Book review: Identity-Native Infrastructure Access Management

In today’s rapidly evolvi… just kidding.

I keep hearing that in 2025 identity is the new perimeter. With cloud being as prevalent as it is, employees working remotely, code being written faster than ever, and AI agents gaining traction, it is not surprising that this keeps coming up.

In my experience, identity is often the main area of concern for my peers, and it spills into many other security disciplines. From the SecOps perspective, which is my area of expertise, nearly all alerts we investigate involve identities in one way or another.

Identity is important, probably more than it has ever been. But do you know what else identity is, at least to me? Boring. I do not know why, but groups, accounts, privileges, all of that never sparked much interest for me. I know just enough to do my job in the SecOps and incident response space, and I never felt like I wanted to dive deeper. Well, that might not be entirely true. I tried reading up on identity, but I could never power through an article without getting bored halfway through and abandoning it.

And yet, I picked up Identity Native Infrastructure Access Management by Ev Kontsevoy, Sakshyam Shah, and Peter Conrad as the first book I will review on my blog. Why? I decided it was time to grow up and start reading proper books on identity. It also happened to be only 130 pages long and had a boar on the cover, which helped.

Let’s dig in.

Identity-Native Infrastructure Access Management

Book by Ev Kontsevoy, Sakshyam Shah, and Peter Conrad. 130 pages or so. The theme? Eliminating secrets and adopting a Zero Trust model.

The first question that comes to mind while reading the title is – what is Identity-Native Access?

The authors describe it as a way of replacing passwords and other secrets with the physical traits of devices and the biological traits of people. This makes identity much harder to fake and greatly reduces the chance of human error. When every participant in an access request can prove who they truly are, security rules can be applied without relying on secrets. The result is a safer way to ensure that only the right people and systems can reach protected resources.

In practice it means relying on biometrics for humans and HSMs / TPMs for machines, and building authentication systems around that.

In the book, the authors maintain that secrets are not scalable, cause security issues, and introduce the possibility of human error. As organizations grow, their attack surface grows with them, and this becomes even more evident in the age of managing resources as code, where rapid provisioning lets IT teams move faster than security can keep up. Secrets are inherently vulnerable, and MFA does not really fix the problem. As the authors put it in the first chapter:

Unfortunately, common implementations of multifactor authentication simply convert the know + have pair of secrets into a session token or a browser cookie—just another secret, with all the problems that a secret entails
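To make the model the authors advocate concrete (a key that never leaves the device, plus a short-lived certificate issued by a CA, in place of a reusable secret or session token), here is a small Go sketch. It is my own added illustration, not code from the book or from Teleport: the certificate layout, the function names and the ten-minute TTL are assumptions, and the device key is an in-memory stand-in for a TPM- or HSM-resident one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Cert is a deliberately minimal short-lived certificate: a CA vouches that
// whoever controls DevicePub acts as Principal, but only between NotBefore and
// NotAfter. The private half of DevicePub is meant to live in a TPM/HSM and
// never leave it. (Constructed format for illustration, not Teleport's.)
type Cert struct {
	Principal string
	DevicePub ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	CASig     []byte // CA signature over certBody(...)
}

// certBody serialises the signed fields so issuer and verifier sign/verify the same bytes.
func certBody(principal string, pub ed25519.PublicKey, nb, na time.Time) []byte {
	var ts [16]byte
	binary.BigEndian.PutUint64(ts[:8], uint64(nb.Unix()))
	binary.BigEndian.PutUint64(ts[8:], uint64(na.Unix()))
	body := append([]byte(principal), 0) // NUL keeps principal and key separable
	body = append(body, pub...)
	return append(body, ts[:]...)
}

// IssueCert is the CA side: bind a principal to a device key for a short TTL.
func IssueCert(caPriv ed25519.PrivateKey, principal string, devicePub ed25519.PublicKey, now time.Time, ttl time.Duration) Cert {
	c := Cert{Principal: principal, DevicePub: devicePub, NotBefore: now, NotAfter: now.Add(ttl)}
	c.CASig = ed25519.Sign(caPriv, certBody(c.Principal, c.DevicePub, c.NotBefore, c.NotAfter))
	return c
}

// VerifyAccess is the resource side. challenge is a fresh random nonce the
// resource handed out for this request; devSig is the device's signature over it.
// Order matters: trust chain, then time window, then proof of possession.
func VerifyAccess(caPub ed25519.PublicKey, c Cert, challenge, devSig []byte, now time.Time) error {
	if !ed25519.Verify(caPub, certBody(c.Principal, c.DevicePub, c.NotBefore, c.NotAfter), c.CASig) {
		return errors.New("certificate not signed by trusted CA")
	}
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return fmt.Errorf("certificate for %q outside validity window", c.Principal)
	}
	if !ed25519.Verify(c.DevicePub, challenge, devSig) {
		return errors.New("proof of possession failed: presenter does not hold the device key")
	}
	return nil
}

// newChallenge returns a per-request nonce so a captured signature cannot be replayed.
func newChallenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for a TPM-resident key
	now := time.Now()
	cert := IssueCert(caPriv, "alice", devPub, now, 10*time.Minute)

	ch := newChallenge()
	fmt.Println("fresh cert, right device:", VerifyAccess(caPub, cert, ch, ed25519.Sign(devPriv, ch), now))
	fmt.Println("same cert an hour later: ", VerifyAccess(caPub, cert, ch, ed25519.Sign(devPriv, ch), now.Add(time.Hour)))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // has a copy of the cert, but not the device key
	fmt.Println("copied cert, wrong key:  ", VerifyAccess(caPub, cert, ch, ed25519.Sign(otherPriv, ch), now))
}
```

The point of the three checks is the contrast with the MFA quote above: nothing the user presents is reusable on its own. The certificate is public and expires in minutes, the nonce is single-use, and the only long-lived thing is a key that the hardware refuses to export, so a copied certificate or a replayed signature buys nothing.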

I particularly liked the sub-chapter named Security Versus Convenience. It states a well-known fact: users tend to cut corners if an access control system (or any process, for that matter) is too restrictive:

Therefore, we can conclude that an infrastructure access system is only secure if the engineering team actually loves using it.

Throughout the book the authors hammer home the point that secrets are bad and digital certificates should be used instead, dive into Zero Trust, and mix complex and easy topics. So what do I think about the book?

Retelling of basics

This book is not for me. After nearly a decade in cybersecurity, I did not learn anything I did not already know. Some concepts were explained much better than how I first learned them, and I did find value in exploring the idea of identity-native access management. But the useful parts felt like they could have been compressed into a ten-page article.

The book was largely a retelling of basics for me. The authors go over:

  • Identity
  • Cryptography
  • Zero Trust
  • Authentication
  • Authorization
  • Auditing

with a slightly lower level of detail than the official CISSP book does. In my opinion, there isn’t much difference between reading this book and prepping for the CISSP.

The concept of identity-native infrastructure access and the use of Teleport to demonstrate how it can work in practice were the main value adds from my point of view. I will play around with Teleport myself after reading this book out of interest.

Summary

Identity keeps coming up as the main security concern these days, especially in SecOps where almost every alert ties back to an account or a privilege somewhere. Even though identity has never been the most exciting topic for me, I picked up Identity Native Infrastructure Access Management to finally give it a proper look.

The book pushes the idea of getting rid of secrets and moving toward a model that relies on biometrics, hardware-backed keys, and short-lived certificates instead of passwords. While the core concept of identity-native access and the example of Teleport were interesting, most of the book felt like a recap of fundamentals I already know. Useful in parts, but it could have been a much shorter read.

Rating

For me this book is a 3/10.

Mind you, this is an entirely subjective rating that reflects how much I got out of the book. I do not think professionals who already have a CISSP or similar will get much from it beyond the concept of identity native access management and maybe Teleport. Certain concepts are explained very well, but none of them are groundbreaking or likely to change how I work. Overall, I did not learn anything substantial from reading this book.


Discover more from SecOps at home