The perimeter is porous.. identity is the new perimeter.
The last few years has seen a tectonic shift in the velocity and
sophistication of software development and deployment models. The following
depicts this shift.
In this move to multi-cloud architectures, it has been established that we
live in a “perimeter-less” world and the notion of “inside .. vs outside” is
mostly irrelevant.
Furthermore, in the transition to containers, the assets are high dynamic,
transient, elastic and ephemeral. Consequently, traditional IP-centric
security mechanisms are not effective in securing container workloads. In
this scenario, the only thing that is distinct, dynamic and secure is the
identity, a unique cryptographic value assigned to a user or a service which
serves as the unique key that is used for authentication and authorization.
Hence the expression “Identity is the New Perimeter” Cloud Native leaders
like Google, Netflix, Scytale (HPE) have pioneered SPIFFE (Secure Production Identity Framework For Everyone [1, 2]) which
serves as a foundational mechanism for implementing this security
paradigm.
Establishing trust between entities (clients, servers) over untrusted channels
(like internet) was made possible due to Passwords, Shared Secrets, PKI,
HTTPS, TLS, etc. While these might seem extremely obvious in hindsight, these
are incredibly revolutionary and path breaking by any standards. However,
establishing trust in the world of micro-services due to the sheer size, scale
and diversity and heterogeneity (across on-prem, private cloud, multiple
public clouds, legacy platforms like VMs, modern platforms like
micro-services, serverless, functions) makes this an extremely daunting task.
SPIFFE [3] is a standard spec defining a workload identifier
(SPIFFE ID) that can be encoded into a SPIFFE Verifiable Identity Document
(SVID), either in the form of x509 or JWT. The spec also defines a few APIs
that must be satisfied in order to register nodes and workloads, etc. SPIRE
(SPIFFE Runtime Environment) is the reference implementation of the SPIRE
spec.
SPIFFE and SPIRE helps you avoid the onerous process of setting up your own
PKI infrastructure. The easiest way to think about SPIRE is fully automated
high velocity PKI with dynamic credential rotation; and SPIFEE ID allows you
to do cross authentication across heterogenous environments. Another common
every day to conceptualize this [5] is to view SPIFFE and a unique
identifier (say passport) and SPIRE verifies the passport.
SPIFFE and SPIRE represent a quantum leap in Identity frameworks compared
to anything in the past. The following table depicts its unique
advantages:
AccuKnox leverages the SPIFFE/SPIRE framework to implement a ZeroTrust
Kubernetes Run-time Security Environment. The following depicts the
high-level architecture.
In a Zero Trust world, there is a compelling belief [5] that Identity is a foundational
element to establish trust across multiple foundational security
platforms.
In summary, a strong Opensource based Identity Framework like SPIFFE/SPIRE is
a critical foundational element to establish trust domains, attest workloads,
establish policies, establish trust between organizations; all critical
functions to establish a Zero Trust platform.
I am immensely thankful for my colleague, Rahul Jadhav’s input and
contributions to this article.
Reference
1. Workload Identity — A SPIFFE Primer, Sunil Jacob
2. AWS IAM with SPIFFE & SPIRE
3. SPIFFE Project Introduction — Andrew Jessup and Emiliano Berenbaum
4. Five things you did not know you could do with SPIFFE and SPIRE —
Andrew Jessup and Andres Vega
5. Building Zero Trust based Authentication in Healthcare with SPIRE
Now you can protect your workloads in minutes using AccuKnox, it is available to protect your Kubernetes and other cloud workloads using
Kernel Native Primitives such as AppArmor, SELinux, and eBPF.
Let us know if you are seeking additional guidance in planning your
cloud security program.
