Oblique

Fit access controls to your org, not the other way around | Oblique Groups used for access controls can be based on department, reporting chain, or projects. The right answer is whatever maps best to how your org actually works.

Access controls should map to how your organization works — not the other way around.

Organizations generally grant access based on department, based on reporting chain, and based on projects. Use what works for your org.

oblique.security/blog/org-str...

So privileged to have such an amazing team 💜

And @ericchiang.bsky.social shares how useful he's found go's synctest, not just for speeding up tests, but deterministically test complex functionality like leader election.
oblique.security/blog/go-sync...

Johan walks through how to set up Protobuf, Connect and gRPC (like we do at Oblique) to define and implement the APIs between the frontend and backend, meaning we basically get type-safe frontend APIs.
oblique.security/blog/type-sa...

Our engineering team is cooking 🍳 and sharing great tidbits recently that you might have missed 🧵

Access requests are a bandaid, not a fix | Oblique IT teams are overwhelmed with never-ending access requests. Getting off the identity treadmill means getting to fewer tickets over time, not faster tickets.

In other parts of security, we’ve learned that fixing classes of problems is the only way we can address them for good — but we haven’t had that mindset shift yet in access management.

We need better controls, so that we can get to fewer tickets, not faster tickets.
oblique.security/blog/access-...

The real SSO tax | Oblique The SSO tax shouldn't be about having SSO — it should be about enforcing it. The value of SSO is to centrally manage access and require strong authentication.

It’s 2025 and many teams still can’t reliably enforce strong authentication across their app stack. That’s the real SSO tax: not paying to have SSO, but paying to enforce it.

Read more about how we’re approaching practical enforcement at Oblique: oblique.security/blog/real-ss...

Modern access controls: takeaways on what actually works | Oblique We interviewed IT and security teams to ask them how they actually define, implement, and improve their access control policies. Get the report to learn more.

Get the report: oblique.security/blog/policie...

What you really want to control access to is data, not systems — so why are we stuck thinking in systems? Our cofounder @mayakaczorowski.com shares what she learned researching tiered controls for our latest report on Modern Access Controls.

What we can learn from real-world authentication failures | Oblique Recent breaches at Okta, Snowflake, and Twitter help us learn how to prevent authentication failures like credential theft, MFA bypass, and session hijacking.

Authentication failures from the last five years at Okta, Snowflake, and Twitter show very similar attacks, from credential theft, to MFA bypass, to session hijacking.

Dive deeper into these incidents and avoid repeating the same mistakes: oblique.security/blog/authn-f...

Modern access controls: takeaways on what actually works | Oblique We interviewed IT and security teams to ask them how they actually define, implement, and improve their access control policies. Get the report to learn more.

Read the report: oblique.security/blog/policie...

Don't rely on managers for access approvals — they don't work, for either security or speed.
Instead, get approvals from app owners who actually understand the systems and risks, and automate approvals that are always granted.

We see it all the time: internal security tools “work” but hurt to use—so people route around them. We break down why teams underinvest in UX and how to build tools users actually adopt. Treat security like a product. https://oblique.security/blog/security-ux/

We interviewed IT and security teams on what actually works in access control: shared ownership, data-first controls, enforce at change time, route approvals to app owners or automate, pre-approved groups for JIT access. https://oblique.security/blog/policies-report/

Modern access controls: takeaways on what actually works | Oblique We interviewed IT and security teams to ask them how they actually define, implement, and improve their access control policies. Get the report to learn more.

What *really* works in access control? We asked modern IT and security teams how they define and improve their policies — in reality, not in theory.

Read the report: oblique.security/blog/policie...

Delegate authority to those with context | Oblique Business teams have context for access decisions but lack authority. Delegate to those closest to the resources by defining clear ownership for each app.

The biggest scaling challenge for IT and security teams isn't technical — it's organizational. When you're managing access for thousands of employees and hundreds of applications, you need to know: who owns what?

Read more in our latest post: oblique.security/blog/delegat...

