easier.
The problem with the cloud, from a security standpoint is that is it much more complex than a traditional on-premise infrastructure, especially if you go the "managed services" route and have minimal code.
Seems pretty bug free for a first version.
reply