Navigating the Labyrinth of RBAC and Access Keys 

As federal organizations continue building services on cloud providers and deploying to container orchestration platforms, virtual servers, or physical hardware, securing access to cloud resources is crucial. There are two common methods for access control: RBAC (Role-Based Access Control) and access keys. Access keys need to be rotated every six months, or whatever cadence the organization has set. That process can be automated but is painful, and if not done properly, it can lead to an incident. Depending on the number of keys, it can become burdensome for teams. As noted by Zscaler, 28 percent of access was through keys instead of roles or groups within AWS. Can we use RBAC to mitigate these pain points? 

RBAC works similarly to access keys in the sense that it generates session tokens for applications or users to access resources. The fundamental differences lie in how RBAC and access keys are implemented. With access keys, you generate a static access key ID and secret access key to be used by the application(s). These keys are either injected into the application environment during setup and retrieved by the application on boot, or fetched at runtime from a secret store. Because of this, rotating access keys commonly means restarting the application after the new keys are created. RBAC roles, by contrast, are attached to software entities. Once the role is attached, the entity can access the resources the role defines. Because the role is attached to the software entity, there are no keys to rotate. 

Access keys are usable by anyone who has their values. Leaking these sensitive secrets can lead to financial loss, unauthorized access, data breaches, and much more. Because these keys are static and humans make mistakes, there have unfortunately been countless situations where engineers used access keys while developing software and accidentally committed them to source control. Exposure of these secrets to anyone outside the scope of the application poses a security risk: should a bad actor discover the keys, they might be able to access the systems intended for the target application. Thousands of secrets have been discovered in source control repositories like GitHub. The longer these keys go undetected, the greater the risk that they have been compromised, which is one reason periodic rotation of access keys is a proactive measure. As a matter of fact, up to 50% of access keys are not rotated periodically.  
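As an added example (not part of the original post), the following Python parses an IAM credential report of the kind `aws iam get-credential-report` returns and flags every active access key that has outlived a rotation cadence. The report rows and the reference date `EXAMPLE_NOW` are constructed for this example; the sample keeps only a subset of the report's columns, using the column names AWS publishes.

```python
"""Flag IAM user access keys that have outlived a rotation cadence.

Added example, not code from the original post. It reads the CSV that the
IAM credential report produces (`aws iam generate-credential-report`, then
`aws iam get-credential-report`) and lists every active access key whose
`access_key_N_last_rotated` timestamp is older than the chosen cadence.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report: three IAM users, two access-key slots each.
# Only a subset of the real report's columns is kept; names match AWS's.
SAMPLE_REPORT = """\
user,arn,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,true,2023-01-15T10:00:00+00:00,false,N/A
batch-uploader,arn:aws:iam::123456789012:user/batch-uploader,true,2024-05-01T08:30:00+00:00,true,2023-11-20T12:00:00+00:00
<root_account>,arn:aws:iam::123456789012:root,false,not_supported,false,not_supported
"""

# Constructed reference date so the example is reproducible offline.
EXAMPLE_NOW = datetime(2024, 7, 1, 12, 0, tzinfo=timezone.utc)

# Placeholder values AWS uses when a field does not apply to a row.
_NOT_A_TIMESTAMP = {"", "N/A", "no_information", "not_supported"}


def _parse_ts(value):
    """Return an aware datetime for an ISO-8601 field, or None for placeholders."""
    if value in _NOT_A_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def stale_access_keys(report_csv, now, max_age_days=180):
    """Return (user, key_slot, age_in_days) for active keys older than the cadence.

    Inactive keys and slots without a rotation timestamp are skipped; an
    inactive key cannot be used, so it is not a rotation finding.
    """
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age_days = (now - rotated).days
            if age_days > max_age_days:
                stale.append((row["user"], slot, age_days))
    return stale


if __name__ == "__main__":
    # Six-month cadence, as the post describes; prints two findings.
    for user, slot, age in stale_access_keys(SAMPLE_REPORT, EXAMPLE_NOW):
        print(f"{user}: access key {slot} last rotated {age} days ago")
```

Pointing the same function at a live report highlights which users still depend on static keys and are candidates for moving to roles.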


RBAC roles are attached directly to the entities and have no static keys, so they inherently need no secret rotation cadence. Depending on the software deployment architecture, you can attach roles to the application as granularly as you like. For virtual servers like EC2, you can attach the role to the instance itself. For Kubernetes clusters, you can attach IAM roles to Kubernetes Service Accounts through RoleBindings and OIDC (OpenID Connect). RBAC's attachment to the software entities prevents misuse by unauthorized parties. 

Federal organizations have unique security requirements and compliance regulations that necessitate strict access control measures. By adopting RBAC, these organizations can ensure that only authorized personnel can access sensitive data and resources. RBAC allows for creating roles based on job functions, making it easier to manage access rights across large organizations with complex hierarchies. 

When implementing RBAC in federal organizations, it is essential to consider the following best practices: 

  1. Conduct a thorough analysis of job functions and access requirements to define roles accurately. 
  2. Assign roles based on the principle of least privilege, granting only the minimum access rights necessary for individuals to perform their duties. 
  3. Regularly review and update roles to ensure they align with changing organizational requirements and personnel changes. 
  4. Implement a robust audit trail to monitor and log all access attempts and activities associated with each role. 
  5. Provide comprehensive training to employees on RBAC policies and their responsibilities in maintaining the security of the organization’s resources. 

By adopting RBAC, federal organizations can reap several benefits, including: 

  1. Enhanced security: RBAC ensures that access to sensitive data and resources is strictly controlled, reducing the risk of unauthorized access and data breaches. 
  2. Improved compliance: RBAC helps federal organizations meet regulatory requirements, such as FISMA and NIST, by providing a framework for managing access control. 
  3. Increased efficiency: With RBAC, access management becomes more streamlined, reducing the administrative overhead associated with managing individual access key permissions.
  4. Better scalability: As federal organizations grow and evolve, RBAC allows for the easy addition of new roles and the modification of existing ones, ensuring that access control remains effective and efficient. 

In conclusion, RBAC offers a more secure and efficient alternative to access keys for federal organizations looking to secure their cloud resources. By implementing RBAC, organizations can mitigate the risks associated with static access keys, such as accidental exposure and the need for frequent rotation. RBAC provides granular access control, allowing organizations to assign roles based on job functions and adhere to the principle of least privilege. By adopting RBAC best practices and leveraging its benefits, federal organizations can enhance their security posture, improve compliance, and streamline access management processes. 

References

The 2020 State of Cloud (In)Security 

Governance at scale: Enforce permissions and compliance by using policy as code 

3 Ways to Reduce the Risk from Misused AWS IAM User Access Keys 

Over 100,000 GitHub repos have leaked API or cryptographic keys 

What happens when you leak AWS credentials and how AWS minimizes the damage 

Reducing the Risk from Misused AWS IAM User Access Keys 


Part 6 Turning Theory to Practice: Applying the Cost-Capability Matrix 

Fundamentally, the matrix highlights crucial tradeoffs between innovation costs, risks, and performance spanning maturity horizons – signaling avenues for judicious investment. Cost-conscious leaders can identify commoditizing solutions balancing savings and customizability for budget optimization. Forward-thinkers ascertain emerging capabilities showing traction for adoption tailoring and scale. Visionaries pinpoint pioneering advances aligning to long-term roadmaps.  

Still, leaders rightfully ask – how does conceptual modeling enhance real decision-making? Simply put, the matrix provides a valuable framing tool guiding objective debates and trade-off analyses for capability planning and investments. 

Want to read the rest of the Series?

Part 1 | Intro to the Cost Capability Matrix
Part 2 | Assessing the Cost-Capability Tradeoff, Quadrant 1 – Consumables
Part 3 | Navigating the Cutting Edge: Investing in Specialized Innovation, Quadrant 2 – White Elephants
Part 4 | Calibrating Capabilities and Costs for Widespread Adoption, Quadrant 3 – High Value
Part 5 | Exploring Uncharted Frontiers: Investing in Pioneering Innovation, Quadrant 4 – High Demand/Low-Density Workhorses


Consider bottom-up and top-down dynamics. Frontline units closest to application contexts best understand flexible tactical requirements. However, higher authorities maintain broader strategic perspectives and scaled priorities. By plotting specific capability solutions on the matrix, stakeholders can clearly visualize investments through different lenses – surfacing disconnects between local and centralized vantage points. This enriches discourse on optimizing decisions factoring in customized agility, commoditized economies, and specialized innovation. 

Furthermore, positioning existing and emerging capabilities on the matrix quickly indicates maturity levels, adoption risk, required investment, and adjacent possibilities useful for planning. Capability clusters become apparent. Targeting gaps and development opportunities grow more systematic. Roadmaps stabilize balancing short and long-term activities. 

Real world example: Small Arms Ranges Cost & Capability Matrix

In the USAF, we managed all the USAF Firing Ranges. To help us understand our portfolio, we plotted each range type using a cost and capability matrix. Figure 1 shows how the range type aligns with the doctrine statement of “train as we fight.” Figure 2 shows how the range types align based on their impact on life, health, and safety issues. As you can see, we had some white elephants, consumables, and high-value assets. We used these findings to help answer which range configuration gave us the best bang (pun intended) for our taxpayer buck. What is apparent is the importance of finding the real estate needed to operate Non-Contained Impact (NCI) ranges (aka full distance ranges). From a health perspective, we also asked which range configuration had the least health issues for range operators. Again, the NCI range type is the range configuration that impacts range operators’ health the least. There are a lot of other questions we can ask, too.

Leaders can also easily re-plot capabilities against adjusted axes as constraints shift. For instance, legal changes altering risk tolerance might expand viable spaces warranting investment in pioneering advances. Budget fluctuations would signal adjustment of targeted maturity levels. New evaluations prompt iterative alignment to evolving contexts. 

Ultimately, no universal technology prescription exists, given the unique constraints organizations face. However, as a thinking aid, the cost-capability matrix proves invaluable for centering complex debates regarding multi-horizon innovation. The clarity introduced by visually bounding feasible spaces fosters dialogue, surfaces assumptions, and focuses data-driven decision quality. With insights unlocked by this approach, leaders gain confidence in optimizing capability decisions and balancing priorities across tactical needs, strategic direction, and visionary possibilities. 

The matrix thereby enables translating conceptual frameworks into enhanced real-world technology outcomes. By encouraging systematic evaluations factoring short- and long-term costs, risks, and payoffs, leaders make progress in navigating the daunting innovation possibility space through incremental steps that sequentially raise organizational maturity. No single revelation reveals all answers – just an effective compass grounded in objective trade-off analysis pointing the way forward. 

Download Key Actions & Matrix Worksheet.

Elevating Digital Accessibility: A Closer Look at Enhanced Federal Compliance with Section 508

In the digital age, ensuring that technology serves everyone equitably is not just a noble goal—it’s a legal requirement for federal agencies. Section 508 of the Rehabilitation Act mandates that all electronic and information technology developed, procured, maintained, or used by federal agencies must be accessible to people with disabilities. This law aims to eliminate barriers in information technology, opening new avenues for people with disabilities to obtain information and engage with their government.

Recent developments signal a pivotal shift in how federal agencies approach Section 508 compliance. The Office of Management and Budget (OMB), in collaboration with the General Services Administration (GSA) and the U.S. Access Board, unveiled a landmark guidance in December, detailed in OMB Memo M-24-08. This guidance is not merely an update; it’s a clarion call for a more inclusive digital government.

The memo outlines enhanced expectations and accountability, urging agencies to place accessibility at the heart of digital governance. Among the pivotal components of the new guidance are:

  • Leadership and Accountability: Agencies are now required to appoint a dedicated program manager to spearhead and monitor digital accessibility efforts.
  • Expert Involvement: The integration of accessibility subject matter experts into the acquisition process ensures that new Information and Communications Technology (ICT) adheres to accessibility standards from the outset.
  • User-Centric Design: Including individuals with disabilities in user groups for digital product design and testing enriches the user experience for everyone.
  • Proactive Compliance: Agencies must regularly scan and monitor web content for accessibility, promptly addressing any deficiencies.
  • Ongoing Education: The mandate for regular training on Section 508 and digital accessibility aims to foster a culture of inclusivity.

These enhancements come in response to mixed results in 508 compliance across agencies. A February 2023 report by the Department of Justice and GSA underscored the need for additional support and resources, reflecting on insights from a comprehensive 2012 survey.

“Accessibility must be incorporated, unless an exception applies, from the very beginning of the design and development of any digital experience and integrated throughout every step of the ICT lifecycle, including qualitative and inclusive research, feature prioritization, testing, deployment, enhancements, and maintenance activities,” the memo states. (Exceptions are detailed in the Standards under E202 General Exceptions.)

A Future of Inclusive Digital Services

Anticipating the road ahead, the GSA and the Access Board are finalizing a government-wide Section 508 assessment for 2024. This effort, expected to roll out in phases from spring to fall, aims to gather detailed insights into agency practices and challenges. Kristin Smith-O’Connor of the GSA shared with ExecutiveGov, “We are refining and honing our approach, ensuring that the upcoming changes, while not drastic, will significantly contribute to our collective goal of a fully accessible federal digital landscape.”

Agencies are encouraged to lean on the resources available on Section508.gov. This platform strives to be a comprehensive resource, offering guidance, best practices, and compliance testing tools. Additionally, the OMB memo directs the GSA and the Access Board to broaden Section 508 certification and training opportunities, enhancing the capabilities of federal employees to champion digital accessibility.

Enhancing Accessibility Now and in the Future

When navigating the complexities of Section 508 compliance, consider rigorous testing using tools like WAVE, Axe, and Lighthouse to identify and rectify common accessibility issues. However, recognizing the limitations of automated tools, consider augmenting them with manual evaluations, including keyboard navigation and screen reader compatibility tests. The combination of these efforts is guided by the Web Content Accessibility Guidelines (WCAG), ensuring your services remain aligned with legal requirements and best practices.

Yet, the journey towards universal accessibility is ongoing. Despite significant strides, the path forward requires continuous effort, innovation, and collaboration. We celebrate the government’s initiative to demystify Section 508 compliance, and we remain hopeful for more actionable guidance to emerge, fostering an environment where digital accessibility is not just a compliance requirement but a cornerstone of public service.

Barry Lawrence is a Senior Communication Program Manager for Highlight. The opinions expressed in this blog are his own and reflect a commitment to fostering a more accessible digital world for all Americans.

Part 5 | Exploring Uncharted Frontiers: Investing in Pioneering Innovation, Quadrant 4 – High Demand/Low-Density Workhorses 

Progress relies on bold organizations pushing boundaries with pioneering inventions redefining entire paradigms. But charting new frontiers carries immense risks, demanding exceptional discernment balancing long-term strategic necessity against short-term fiscal realities. Let’s take a deeper look at this problem through our cost and capability matrix, looking at our final quadrant. 

Did you miss the rest of the series?

Part 1 | Intro to the Cost Capability Matrix
Part 2 | Assessing the Cost-Capability Tradeoff, Quadrant 1 – Consumables
Part 3 | Navigating the Cutting Edge: Investing in Specialized Innovation, Quadrant 2 – White Elephants
Part 4 | Calibrating Capabilities and Costs for Widespread Adoption, Quadrant 3 – High Value

Insights into High-Demand/Low-Density Workhorses  

Quadrant 4 contains complex customized solutions with enormous price tags and broad flexibility catering to a niche, specific application with a wide range of diverse capabilities. These genesis innovations pioneer entirely new concepts while custom-built offerings address unique constraints through specialized tailoring. Think Lockheed Martin F-35 Lightning II, VR headsets in their infancy before standardized designs, self-driving vehicles under current R&D lacking widespread production, or conceptual Mars colonization capabilities. 

The audiences drawn to Quadrant 4 accept significant expense and uncertainty in exchange for unprecedented capabilities mapping uncharted territory. By nature, the limited scale of these innovations prevents cost efficiencies and flexibility of eventual commoditized alternatives. But the tradeoff offers opportunities to pursue mind-bending breakthroughs unencumbered by commercial viability constraints – for those strategists with patience and fortitude to endure. 

For leaders balancing pragmatic investments against exploring uncharted frontiers, three guidelines apply when engaging emerging innovations well before their benefits trickle down:   

  • Anchor on Aligned Vision 
    Scattered moonshots waste resources. Prioritize game-changing innovations aligning to strategic roadmaps and unique constraint drivers before appraising exotic alternatives. 
  • Embrace Iterative Agility 
    Rigorous yet nimble road mapping reduces the risks of backing dated designs. Modular architectures, iterative testing, and flexible requirements sustain competitiveness through ongoing evolution. 
  • Forge Tight Feedback Loops   
    User-centric co-design and close developer collaboration maximize real-world value and application. Rapid concept testing surfaces must-have use cases earlier.   

Make no mistake: the vast majority of cutting-edge inventions never progress beyond this high-risk, high-cost quadrant. However, for select innovations promising unprecedented paradigms aligned to institutional ambitions, the immense initial expenses and semi-narrow flexibility prove acceptable tradeoffs. With patient, disciplined strategies balancing focused innovation investments against quick-win solutions, leaders can judiciously support pioneering development while ensuring affordable access to new capabilities at the opportune moment. 

Of course, what constitutes an acceptable tradeoff depends heavily on the observer. While pragmatic key stakeholders naturally orient toward proven capabilities and fiscal prudence, visionary strategists think bigger – prioritizing long-term possibilities over short-term savings. Both mindsets have merits. The key lies in analyzing decisions through multiple lenses, accounting for all perspectives – including the end vision, interim milestones, and must-have capabilities that ultimately determine what constitutes value. 

Practical Application  

Analyzing pioneering innovations in an organization’s portfolio through the lens of Quadrant 4 reveals just how many exploratory moonshots fail to materialize capabilities or strategic outcomes warranting prolonged investment at scale. This grounding assessment highlights expensive genesis projects and custom builds outpacing actual user needs or lagging in real-world viability. Plotting existing bleeding-edge initiatives on the matrix provides perspective on which demand vision over validation, enabling recalibration around innovations demonstrating clearer progression from novelty towards necessity. Leaders can periodically evaluate Quadrant 4 investments against strategic alignment, opportunity costs, and upside optionality relative to risk to determine if pressing forward or pivoting resources makes sense given competing priorities. 

Questions a leader should consider: 

  • How clearly do our pioneering innovation investments map to long-range strategic vision, priorities, and constraint scenarios vs isolated speculative curiosity?  
  • Have we established rigorous stage gate criteria assessing when to continue or sunset high-risk exploratory initiatives based on demonstrated applicability? 
  • What level of recurring cost, over what time horizon, should require validated success for the various genres of bleeding-edge moonshots we pursue? 
  • Where can we employ rapid prototyping and user co-creation to accelerate insights on utility earlier before overinvesting in custom innovations lacking validated market fit?   
  • To what extent do our custom innovation architectures allow for modular refresh, interoperability, and future adaptation, minimizing sunk costs as paradigms shift? 
  • Which lower-risk existing alternatives or incremental improvements could partially fulfill niche needs in the interim before specialized quadrant 4 capabilities mature?  
  • At what thresholds of stretching accuracy in long-term future forecasting should leaders demand evidence of clearer market signaling before allocating resources to extremely customized boutique solutions? 

Asking these challenging questions introduces essential rigor, milestones, priority balancing, and runway debates regarding high-cost innovations far removed from practical payoffs. This helps avoid inertia where investments balloon absent defensible strategies for affordability, adoption, and scaling. 

With honest appraisals and robust discourse, wise leaders deliberately choose innovation investments spanning maturity horizons aligned to multi-step strategic roadmaps. Mature capabilities tackle present constraints using economical, commoditized solutions. Advancing innovations address emerging opportunities primed for customizable, scalable adoption. Pioneering moonshots map future frontiers stretched beyond today’s imagination. By intentionally anchoring innovation across time horizons, leaders compound capabilities, shaping tomorrow while mastering today. In the final part of this six-part series, we’ll look at turning the theory into practice by applying the cost-capability matrix.

Part 4 | Calibrating Capabilities and Costs for Widespread Adoption, Quadrant 3 – High Value 

Innovations inevitably transition from bleeding-edge exclusivity to mass-market commodities as improved manufacturing and competition drive down costs. Savvy leaders understand where highly valued capabilities currently sit on this spectrum, ensuring investments target accessible innovations with favorable risk-reward ratios primed for scalable adoption. Let’s take a deeper look at understanding where these innovations fit into the cost vs capability matrix, focusing on quadrant 3. 

Did you miss the rest of the series?

Part 1 | Intro to the Cost Capability Matrix
Part 2 | Assessing the Cost-Capability Tradeoff, Quadrant 1 – Consumables
Part 3 | Navigating the Cutting Edge: Investing in Specialized Innovation, Quadrant 2 – White Elephants

Insights into High Value   

Quadrant 3 represents the commercial sweet spot spanning novel yet increasingly standardized capabilities with expanding mainstream utility. For budget-conscious leaders seeking maximum capability per dollar spent, Quadrant 3 offers optimal bang for the buck – modernized solutions squeezing every bit of value from investments by bridging customizability and economies of scale. 

Whether pursuing technology upgrades or new solution procurement, targeting innovations sliding down adoption curves unlocks the best of both worlds – substantial capability advancement at palatable price points minimized through commodification. Building in customizability broadens the applicability of the system to wider use cases to extract full utility from existing investments. 

Moreover, commoditizing innovations through flexibility and customization provides organizational agility to tailor solutions perfectly with specific requirements. The savings accrued from maximizing adoption lifetime value frees up funds for additional capability enhancements or innovation investments in the future – and creates dynamic advancement built on firm fiscal foundations.  

By proactively targeting solutions transitioning from early niche audiences to mainstream viability, leaders avoid overspending on exotic innovations while sidestepping stagnant antiquation. Instead, real material progress emerges as prudent investments harness commodification’s compounding savings and flexibility dividends to scale organizational capabilities over time systematically. 

The key insight for leaders lies in evaluating emergent capabilities by the trajectory and velocity of their value rather than technical specifications alone. Prioritizing innovations reaching the knee of hockey stick adoption curves allows tapping into explosive demand built on proven multi-context utility. 

With appetites for sophisticated new functionalities balanced against moderate risk tolerances, early adopters validate solutions demonstrating burgeoning market viability. Take smartphones transitioning from luxury to essential, streaming proliferating beyond early niche followers, and solar energy expanding from eco-enthusiasts to cost-conscious households. In each case, engineering and positioning transformed exotic innovations into flexible mass-market commodities traded on improving price-performance ratios.   

Practical Application  

Plotting existing capabilities against Quadrant 3 allows leaders to identify emerging innovations ripe for adoption and scale. Analyzing through this lens highlights solutions fit for flexible customization, standardization, and volume deployment – prime targets for maximizing capability bang for the buck. Leaders can assess innovation velocity, utility trajectory, and price elasticity to prioritize commoditizing opportunities on the cusp of explosive hockey stick growth. Comparing organizational solutions against market alternatives re-emphasizes gaps. Anchoring innovation investments to this high-value nexus fuels aggressive capability advancement at minimized price points before niche innovations become exclusionary. 

Questions a leader should consider: 

  • Which emerging innovations demonstrate a clear trajectory towards commoditization that we should evaluate for adoption and scaling? 
  • How could we enhance flexibility, configurability, and customizability in our existing solutions to improve applicability across diverse use cases?  
  • Where do opportunities exist to consolidate contracts around standardized capabilities with multiple vendors to improve purchasing power? 
  • How can we leverage volume licensing, bulk pricing, or other economies of scale to reduce costs further as we broaden the deployment of valuable capabilities? 
  • Do our software development, testing, and release cycles allow rapid integration feedback and new features prioritizing user needs as capabilities commoditize?   
  • How frequently are we testing the market for replacement solutions as existing ones transition from differentiation to commoditization? 
  • What risks of disruption do we face if failing to adopt new high-value commodity solutions prior to reaching the scale ceiling with current ones? 
  • Across stakeholders benefiting from common, scalable capabilities, are governance and funding properly aligned to share responsibility and cost savings? 

Proactively asking these questions focuses technology investments on the dynamic high-value center of the market. This prevents leaving money on the table during invaluable windows when tailored adoption at scale is possible before niches become exclusionary or obsolete. 

Rather than chase exotic innovations or settle for antiquation, alignment to Quadrant 3’s mix of customizability and enlarging scale offers attractive middle paths for optimizing capability growth. Leaders realize the best of both worlds – substantial capability advancement at minimized price points via commodification – by aggressively taking advantage of emerging opportunities. Next, we’ll examine our last quadrant, High Demand/Low-Density Workhorses.