Introduction
My first exposure to the cloud was at my first startup company. I was the “CTO” (a title that doesn’t mean much given there were only five people on the team) and was fresh out of college. We were building wearable hardware which measured heart rate and other biometrics and had written a ton of Python scripts to analyse the data. We were running these scripts on our own computers but needed a way to analyse the data automatically as part of our product. Enter The Cloud.
We signed up to all three major cloud providers (AWS, Azure and Google Cloud) to take advantage of as many startup credits as we could get our hands on. You could call us early adopters of multi-cloud. I was the overall administrator of these cloud accounts and began to set them up.
I made my first cloud access management mistake while trying to invite my cofounder to our AWS environment, where I had started trying to host our Python scripts. I told him: “sign up for a new account and I’ll figure out how to add your account to my team”. Little did I realise that signing up for a new account created an entirely separate AWS environment for my cofounder. AWS accounts are notoriously difficult to close, so I would not be surprised if his extra account still exists to this day. At this point, I realised that cloud Identity and Access Management (IAM) is complex and nuanced and that it was very easy to make mistakes. I needed to provision IAM users and roles just to run some simple Python scripts. The very fact that we were using the cloud at all meant we had IAM problems we needed to solve.
That was not my first IAM mistake either. Throughout my time in the startup and the subsequent teams I worked with as a freelancer, I think I’ve made every conceivable mistake that one could make. From sending credentials with administrative access over Slack, to writing horrendously overprivileged IAM policies, to pulling my hair out debugging services while trying to remove permissions to achieve “least-privilege”, I’ve seen many IAM challenges firsthand.
Later, I built a product development consultancy and started helping teams avoid the mistakes I made. I helped our clients set up foundational best practices in the cloud. IAM is a big aspect of this, and I realised that a small amount of upfront planning can save a huge amount of future technical debt in your cloud.
What is this book?
Lean Cloud Identity is a book describing the foundational cloud IAM practices I wish I had known when I first set up the cloud environments for my first startup. It’s tailored for organisations that are earlier in their cloud security journey. My intended audience is technical folk at both small and large organisations who are aiming to set up good cloud practices but have limited time and resources to achieve this. This is where the “lean” aspect of Lean Cloud Identity comes in. We’ll run through the highest-impact practices that you can adopt quickly and aim to simplify your cloud IAM rather than make it more complicated.
It’s also important to note that I have a vested interest in making IAM easier. I am a co-founder of Common Fate, a company built around open source IAM tools. That being said, this book focuses on processes and best practices to adopt, rather than focusing on tools or products themselves.
Get the book
Lean Cloud Identity is a free book describing the foundational cloud IAM practices.