TL;DR: Cloudflare’s outage was triggered by a permissions change that expanded an internal feature file until it broke production systems, showing how standing privileges can create operational blast radius even without an attacker, according to Apono. The incident reinforces that access scope and permanence are reliability controls as much as security controls.
NHIMG editorial — based on content published by Apono: When the Internet Blinks: What Cloudflare’s Outage Teaches Us About Standing Privileges
Questions worth separating out
Q: What breaks when standing privileges are left in place for cloud infrastructure changes?
A: Standing privileges increase the chance that a routine change can affect shared systems far beyond the intended task.
Q: Why do standing privileges increase operational risk in infrastructure teams?
A: Because they let the same identity retain broad rights across changing contexts, including when the task no longer needs them.
Q: How do teams know if privilege governance is actually reducing outage risk?
A: Look for fewer always-on write permissions on shared production systems, tighter scope on high-risk identities, and more changes executed through temporary elevation with expiry.
Practitioner guidance
- Reclassify sensitive write access by blast radius: Identify database, feature-generation, and control-plane permissions that can affect shared production services and move them into higher-risk review paths.
- Replace standing administrative access with JIT elevation: Grant temporary access only for the duration of a specific change, and require automatic expiry once the task is complete.
- Separate operational convenience from system-wide authority: Review service accounts, automation pipelines, and API keys that can alter shared artefacts or production inputs.
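One way to run the check described in the questions and guidance above, as an added example that is not from Apono's article or this post: it audits a grant inventory for always-on, over-long, or expired-but-present write access on shared production resources and reports the share of such grants that are in policy. The inventory, its field names, the identities and the 4-hour ceiling are all constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_TTL = timedelta(hours=4)  # assumed policy ceiling for one change window

# Constructed inventory (timestamps treated as UTC); field names are hypothetical.
GRANTS = [
    {"identity": "alice", "kind": "human", "resource": "prod-db/feature-tables",
     "shared_prod": True, "access": "write", "granted": "2025-01-10T09:00", "expires": "2025-01-10T11:00"},
    {"identity": "svc-feature-gen", "kind": "service_account", "resource": "prod-db/feature-tables",
     "shared_prod": True, "access": "write", "granted": "2024-03-01T00:00", "expires": None},
    {"identity": "ci-deploy-key", "kind": "api_key", "resource": "control-plane/config",
     "shared_prod": True, "access": "write", "granted": "2025-01-09T00:00", "expires": "2025-02-09T00:00"},
    {"identity": "bob", "kind": "human", "resource": "prod-db/feature-tables",
     "shared_prod": True, "access": "read", "granted": "2024-06-01T00:00", "expires": None},
    {"identity": "carol", "kind": "human", "resource": "control-plane/config",
     "shared_prod": True, "access": "write", "granted": "2025-01-08T09:00", "expires": "2025-01-08T10:00"},
    {"identity": "dev-bot", "kind": "service_account", "resource": "staging-db",
     "shared_prod": False, "access": "write", "granted": "2024-01-01T00:00", "expires": None},
]

def classify(grant, now, max_ttl=MAX_TTL):
    """Return a finding label for one grant, or None if it is in policy."""
    if not (grant["shared_prod"] and grant["access"] == "write"):
        return None  # outside the high-blast-radius class this audit covers
    if grant["expires"] is None:
        return "standing-write"  # no expiry at all: always-on write access
    granted = datetime.fromisoformat(grant["granted"])
    expires = datetime.fromisoformat(grant["expires"])
    if expires <= now:
        return "expired-not-revoked"  # expiry recorded, but the grant still exists
    if expires - granted > max_ttl:
        return "ttl-exceeds-policy"  # time-bound on paper, standing in practice
    return None

def audit(grants, now, max_ttl=MAX_TTL):
    """Return (findings, fraction of shared-production write grants in policy)."""
    scoped = [g for g in grants if g["shared_prod"] and g["access"] == "write"]
    findings = [(g["identity"], g["kind"], g["resource"], label)
                for g in scoped if (label := classify(g, now, max_ttl))]
    ratio = 1 - len(findings) / len(scoped) if scoped else 1.0
    return findings, ratio

if __name__ == "__main__":
    NOW = datetime(2025, 1, 10, 10, 0)  # constructed audit time
    found, ratio = audit(GRANTS, NOW)
    for row in found:
        print(*row, sep="\t")
    print(f"in-policy share of shared-production write grants: {ratio:.0%}")
```

Tracking the in-policy share over time gives a trend for the "fewer always-on write permissions" signal, and the `kind` column keeps service accounts and API keys in the same report as human identities.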
What's in the full article
Apono's full blog post covers the operational detail this post intentionally leaves for the source:
- The specific Cloudflare permissions chain and how the internal database change altered feature-file generation.
- The Zero Standing Privileges framing Apono uses to connect outage resilience with access governance.
- Practical examples of temporary elevation, scope limits, and logging across cloud and database environments.
- How Apono positions service accounts, API keys, and automation tokens within the same privilege model.
Standing privileges and cloud outages: what IAM teams need to know?