Stop trying to make git happen | Oblique Internal tools built as code come with version control and audit logs for free, but git becomes a barrier for non-engineers to use these tools.

You shouldn't build your internal tools in git unless you hate your users.
Stop making me learn git. Stop trying to make git happen 💁‍♀️
oblique.security/blog/git-int...

If you're interested in learning more about what's happening in the IAM market — and who's competing with Okta and why — then you should read our cofounder @mayakaczorowski.com's latest post.

Why your RBAC roles aren't actually roles | Oblique A role in RBAC should represent what someone actually does in your environment. Your job title makes a bad RBAC role: it's your position, not your function.

Your job title makes a bad RBAC role: what access does a Chief Happiness Officer need, anyways? A role in RBAC should represent what someone actually does in your environment. Your job title is your position, not your job function.

Read more in our latest blog post: oblique.security/blog/rbac-ro...

Comms groups inevitably become access groups | Oblique Comms groups map to how people actually work, and often, access groups don't (but they should). Comms groups always become access groups. It's not a matter of if, but when.

Comms groups map to how people actually work, and often, access groups don't (but they should). But comms groups always become access groups. It's not a matter of if, but when.
Read more in our latest post: oblique.security/blog/comms-a...

The New Commandments of Security Teams Guest post by Maya Kaczorowski

Check out our cofounder @mayakaczorowski.com's post on @frankw.bsky.social's Frankly Speaking on how modern security teams are scaling.
Read the post for the new commandments of security teams: franklyspeaking.substack.com/p/the-new-co...

Check out the latest from our cofounder @ericchiang.bsky.social to learn about a neat Go type trick to avoid query injection in SQL builders.

Over the past 60 years, we've gone from reusing the same password everywhere to advanced biometric authentication like FaceID. Dive into the history of authentication in just 2 minutes!

The evolution of authentication, from passwords to passkeys | Oblique Authentication has evolved from simple passwords to federated systems with passwordless logins, continuously balancing security and usability.

Authentication has evolved from simple passwords to federated systems with passwordless logins, with a constant push and pull to balance security and usability.
Deep dive into the evolution of authentication in our latest blog post!
oblique.security/blog/history...

Authenticating GitHub Actions without API keys | Oblique Instead of minting long-lived APIs keys and warning users “keep this secret,” let's use GitHub Action's OpenID Connect support instead.

Instead of minting long-lived API keys, you can use GitHub Actions' OpenID Connect support for workload identity. Here's how we authenticate config-as-code workflows in Oblique without secret management headaches.

Better security + Better developer experience 💟

oblique.security/blog/github-...

Making IAM Less Painful: A Security PM's Journey to Founding Oblique Security TL;DR: I sat down with Maya Kaczorowski who’s building Oblique Security. I chatted about her early beginnings studying math and cryptography to building security products at Google Cloud, GitHub, and ...

Check out this interview with our co-founder @mayakaczorowski.com on finding and solving problems that have real security impact - like why access management is a perennial issue for organizations.
thesecuritywing.com/making-iam-l...

Good justifications write themselves | Oblique Organizations ask users to fill out justification fields when requesting access, but these are useless explanations. Your authorization system should already have the context it needs.

Most access request justifications are useless. "Please give me access" doesn't give you any context, it's just someone trying to get back to work.
oblique.security/blog/justifi...

Chesterton's fence doesn't apply to access controls | Oblique IT teams are scared to remove access they don't understand, leading to sprawling entitlements. Removing unused access isn't risky — never removing access is.

IT teams are afraid of removing access — what if something breaks?

Even if you don't know why someone has access, you should be able to figure out if they're using it. Removing unused access isn't risky — never removing access is.

Read more in our latest blog post: oblique.security/blog/chester...

Identity management is harder than it should be | Oblique Identity management is surprisingly hard, as access controls change constantly, and getting them right requires context. We founded Oblique to work on impactful security problems.

Identity management has quietly become the primary security perimeter. But it's a mess — identity requires constant manual work that security teams burn out from.

At Oblique, we're helping organizations make their access controls actually maintainable.

Full post: oblique.security/blog/identit...