Skip to main content

Day 1 Wrap-up — Identity as the First Perimeter

Mitch Mommers18/05/2026About 2 min

Day 1 Wrap-up — Identity as the First Perimeter

Today we started with identity because identity is often the first security boundary in cloud environments.

Before looking at networks, storage, APIs or compliance, we need to know:

Who or what can do what?

What we covered

Today you worked through this cycle:

Main lessons

1. Workload identities are powerful

A managed identity is not a person, but it can still have permissions.

If an attacker controls the workload, they may be able to use those permissions.

2. Scope changes risk

A role may be acceptable at one scope and dangerous at another.

Contributor on one test resource

is very different from:

Contributor on a full resource group

3. Broad access is not correct access

The backend identity had broad management access, but still lacked the correct data-plane access for Key Vault.

This is the core lesson from Lab 1.2:

too much access in one place
does not mean
the right access in the correct place

4. Least privilege must be tested

A good fix should prove two things:

The legitimate application flow still works.
The risky action is blocked.

In this case:

TestDesired outcome
Backend reads required secretWorks
Backend modifies unnecessary Azure resource metadataFails

5. Zero Trust is a design habit

Zero Trust is not only a product.

It is a way of thinking about access:

explicit
limited
verified
monitored
removable

Final Day 1 model

Screenshot placeholders

Screenshot suggestion

Add a final comparison screenshot or slide.

Suggested content:

  • Before: backend identity had Contributor on resource group
  • After: backend identity has Key Vault Secrets User on Key Vault
  • /api/impact-demo/tag-self: blocked after fix
  • /api/secret-demo: works after fix

This is useful as a closing teaching moment.

Reflection questions

Discuss briefly:

  1. Which permission was too broad?
  2. Why was the scope important?
  3. What did the backend actually need?
  4. Why did Contributor not solve the Key Vault secret access?
  5. How did the fix reduce risk?
  6. What would you monitor after applying this fix?

Bridge to Day 2

Today we reduced who can control the environment.

Tomorrow we look at what is exposed:

  • public access
  • network boundaries
  • storage exposure
  • encryption
  • remaining attack paths

Identity is only the first layer.

The next question is:

Even with better access control, what is still reachable?

Day 1 Challenge

If time allows we have a challenge: Click me!

Contributors: Mitch Mommers