This Week’s Featured IAM Resource
This week we are highlighting The Director’s Guide: IAM Security at Scale by Kyle Chrzanowski (Mandiant | Google Cloud) because it offers a concise, implementation-focused guide to architecting IAM at scale.
The article defines foundational use cases (like onboarding and privilege management), maps them to key tools, and proposes a rollout sequence designed to minimize disruption while accelerating security maturity.
The Problem
Identity and Access Management (IAM) at enterprise scale presents daily operational challenges for security teams.
Kyle has correctly identified that organizations frequently struggle with:
- Slow, manual access provisioning processes that frustrate users and delay business operations
- Fragmented identity systems resulting from mergers, acquisitions, and legacy technology
- Unclear ownership of IAM components between security, IT, and application teams
- Mounting technical debt from custom integrations and one-off access solutions
- Management pressure to accelerate cloud initiatives without adequate IAM foundations
Practical IAM Implementation Tips
Kyle’s article lays out a clear, director-level framework for implementing IAM at scale.
Tech Stack Rollout Sequence: To build a resilient IAM foundation, the article recommends the following order of operations:
- Identity Provider (IdP) – establish a single source of identity
- Identity Governance and Administration (IGA) – automate lifecycle and access approvals
- Privileged Access Management (PAM) – protect high-risk actions and accounts
- Security controls – such as MFA and conditional access
- Application onboarding to SSO – after automation is in place
This sequence ensures automation and governance are in place before taking on the high-effort work of app migration.
Application Migration Strategy: Start with low-user-count, low-risk applications to help your team gain experience and confidence.
The article recommends “soft transitions” — running old and new authentication systems side-by-side — to avoid the disruption of hard cutovers.
More helpful Enterprise IAM resources
- https://cloud.google.com/iam/docs
- https://learn.microsoft.com/en-us/entra/id-governance/entitlement-management-overview
- https://aws.amazon.com/blogs/security/how-to-assess-and-improve-your-aws-identity-and-access-management-maturity/
IAM Fun Fact
When you delete an IAM role, AWS does not automatically terminate active sessions that were created using that role’s credentials.
If a user or service assumed the role via sts:AssumeRole and received temporary credentials, those credentials remain valid until they expire, even after the role is deleted.
That means someone could still access AWS resources using valid session tokens from a now-deleted role. This subtle behavior can introduce risk during IAM cleanups or migrations.
Best Practices:
- Use CloudTrail to monitor AssumeRole activity
- Set short MaxSessionDuration for sensitive roles
- Consider session policies or permissions boundaries to restrict the blast radius
- Remove trust relationships to block new sessions before deletion
Learn more: AWS Docs – Using IAM Roles
This kind of edge case is exactly why Kyle recommends starting IAM migrations with low-risk apps first — so your team can develop muscle memory for these subtleties before touching mission-critical systems.
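As an added illustration of the best practices above (example code written for this newsletter, not from Kyle’s article or from AWS): a pre-deletion check that walks CloudTrail AssumeRole records for a role, reports sessions whose temporary credentials may still be valid, and builds the trust policy that blocks new sessions. The CloudTrail records are constructed samples, and the deny-all trust policy is one assumed way to “remove trust relationships” before deleting the role.

```python
"""Pre-deletion check for an IAM role: which AssumeRole sessions could still be live,
when the last one expires, and a trust policy that stops new ones being minted."""
import json
from datetime import datetime, timedelta, timezone

ROLE = "arn:aws:iam::123456789012:role/LegacyDeploy"  # placeholder account/role

# Constructed sample CloudTrail records (not real data); only the AssumeRole
# fields this check needs are included: eventTime, requestParameters, userIdentity.
SAMPLE_EVENTS = [
    {"eventTime": "2024-06-01T10:00:00Z", "eventName": "AssumeRole",
     "eventSource": "sts.amazonaws.com",
     "requestParameters": {"roleArn": ROLE, "durationSeconds": 3600},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-06-01T08:00:00Z", "eventName": "AssumeRole",
     "eventSource": "sts.amazonaws.com",
     "requestParameters": {"roleArn": ROLE, "durationSeconds": 3600},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-06-01T10:10:00Z", "eventName": "AssumeRole",
     "eventSource": "sts.amazonaws.com",
     "requestParameters": {"roleArn": ROLE},  # no durationSeconds: STS default applies
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dave"}},
    {"eventTime": "2024-06-01T10:20:00Z", "eventName": "AssumeRole",
     "eventSource": "sts.amazonaws.com",
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/Other"},
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"}},
]

def live_sessions(events, role_arn, now, default_duration=3600):
    """Return [(caller_arn, expiry)] for sessions of role_arn still valid at `now`.
    Expiry is derived as eventTime + durationSeconds (STS default 3600 s if absent)."""
    live = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        params = ev.get("requestParameters") or {}
        if params.get("roleArn") != role_arn:
            continue
        start = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        expiry = start + timedelta(seconds=int(params.get("durationSeconds", default_duration)))
        if expiry > now:
            live.append((ev.get("userIdentity", {}).get("arn", "unknown"), expiry))
    return sorted(live, key=lambda s: s[1])

def safe_delete_after(events, role_arn, now):
    """Earliest time at which no session minted before `now` can still be valid."""
    live = live_sessions(events, role_arn, now)
    return live[-1][1] if live else now

def blocking_trust_policy():
    """Assumed trust policy to apply before deletion: no Allow, explicit Deny on AssumeRole."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})
```

Feed it real records by exporting `LookupEvents` output for `EventName=AssumeRole`; the blocking policy is what you would pass to `update-assume-role-policy` before the delete.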
🎩 Tip of the cap to Kyle Chrzanowski for this practical, experience-based guidance!
Stay up to date with The Effective IAM Newsletter: