logo

Enable security by default with automated mTLS and keyless authentication using SPIFFE and SPIRE

2022-11-18

Authors:   Eli Nesterov


Abstract

Enabling production-level TLS/mTLS for applications and API often requires a lot of effort and cross-team collaboration. It is easier for south-north and Internet-facing traffic but much harder for east-west traffic and internal applications. Adding secure authentication on top of that even harder task.As developers, we want to focus on business logic, adding new features, and shipping products. So it is not a surprise that we often push adding transport level security and secure authentication till the very last moment and then rush to enable it. Sounds familiar? This situation often leads to different "bolt-on" security solutions as a compromise. It lets development teams focus on the business logic and security features added transparently through various mechanisms like side-cars, service meshes, and API gateways.What if there is a better way?What if we can build apps and APIs with automated mTLS and secure authentication without adding friction to developers?In this talk, we'll discuss SPIFFE and SPIRE and how you can use them to secure microservices communication automatically. We'll look into different SPIRE architecture models and usage scenarios and examine ways to enable it by default removing frictions for developers.I'll demonstrate different use-cases, including transparent authentication to AWS, GCP, or Azure cloud services through federation, even if you are running in your on-prem data center.

Materials: