
Throw Away Your Passwords: Trusting Workload Identity

2022-05-20

Authors: Ric Featherstone


Summary

The presentation discusses the importance of machine identity and workload identity in securing cloud native systems. It explores the issues with traditional authentication mechanisms and proposes solutions using open source implementations and technologies.
  • Historically, identifiers such as IP addresses, passwords, and certificates were used for authentication, but they are no longer effective in a dynamic cloud native system.
  • Machine identity and workload identity are crucial for securing cloud native systems.
  • Secrets management and access control rely on workload identity or secret zero.
  • Cloud credentials can be obtained using OpenID Connect (OIDC) and can be used for authorization.
  • SPIFFE and SPIRE provide an identity framework for workload identity and machine identity.
  • A SPIFFE ID is a URI that identifies a workload.
  • SVIDs (SPIFFE Verifiable Identity Documents) are short-lived and rotated frequently.
  • SVIDs are verified cryptographically against trust bundles.
  • SPIRE is an implementation of the SPIFFE standards; it consists of an agent and a server.
  • The agent attests to the server, and workloads attest to the agent, which maps selectors to workload identities.
The speaker gave an example of using AWS APIs to obtain cloud credentials without worrying about authentication. By passing tokens between services, authorization can be enforced using OpenID Connect. The speaker also discussed using GitHub to run infrastructure-code pipelines and obtain temporary cloud credentials. SPIFFE and SPIRE were proposed as solutions for workload identity and machine identity.
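The SVID check the summary describes (an X.509-SVID verified cryptographically against the trust bundle chosen by its trust domain), as an added Go example that is not from the talk or from the SPIRE project. The trust domain, the SPIFFE ID path, the in-memory CA standing in for a SPIRE server and the helper names Mint and VerifySVID are all constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Mint stands in for the SPIRE server of trust domain td (constructed for this example): it returns the
// domain's trust bundle (keyed by trust domain, as a peer holds it) and a one-hour X.509-SVID for spiffe://td/path.
func Mint(td, path string) (map[string]*x509.CertPool, *x509.Certificate, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	wlKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the workload's private key never leaves it
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: td + " CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed
	if err != nil {
		return nil, nil, err
	}
	ca, _ := x509.ParseCertificate(caDER)
	svidTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), URIs: []*url.URL{{Scheme: "spiffe", Host: td, Path: path}},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)} // short-lived
	svidDER, err := x509.CreateCertificate(rand.Reader, svidTmpl, ca, &wlKey.PublicKey, caKey)
	svid, _ := x509.ParseCertificate(svidDER) // nil when signing failed; that err is returned below
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	return map[string]*x509.CertPool{td: bundle}, svid, err
}

// VerifySVID is the peer's side: the SVID's trust domain selects the bundle, the chain must end in that bundle, and the SPIFFE ID (never a hostname or IP address) is what authorization keys on.
func VerifySVID(svid *x509.Certificate, bundles map[string]*x509.CertPool) (string, error) {
	if len(svid.URIs) != 1 || svid.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("SVID must carry exactly one spiffe:// URI SAN, got %v", svid.URIs)
	}
	id := svid.URIs[0]
	roots, ok := bundles[id.Host]
	if !ok {
		return "", fmt.Errorf("no trust bundle for trust domain %q", id.Host)
	}
	if _, err := svid.Verify(x509.VerifyOptions{Roots: roots}); err != nil { // no DNSName: hostnames are not identity
		return "", fmt.Errorf("SVID not signed by trust domain %q: %w", id.Host, err)
	}
	return id.String(), nil
}
```

A real SPIRE deployment delivers the SVID and bundle to the workload over the agent's Workload API after attestation; the verification step on the receiving side is the same.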

Abstract

Trust is required to secure our systems: we need it to bootstrap infrastructure, to run workloads, and to reassure our customers of their privacy. But how do we establish and secure this "trust" in a dynamic cloud native system? Historically we relied upon identifiers such as IP addresses, passwords, and certificates, but can we do better than these antiquated authentication mechanisms? In this talk we:
  • Demystify machine identity and its relationship to secrets management and access control
  • Discuss the issues with historical approaches in a cloud native environment
  • Solve the "bottom turtle" trust bootstrap quandary
  • Appraise the open source implementations and technologies available to you
  • Demonstrate practical examples of how to acquire a workload identity or secret zero
  • Strive for a world in which passwords and static keys are replaced by dynamic credentials and hardware roots of trust

Materials: