Defend Zero Day Attacks

Garner holistic visibility across development and deployment life cycle. Mitigate risks proactively to foil attacks with our most advanced and sophisticated CNAPP product.

Open Source

AccuKnox is the first 5G Security-ORAN to be published on Nephio

From fortifying the control plane to addressing vulnerabilities in the data plane, read the white paper and discover the crucial steps we need to take in order to enhance the security of 5G networks.

Cloud Native Security Redefined

Accelerate your cloud journey with our battle-tested expertise, delivering a comprehensive zero trust framework that safeguards cloud infrastructure and applications from targeted attacks.

Open Source

KubeArmor is now certified Redhat Openshift Operator

Embracing the Power of Open Source: We are proud to contribute to the open-source community, allowing businesses to leverage the strength of KubeArmor to safeguard their containerized environments.

Identity is the New Perimeter

by | Oct 29, 2021

Reading Time: 3 minutes

The perimeter is porous.. identity is the new perimeter.

The last few years has seen a tectonic shift in the velocity and
sophistication of software development and deployment models. The following
depicts this shift.

In this move to multi-cloud architectures, it has been established that we
live in a “perimeter-less” world and the notion of “inside .. vs outside” is
mostly irrelevant.

Furthermore, in the transition to containers, the assets are high dynamic,
transient, elastic and ephemeral. Consequently, traditional IP-centric
security mechanisms are not effective in securing container workloads. In
this scenario, the only thing that is distinct, dynamic and secure is the
identity, a unique cryptographic value assigned to a user or a service which
serves as the unique key that is used for authentication and authorization.
Hence the expression “Identity is the New Perimeter” Cloud Native leaders
like Google, Netflix, Scytale (HPE) have pioneered 
SPIFFE (Secure Production Identity Framework For Everyone [1, 2]) which
serves as a foundational mechanism for implementing this security

Establishing trust between entities (clients, servers) over untrusted channels
(like internet) was made possible due to Passwords, Shared Secrets, PKI,
HTTPS, TLS, etc. While these might seem extremely obvious in hindsight, these
are incredibly revolutionary and path breaking by any standards. However,
establishing trust in the world of micro-services due to the sheer size, scale
and diversity and heterogeneity (across on-prem, private cloud, multiple
public clouds, legacy platforms like VMs, modern platforms like
micro-services, serverless, functions) makes this an extremely daunting task.

SPIFFE [3] is a standard spec defining a workload identifier
(SPIFFE ID) that can be encoded into a SPIFFE Verifiable Identity Document
(SVID), either in the form of x509 or JWT. The spec also defines a few APIs
that must be satisfied in order to register nodes and workloads, etc. SPIRE
(SPIFFE Runtime Environment) is the reference implementation of the SPIRE

SPIFFE and SPIRE helps you avoid the onerous process of setting up your own
PKI infrastructure. The easiest way to think about SPIRE is fully automated
high velocity PKI with dynamic credential rotation; and SPIFEE ID allows you
to do cross authentication across heterogenous environments. Another common
every day to conceptualize this [5] is to view SPIFFE and a unique
identifier (say passport) and SPIRE verifies the passport.

SPIFFE and SPIRE represent a quantum leap in Identity frameworks compared
to anything in the past. The following table depicts its unique

AccuKnox leverages the SPIFFE/SPIRE framework to implement a ZeroTrust
Kubernetes Run-time Security Environment. The following depicts the
high-level architecture.

In a Zero Trust world, there is a compelling belief [5] that Identity is a foundational
element to establish trust across multiple foundational security

In summary, a strong Opensource based Identity Framework like SPIFFE/SPIRE is
a critical foundational element to establish trust domains, attest workloads,
establish policies, establish trust between organizations; all critical
functions to establish a Zero Trust platform.

I am immensely thankful for my colleague, Rahul Jadhav’s input and
contributions to this article.


1. Workload Identity — A SPIFFE Primer, Sunil Jacob


3. SPIFFE Project Introduction — Andrew Jessup and Emiliano Berenbaum

4. Five things you did not know you could do with SPIFFE and SPIRE —
Andrew Jessup and Andres Vega

5. Building Zero Trust based Authentication in Healthcare with SPIRE

Now you can protect your workloads in minutes using AccuKnox, it is available to protect your Kubernetes and other cloud workloads using
Kernel Native Primitives such as AppArmor, SELinux, and eBPF.

Let us know if you are seeking additional guidance in planning your
cloud security program.

Please enable JavaScript in your browser to complete this form.
We protect your organization against current and emerging threats with Zero Trust Cloud Security Solutions