Authors: Daniel Feldman, Andres Vega
2023-04-20

tldr - powered by Generative AI

SPIRE and SPIFFE are cloud-native security projects that aim to provide automated, API-driven verification of identities for every component of a system, enabling fine-grained access control and zero trust security.
  • Observing the evolution of software architectures and the need for zero trust security in cloud-native systems led to the development of SPIRE and SPIFFE
  • Fine-grained workload identity is crucial for achieving zero trust security
  • Automating security and offloading it as a function of the platform can improve developer productivity and operational efficiency
  • Short-lived, cryptographically verifiable identities can solve the problem of protecting key material
  • SPIRE and SPIFFE provide a plug-in interface for changing credential details and advanced authorization rules engines for access control

Authors: Josh Van Leeuwen, Thomas Meadows
2023-04-19

tldr - powered by Generative AI

The presentation discusses the Secure Production Identity Framework for Everyone (SPIFFE) and how it can be used with Cert Manager to deliver certificates to pods that are SPIFFE-compliant and attested by workload identity.
  • SPIFFE is an open-source framework that standardizes how a workload or machine identity is defined.
  • SPIFFE SVIDs come in two document formats, JWT and X.509, and a workload can verify the SVIDs presented by other workloads.
  • SPIFFE has an emerging ecosystem of plugins to integrate with other tools and services.
  • CSI Driver SPIFFE can be used with Cert Manager to deliver certificates to pods that are SPIFFE-compliant and attested by workload identity.
  • CSI (the Container Storage Interface) is the standard mechanism through which any kind of storage is provided to Kubernetes.

Authors: Eli Nesterov
2022-11-18

Enabling production-level TLS/mTLS for applications and APIs often requires a lot of effort and cross-team collaboration. It is easier for south-north and Internet-facing traffic but much harder for east-west traffic and internal applications. Adding secure authentication on top of that is an even harder task.

As developers, we want to focus on business logic, adding new features, and shipping products. So it is not a surprise that we often push adding transport-level security and secure authentication till the very last moment and then rush to enable it. Sounds familiar? This situation often leads to different "bolt-on" security solutions as a compromise. It lets development teams focus on the business logic, with security features added transparently through various mechanisms like side-cars, service meshes, and API gateways.

What if there is a better way? What if we can build apps and APIs with automated mTLS and secure authentication without adding friction for developers?

In this talk, we'll discuss SPIFFE and SPIRE and how you can use them to secure microservices communication automatically. We'll look into different SPIRE architecture models and usage scenarios and examine ways to enable it by default, removing friction for developers. I'll demonstrate different use cases, including transparent authentication to AWS, GCP, or Azure cloud services through federation, even if you are running in your on-prem data center.

Authors: Sitaram Iyer, Riaz Mohamed
2022-10-27

tldr - powered by Generative AI

The talk discusses how to manage security at the edge using cert-manager and utilizing SPIFFE as a way to manage and distribute trust.
  • Workloads are moving from data centers to the edge, and Kubernetes has been adopted to run these workloads.
  • The challenge is to secure these workloads and manage certificates and renewals at scale.
  • Cert-manager and SPIFFE can be used to manage security at the edge and distribute trust.
  • The talk demonstrates how to provision and renew certificates for both ingress and mTLS use cases using cert-manager on a Raspberry Pi.

Authors: Evan Gilman
2022-10-26

tldr - powered by Generative AI

The presentation discusses how to use SPIFFE/SPIRE to securely access cloud resources from anywhere without having to generate, store, or manage API keys.
  • SPIFFE and SPIRE enable identity federation for cloud native workloads
  • SPIFFE IDs are structured strings that include a trust domain name and service name
  • Trust domains are security domains that have a one-to-one relationship with a set of identity issuers
  • SPIRE can be used to securely access AWS, Azure, and GCP resources without a secret access key

Authors: Eli Nesterov
2022-10-25

tldr - powered by Generative AI

The presentation discusses the keys to a successful SPIRE rollout in production, based on learnings from multiple successful production deployments and commonly asked questions in SPIFFE/SPIRE Slack channels.
  • Understand trust boundaries and how they map into SPIFFE trust domains
  • Consider how this mapping affects your PKI and where to store keys
  • Federation between independent SPIFFE systems can affect performance and bundle size
  • Investment in building your own system depends on how much you trust it
  • Consider architecture patterns, deployment models, logging, monitoring, security, availability, and performance topics when moving from proof of concept to production

Authors: Charlie Egan, Jake Sanders
2022-05-20

tldr - powered by Generative AI

The presentation discusses the use of standardized identities in workload agencies to improve security and simplify the process of moving from on-prem and hybrid environments to clouds.
  • The use of standardized identities, such as SPIFFE, can improve security and simplify the process of moving from on-prem and hybrid environments to clouds.
  • The presentation demonstrates a toy example of a workload agency using a SPIFFE connector server to issue short-lived cloud credentials to workloads.
  • The SPIFFE connector server is configured with an ACL to control which workloads can access which credentials.
  • The presentation includes a live demo of the toy example, showing the deployment of the SPIFFE connector server and an example workload with a sidecar.
  • The demo illustrates how the SPIFFE connector server issues short-lived credentials to the workload, which can then be used to access cloud APIs.
  • The use of standardized identities can improve security by allowing for better auditing and control over which workloads have access to which credentials.

Authors: Frederick Kautz, Andres Vega
2022-05-18

SPIFFE aims to strengthen the identification of software components in a common way that can be leveraged across distributed systems by anyone, anywhere. The ability to maintain software security by standardizing how systems define, attest, and maintain software identity, regardless of where systems are deployed or who deploys those systems, confers many benefits. The use of SPIFFE can significantly reduce costs associated with the overhead of managing and issuing cryptographic identity documents and accelerate development by removing the need for developers to understand the complexity involved in securing service-to-service communication, but that is not the only outcome. Production identity can have a positive impact on many areas such as interoperability, compliance, auditability, and more. This presentation demonstrates the real-world scenarios and outcomes of deploying SPIFFE across your infrastructure and also using it to bridge and integrate the infrastructure of others.

Authors: Andrew Harding
2021-10-15

tldr - powered by Generative AI

The presentation discusses the use of SPIFFE/SPIRE for cross-cluster authentication in Kubernetes.
  • SPIFFE is a set of specifications for getting a cryptographic identity for workloads to authenticate with other workloads
  • SPIRE is a tool that implements SPIFFE specifications
  • Cross-cluster authentication is complicated, but can be solved with SPIFFE/SPIRE
  • The presentation includes a live coding and demo session to show how easy it is to use SPIFFE/SPIRE in Kubernetes workloads

Authors: Ryan Turner
2021-10-15

tldr - powered by Generative AI

SPIFFE is a secure production identity framework that provides a new model for identifying workloads to enable strong authentication in service-to-service communication.
  • SPIFFE is an open-source set of specifications that defines what a workload identity is and how to represent it
  • SPIFFE allows identifying workloads in a microservices, container-based world without relying on network-level constructs like IP address or DNS name
  • SPIFFE describes a workload identity through a SPIFFE ID, which is an identifier string represented as a URI
  • SPIFFE enables federation to allow workloads running in different trust domains to talk to each other and trust each other
  • The SPIFFE project is working on improving attestation of supply chain provenance, enabling secretless authentication to GCP using OpenID Connect Federation, and improving key revocation and forced rotation within SPIRE
  • The project is also working on enabling secretless authentication to Azure using OIDC Federation and improving the health check subsystem and error messages