A Year of NO: Building Organizational IAM Guardrail Policies That Work
Watch the presentation by Ermetic Research Lead Noam Dahan at fwd:cloudsec 2023
Organizational policies are a key part of every organization’s cloud IAM strategy. They supplement least-privilege best practices by establishing guardrails that protect the organization from unknown threats, and limit the extent of damage that can potentially be caused by compromised identities, workloads or credentials.
In this talk, Ermetic Research Lead Noam Dahan explores how to build, test, and deploy effective organizational policies. He grounds the discussion in the real threats and TTPs we are trying to protect ourselves from, the crown jewels we need to protect, the vulnerable points in our environment, and the data perimeter. He also dives into how organizational IAM policies are implemented in each cloud provider, how they behave differently in edge cases, and how we should adjust our strategy to accommodate these differences. Lastly, he discusses strategies for building, testing, and deploying organizational policies, and recommends a process for creating and evaluating them (including how to build detection mechanisms in case of violations).