Discordian Cybersecurity

🔑 Access Control: Trust No One (ESPECIALLY Yourself)

Zero Trust: Not Paranoia, Just Mathematics With Audit Trails

Think for yourself. "Trust but verify" is corporate bullshit. Here's reality: JUST VERIFY. AWS Identity Center SSO, MFA on EVERYTHING, 90-day dormant account purges, classification-driven access matrices. Are you paranoid enough? The attackers are.

Nothing is true. Everything is permitted. Except access without multi-factor auth, authorization, and comprehensive logging. "Zero trust" isn't paranoia—it's acknowledging that the network perimeter dissolved in 2010 and pretending otherwise is security theater. FNORD.

At Hack23, access control isn't vibes—it's AWS Identity Center SSO (centralized auth or GTFO), 100% MFA coverage (no exceptions, not even for you), 90-day dormant account reviews (forgotten credentials = future breach), classification-driven access matrices per Classification Framework (extreme assets get extreme controls). Semi-annual policy reviews (next: 2026-02-20) because access patterns change. Version 2.2 (effective: 2025-08-20) because we iterate on failures.

Illumination: Trust is a VULNERABILITY. Verification is a CONTROL. AWS Identity Center + mandatory MFA = verification at scale. The panopticon for identities works better when everyone knows they're watched. Choose systematic paranoia over comfortable naivety.

Zero trust principles + enterprise-grade identity management + single-person company transparency = proof that systematic access control scales from solo operations to enterprise. Full technical paranoia in our public Access Control Policy. Because obscurity isn't security—it's hope wearing a trench coat.

Five Reasons "Trust But Verify" Is Half Wrong (Hint: Skip The Trust Part)

"Zero trust" sounds paranoid? GOOD. Paranoia is pattern-matching reality. Here's systematic implementation for psychonauts:

1. 🔐 Verify Every Request (Yes, EVERY)

AWS Identity Center SSO + MFA on EVERYTHING. No trust. No "you're on VPN so chill." No "but it's just dev." EVERY request challenged. ALWAYS. 100% MFA coverage monitored real-time. Hardware MFA for critical (AWS root, financial—YubiKey or bust). TOTP for high (dev pipeline—Authy works). Platform native for public (marketing—built-in is fine). The network perimeter is DEAD. Long live identity verification.

The "zero" in zero trust is LITERAL. Network location = meaningless. VPN = encrypted untrust. Identity Center SSO = identity IS the perimeter. MFA = proof you're you. Are you paranoid enough to challenge yourself? FNORD.

2. 📋 Classification-Driven Access (Not All Data Is Equal)

Access matrix aligned with Classification Framework. Extreme assets (AWS core infra) = Identity Center + hardware MFA + 4-hour timeout + MONTHLY reviews. Very High (financial) = provider MFA + 1-hour timeout + monthly reviews. High (dev pipeline) = platform MFA + 8-hour timeout + quarterly reviews. Moderate = 24-hour timeout + semi-annual reviews. Public = 7-day timeout + annual reviews. Data criticality drives EVERYTHING.

One-size-fits-all access = security through laziness. Financial systems need monthly reviews. Marketing needs annual. Classification = risk-based paranoia. Choose appropriate controls or choose eventual breach.

3. ⏰ 90-Day Dormant Account Purges (Forgotten Access = Future Breach)

Automated detection, manual validation, ruthless deprovisioning. Accounts unused >90 days = flagged WEEKLY. Target: ZERO dormant accounts (not "low," ZERO). Real-time alert the moment that target is breached. Dormant accounts are privilege creep waiting to be exploited by that one contractor who left in 2019 but still has AWS console access. Weekly monitoring prevents archaeology from becoming an attack vector.

Dormant accounts are Schrödinger's backdoors—both compromised and fine until observed during incident response. 90-day reviews = systematic access hygiene. Annual cleanups = admitting you forgot for 364 days.

4. 🔄 Semi-Annual Policy Reviews (Because Threats Don't Wait)

Version 2.2 (Effective: 2025-08-20). Next review: 2026-02-20. Policies reviewed TWICE annually (not once, TWICE). Review triggers: scheduled cycle, regulatory changes (GDPR/NIS2), incidents, org changes, AWS updates. Living documentation that adapts. Not archaeological PDFs gathering digital dust. Static policies in dynamic threat landscape = eventual irrelevance.

Semi-annual reviews = acknowledging reality changes. AWS launches new services. Attackers find new techniques. Compliance requirements shift. Your access policy from 2019? Archaeological artifact, not security control.

5. 📊 Audit Logging EVERYTHING (The Panopticon Is Real And It's Made Of CloudTrail)

AWS CloudTrail + Identity Center logs + GitHub audit logs. WHO accessed WHAT, WHEN, from WHERE. Audit trails for EVERY privilege escalation. Logs retained per classification policy. Logging without alerting = security theater. Logs you don't review = data hoarding pretending to be security. Logs that don't lead to action = compliance checkbox wasting storage.

Audit trails = incident response fuel. No logs = no investigation = no attribution = no lessons learned. CloudTrail + centralized logging = systematic accountability. The panopticon works best when subjects know it exists. FNORD.
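As an added illustration (not Hack23's code or tooling), here is what reviewing those logs can look like: a Python check over constructed CloudTrail-style ConsoleLogin records that flags interactive root use, console logins where MFAUsed is not "Yes", and the "5+ failures in 15 minutes" burst from the metrics further down. The field names follow CloudTrail's ConsoleLogin record; the login helper, the user names and every event are constructed for this example.

```python
# Added example (not Hack23's code): audit constructed CloudTrail-style ConsoleLogin
# records for root usage, logins without MFA, and 5+ failures inside 15 minutes.
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                  # "5+ failures in 15 minutes" from the metrics list
FAIL_WINDOW = timedelta(minutes=15)


def login(t, who, mfa, result):
    """Build a constructed ConsoleLogin record using CloudTrail's field names."""
    ident = {"type": "Root"} if who == "root" else {"type": "IAMUser", "userName": who}
    return {"eventName": "ConsoleLogin", "eventTime": t, "userIdentity": ident,
            "additionalEventData": {"MFAUsed": mfa}, "responseElements": {"ConsoleLogin": result}}


# Constructed sample log: one clean login, root used interactively, a login with no
# MFA, and a burst of failed attempts against one user.
EVENTS = [
    login("2025-08-20T08:00:00Z", "alice", "Yes", "Success"),
    login("2025-08-20T08:05:00Z", "root", "Yes", "Success"),
    login("2025-08-20T09:00:00Z", "bob", "No", "Success"),
] + [login(f"2025-08-20T10:{m:02d}:00Z", "mallory", "No", "Failure") for m in (0, 3, 6, 9, 12)]


def principal(ev):
    ident = ev["userIdentity"]
    return "root" if ident["type"] == "Root" else ident.get("userName", "unknown")


def audit_console_logins(events):
    """Return (finding, principal) pairs; a principal gets the burst finding at most once."""
    findings = []
    failures = defaultdict(list)    # principal -> failure timestamps inside the current window
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventName") != "ConsoleLogin":
            continue
        who = principal(ev)
        success = ev["responseElements"]["ConsoleLogin"] == "Success"
        if success and who == "root":
            findings.append(("root_console_login", who))    # root is not for daily operations
        if success and ev["additionalEventData"].get("MFAUsed") != "Yes":
            findings.append(("login_without_mfa", who))     # breaks the 100% MFA target
        if not success:
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            failures[who] = [t for t in failures[who] if ts - t < FAIL_WINDOW] + [ts]
            if len(failures[who]) >= FAIL_THRESHOLD and ("failed_auth_burst", who) not in findings:
                findings.append(("failed_auth_burst", who))
    return findings
```

Feeding real CloudTrail JSON in means reading the `Records` array and passing each element through `audit_console_logins` unchanged; the sliding window keeps only failures younger than 15 minutes, so five failures an hour apart never trip the alert.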

Classification-Driven Access Control Matrix

Access privileges aligned with our Classification Framework business impact analysis:

Asset Category | Classification | MFA Requirement | Session Timeout | Review Frequency
--- | --- | --- | --- | ---
☁️ AWS Core Infrastructure | 🔴 Extreme | Identity Center SSO + Hardware MFA | 4 hours | Monthly
💰 Financial Systems | 🟠 Very High | Provider MFA + IdP + Hardware/SMS | 1 hour | Monthly
📝 Development Pipeline | 🟡 High | Platform MFA + TOTP + SSH Keys | 8 hours | Quarterly
📊 Business Intelligence | 🟢 Moderate | SSO Integration + TOTP | 24 hours | Semi-Annual
📢 Marketing Platforms | ⚪ Public | Platform Native MFA | 7 days | Annual

Access Control Metrics (Real-Time Monitoring):

  • MFA Coverage: Target 100%, alert threshold <100%, real-time monitoring
  • Dormant Accounts: Target 0, unused >90 days, weekly reviews
  • Failed Authentication: Alert on 5+ failures in 15 minutes (potential attack)
  • Privilege Escalation: All changes logged and reviewed monthly
  • Session Violations: Automatic logout on timeout (no extensions)

META-ILLUMINATION: Classification-driven access means privileges match risk. Extreme assets get extreme controls. Public assets get reasonable controls. Not all systems need hardware MFA—but all need appropriate controls.
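An added example (not Hack23's code) that applies the matrix and the metrics above to a constructed account inventory: it computes MFA coverage, flags accounts idle for more than 90 days, reports accounts whose MFA method falls below their classification, and enforces the per-classification session timeout. The MFA strength ranking, the reading of each matrix row as a minimum method, and the account names and dates are assumptions made for this example.

```python
# Added example (not Hack23's code): classification-driven checks over a constructed
# account inventory, using the timeouts and the 90-day dormancy rule from the page.
from datetime import datetime, timedelta

# MFA methods ranked weakest to strongest (assumed ordering, not from the page).
MFA_TIER = {"none": 0, "sms": 1, "platform": 2, "totp": 3, "hardware": 4}
# Classification -> (minimum MFA method, session timeout); my reading of the matrix.
MATRIX = {
    "extreme":   ("hardware", timedelta(hours=4)),
    "very_high": ("hardware", timedelta(hours=1)),
    "high":      ("totp",     timedelta(hours=8)),
    "moderate":  ("totp",     timedelta(hours=24)),
    "public":    ("platform", timedelta(days=7)),
}
DORMANT_AFTER = timedelta(days=90)
NOW = datetime(2025, 8, 20)   # fixed "now" so the example is reproducible

# Constructed inventory: (account, classification, MFA method in use, last activity).
ACCOUNTS = [
    ("aws-admin",     "extreme",   "hardware", "2025-08-19"),
    ("stripe-ops",    "very_high", "totp",     "2025-08-18"),   # hardware required, TOTP in use
    ("ci-deployer",   "high",      "totp",     "2025-04-01"),   # untouched for well over 90 days
    ("bi-reader",     "moderate",  "none",     "2025-08-10"),   # no MFA at all
    ("social-poster", "public",    "platform", "2025-08-15"),
]


def access_report(accounts, now=NOW):
    """MFA coverage, dormant accounts and MFA-below-classification, plus an alert flag."""
    report = {"mfa_coverage": 1.0, "dormant": [], "mfa_below_classification": []}
    with_mfa = 0
    for name, cls, mfa, last in accounts:
        required, _timeout = MATRIX[cls]
        if MFA_TIER[mfa] > 0:
            with_mfa += 1
        if MFA_TIER[mfa] < MFA_TIER[required]:
            report["mfa_below_classification"].append(name)
        if now - datetime.strptime(last, "%Y-%m-%d") > DORMANT_AFTER:
            report["dormant"].append(name)
    if accounts:
        report["mfa_coverage"] = with_mfa / len(accounts)
    # Targets from the metrics list: 100% coverage and zero dormant accounts.
    report["alerts"] = report["mfa_coverage"] < 1.0 or bool(report["dormant"])
    return report


def session_expired(classification, started_iso, now=NOW):
    """Classification-driven timeout with no extensions: past the limit, the session ends."""
    return now - datetime.fromisoformat(started_iso) >= MATRIX[classification][1]
```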

Multi-Factor Authentication: Not Optional, Not Negotiable

MFA isn't optional. Passwords alone are security theater. At Hack23, we enforce MFA across all systems with classification-appropriate methods:

🔐 MFA Implementation by System Type:

  • AWS Root Account: Hardware MFA (YubiKey) + recovery codes in secure vault. Never used for daily operations (Identity Center SSO instead).
  • AWS Identity Center: Identity provider MFA + SSO. Central authentication point for all AWS accounts.
  • GitHub Organizations: TOTP required (Authy/Google Authenticator) + SSH keys for git operations. Security keys supported.
  • Financial Systems: Provider MFA (Stripe, payment gateways) + hardware/SMS backup. Monthly access reviews.
  • Development Tools: Platform-native MFA (SonarCloud, Snyk, FOSSA). TOTP preferred, SMS acceptable.
  • Marketing Platforms: Platform-native MFA. Annual reviews sufficient for public-classified systems.

The Five Factors of Not Getting Pwned:

  • Something you know (password) — Easily stolen, phished, guessed. Never used alone.
  • Something you have (hardware token) — YubiKey for AWS root. Better than SMS, losable but replaceable.
  • Something you are (biometric) — Not used (can't change if compromised, privacy concerns).
  • Somewhere you are (geolocation) — IP addresses lie. Not relied upon for authentication.
  • Something you do (behavior patterns) — ML-based, fallible but useful for anomaly detection.

Use at least two factors. Three is better for critical systems (AWS Identity Center = IdP password + IdP MFA + SSO). One factor is negligence.

Welcome to Chapel Perilous: Access Control Is Authority Control

Nothing is true. Everything is permitted. Except access without identity verification, classification-appropriate MFA, and systematic audit logging—that's not zero trust, that's zero security.

Most organizations claim "zero trust" while running VPN-based perimeter security. They say "MFA required" but allow SMS fallback for everything. They perform annual access reviews when quarterly is minimum. They trust network location instead of identity verification.

We implement zero trust through systematic controls. AWS Identity Center SSO for centralized identity management. 100% MFA coverage with classification-appropriate methods (hardware for critical, TOTP for high, platform native for public). 90-day dormant account reviews with weekly monitoring and zero-tolerance targets. Semi-annual policy reviews (Version 2.2, next review: 2026-02-20). Classification-driven access matrix aligning privileges with business impact.

Think for yourself. Question "trust but verify" dogma—just verify. Question why password-only access is acceptable—it's not. Question annual access reviews when dormant accounts create risk daily. (Spoiler: Because systematic access control requires operational discipline, not annual compliance theater.)

Our competitive advantage: We demonstrate cybersecurity consulting expertise through verifiable access control implementation. Public Access Control Policy with specific metrics. AWS Identity Center architecture documented. MFA enforcement demonstrable. 90-day review cycles automated. This isn't theoretical—it's operational reality clients can audit before engagement.

ULTIMATE ILLUMINATION: You are now in Chapel Perilous. Access control is authority control. Who gets access defines who has power. Systematic verification prevents unauthorized power. Choose identity-centric security over network-centric hope. Your incident response depends on it.

All hail Eris! All hail Discordia!

Read our full Access Control Policy on GitHub. Public. Auditable. Zero bullshit. With specific MFA requirements, session timeouts, review frequencies, and access control matrices clients can verify.

— Hagbard Celine, Captain of the Leif Erikson

"Trust is a vulnerability masquerading as a feature. Zero trust through identity verification is security through mathematics."

🍎 23 FNORD 5