Authors: Daniel Feldman, Andres Vega
2023-04-20

tldr - powered by Generative AI

SPIRE and SPIFFE are cloud-native security projects that aim to provide automated, API-driven verification of identities for every component of a system, enabling fine-grained access control and zero trust security.
  • Observing the evolution of software architectures and the need for zero trust security in cloud-native systems led to the development of SPIRE and SPIFFE
  • Fine-grained workload identity is crucial for achieving zero trust security
  • Automating security and offloading it as a function of the platform can improve developer productivity and operational efficiency
  • Short-lived, cryptographically verifiable identities can solve the problem of protecting key material
  • SPIRE and SPIFFE provide a plug-in interface for changing credential details and advanced authorization rules engines for access control
Authors: Eli Nesterov
2022-11-18

Enabling production-level TLS/mTLS for applications and APIs often requires a lot of effort and cross-team collaboration. It is easier for north-south and Internet-facing traffic but much harder for east-west traffic and internal applications. Adding secure authentication on top of that is an even harder task.

As developers, we want to focus on business logic, adding new features, and shipping products. So it is not a surprise that we often push adding transport-level security and secure authentication until the very last moment and then rush to enable it. Sounds familiar? This situation often leads to different "bolt-on" security solutions as a compromise. It lets development teams focus on the business logic while security features are added transparently through various mechanisms like sidecars, service meshes, and API gateways.

What if there is a better way? What if we can build apps and APIs with automated mTLS and secure authentication without adding friction for developers?

In this talk, we'll discuss SPIFFE and SPIRE and how you can use them to secure microservices communication automatically. We'll look into different SPIRE architecture models and usage scenarios and examine ways to enable it by default, removing friction for developers. I'll demonstrate different use cases, including transparent authentication to AWS, GCP, or Azure cloud services through federation, even if you are running in your on-prem data center.
Authors: Evan Gilman
2022-10-26

The presentation discusses how to use SPIFFE/SPIRE to securely access cloud resources from anywhere without having to generate, store, or manage API keys.
  • SPIFFE and SPIRE enable identity federation for cloud native workloads
  • SPIFFE IDs are structured strings that include a trust domain name and service name
  • Trust domains are security domains that have a one-to-one relationship with a set of identity issuers
  • SPIRE can be used to securely access AWS, Azure, and GCP resources without a secret access key
Authors: Eli Nesterov
2022-10-25

The presentation discusses the keys to a successful SPIRE rollout in production, based on learnings from multiple successful production deployments and commonly asked questions in SPIFFE/SPIRE Slack channels.
  • Understand trust boundaries and how they map into SPIFFE trust domains
  • Consider how this mapping affects your PKI and where to store keys
  • Federation between independent SPIFFE systems can affect performance and bundle size
  • Investment into building your own system depends on how much you trust it
  • Consider architecture patterns, deployment models, logging, monitoring, security, availability, and performance topics when moving from proof of concept to production
Authors: Agustín Martínez Fayó, Marcos Yacob
2022-05-20

The presentation discusses the use of SPIRE and SPIFFE in securing containerized applications on Windows servers.
  • SPIRE and SPIFFE are open-source tools used for securing containerized applications
  • The presentation demonstrates successful communication between different containerized applications using SPIRE and SPIFFE on Windows servers
  • The presenter discusses the challenges faced in implementing SPIRE and SPIFFE on Windows servers, particularly in obtaining information about running containers
  • Future plans include making SPIRE and SPIFFE work on Kubernetes and supporting different programming languages
Authors: Andrew Harding
2021-10-15

The presentation discusses the use of SPIFFE/SPIRE for cross-cluster authentication in Kubernetes.
  • SPIFFE is a set of specifications for getting a cryptographic identity for workloads to authenticate with other workloads
  • SPIRE is a tool that implements SPIFFE specifications
  • Cross-cluster authentication is complicated, but can be solved with SPIFFE/SPIRE
  • The presentation includes a live coding and demo session to show how easy it is to use SPIFFE/SPIRE in Kubernetes workloads
Authors: Ryan Turner
2021-10-15

SPIFFE is a secure production identity framework that provides a new model for identifying workloads to enable strong authentication in service-to-service communication.
  • SPIFFE is an open-source set of specifications that defines what a workload identity is and how to represent it
  • SPIFFE allows identifying workloads in a microservices, container-based world without relying on network-level constructs like IP address or DNS name
  • SPIFFE describes a workload identity through a SPIFFE ID, which is an identifier string represented as a URI
  • SPIFFE enables federation to allow workloads running in different trust domains to talk to each other and trust each other
  • The SPIFFE project is working on improving attestation of supply chain provenance, enabling secretless authentication to GCP using OpenID Connect Federation, and improving key revocation and forced rotation within SPIRE
  • The project is also working on enabling secretless authentication to Azure using OIDC Federation and improving the health check subsystem and error messages