
Throw Away Your Passwords: Trusting Workload Identity

Conference:  CloudOpen 2022

2022-06-21

Authors:   Andrew Martin


Summary

The presentation discusses workload identity and why it matters for securing cloud native systems. It examines the limitations of traditional authentication mechanisms and proposes replacing them with dynamic, short-lived credentials anchored in hardware roots of trust.
  • Historically, identifiers such as IP addresses, passwords, and certificates were used for authentication; in dynamic cloud native systems, where addresses churn and static secrets leak, they are no longer adequate.
  • Workload identity lets a workload prove who it is without a pre-provisioned static secret that has to be distributed, stored, and rotated.
  • A trusted third party is needed to attest workloads and issue their identities; the identity documents it issues should be short-lived and cryptographically verifiable by the relying party.
  • TPMs, Keylime, and trusted execution environments can anchor that trust in hardware, giving stronger guarantees of a node's identity and integrity.
  • SPIFFE and SPIRE are useful tools for managing workload identity in more complex environments.
The speaker describes a scenario in which an attacker who steals a certificate and its private key can impersonate the legitimate workload. With a TPM, the private key is generated inside the TPM and never leaves it, so the certificate on its own is of no use to an attacker and the key cannot be exfiltrated from the host.
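The issuance-and-verification loop described above (a trusted issuer, a short-lived document bound to one audience, and a relying party that checks the signature before trusting any claim) is shown below as an added example. It is not code from the talk or from the SPIFFE/SPIRE projects: the document format, the `Issuer` and `Verify` names, and the trust domain `example.org` are assumptions chosen for illustration, using only the Go standard library rather than a SPIRE client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims carried by a short-lived workload identity document. Hypothetical
// minimal format, loosely modelled on a JWT-SVID: the subject is a SPIFFE ID,
// and the document is valid only for one audience and for a few minutes.
type Claims struct {
	Subject  string `json:"sub"`
	Audience string `json:"aud"`
	IssuedAt int64  `json:"iat"`
	Expiry   int64  `json:"exp"`
}

// Document is the signed identity document handed to a workload.
type Document struct {
	Payload   []byte // JSON-encoded Claims
	Signature []byte // ASN.1 ECDSA signature over SHA-256(Payload)
}

// Issuer plays the trusted third party (the role a SPIRE server fills).
// Its private key never leaves this process; verifiers only get the public key.
type Issuer struct {
	TrustDomain string
	key         *ecdsa.PrivateKey
}

func NewIssuer(trustDomain string) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{TrustDomain: trustDomain, key: key}, nil
}

// PublicKey is what is distributed to relying parties as the trust bundle.
func (i *Issuer) PublicKey() *ecdsa.PublicKey { return &i.key.PublicKey }

// Issue mints a document for spiffeID valid for ttl from now. The issuer
// refuses to vouch for identities outside its own trust domain.
func (i *Issuer) Issue(spiffeID, audience string, now time.Time, ttl time.Duration) (*Document, error) {
	if !strings.HasPrefix(spiffeID, "spiffe://"+i.TrustDomain+"/") {
		return nil, fmt.Errorf("refusing to issue for %q: not in trust domain %s", spiffeID, i.TrustDomain)
	}
	payload, err := json.Marshal(Claims{
		Subject: spiffeID, Audience: audience,
		IssuedAt: now.Unix(), Expiry: now.Add(ttl).Unix(),
	})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, i.key, digest[:])
	if err != nil {
		return nil, err
	}
	return &Document{Payload: payload, Signature: sig}, nil
}

// Verify is what the relying workload runs: check the signature against the
// trust bundle first, and only then believe anything inside the payload.
func Verify(doc *Document, bundle *ecdsa.PublicKey, audience string, now time.Time) (*Claims, error) {
	digest := sha256.Sum256(doc.Payload)
	if !ecdsa.VerifyASN1(bundle, digest[:], doc.Signature) {
		return nil, errors.New("bad signature: not issued by a trusted issuer")
	}
	var c Claims
	if err := json.Unmarshal(doc.Payload, &c); err != nil {
		return nil, err
	}
	if c.Audience != audience {
		return nil, fmt.Errorf("audience mismatch: document is for %q", c.Audience)
	}
	if now.Unix() < c.IssuedAt {
		return nil, errors.New("document not yet valid")
	}
	if now.Unix() >= c.Expiry {
		return nil, errors.New("document expired: re-attest and fetch a fresh one")
	}
	return &c, nil
}

func main() {
	const sub = "spiffe://example.org/ns/prod/sa/payments" // constructed sample IDs
	const aud = "spiffe://example.org/ns/prod/sa/ledger"
	issuer, err := NewIssuer("example.org")
	if err != nil {
		panic(err)
	}
	now := time.Now()
	doc, err := issuer.Issue(sub, aud, now, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	if c, err := Verify(doc, issuer.PublicKey(), aud, now.Add(time.Minute)); err == nil {
		fmt.Println("accepted:", c.Subject)
	}
	_, err = Verify(doc, issuer.PublicKey(), aud, now.Add(10*time.Minute))
	fmt.Println("after ten minutes:", err)
}
```

The relying party never holds a shared secret with the workload; it only needs the issuer's public key. Because the document expires in minutes, a stolen copy has a short useful life, and because it is bound to an audience, a document minted for one service cannot be replayed against another.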

Abstract

Trust is required to secure our systems: we need it to bootstrap infrastructure, to run workloads, and to reassure our customers of their privacy. But how do we establish and secure this "trust" in a dynamic cloud native system? Historically we relied upon identifiers such as IP addresses, passwords, and certificates, but can we do better than these antiquated authentication mechanisms? In this talk we:
  • Introduce workload identity concepts with real-world demos and walkthroughs
  • Strive for a world in which passwords and static keys are replaced by dynamic credentials and hardware roots of trust
  • Solve the "bottom turtle" trust bootstrap quandary
  • Appraise the open source implementations and technologies available to you
  • Demonstrate the bootstrap, compromise, and remediation of a Kubernetes cluster using workload identity integrations

Materials: