Conference:  Global AppSec San Francisco 2022

Authors: Eli Nesterov

2022-11-18

Enabling production-level TLS/mTLS for applications and API often requires a lot of effort and cross-team collaboration. It is easier for south-north and Internet-facing traffic but much harder for east-west traffic and internal applications. Adding secure authentication on top of that even harder task.As developers, we want to focus on business logic, adding new features, and shipping products. So it is not a surprise that we often push adding transport level security and secure authentication till the very last moment and then rush to enable it. Sounds familiar? This situation often leads to different "bolt-on" security solutions as a compromise. It lets development teams focus on the business logic and security features added transparently through various mechanisms like side-cars, service meshes, and API gateways.What if there is a better way?What if we can build apps and APIs with automated mTLS and secure authentication without adding friction to developers?In this talk, we'll discuss SPIFFE and SPIRE and how you can use them to secure microservices communication automatically. We'll look into different SPIRE architecture models and usage scenarios and examine ways to enable it by default removing frictions for developers.I'll demonstrate different use-cases, including transparent authentication to AWS, GCP, or Azure cloud services through federation, even if you are running in your on-prem data center.

Conference:  Cloud Native SecurityCon North America 2022

Authors: Eli Nesterov

2022-10-25

The presentation discusses the keys to a successful SPIRE rollout in production, based on learnings from multiple successful production deployments and commonly asked questions in SPIFFE/SPIRE Slack channels.

• Understand trust boundaries and how they map into SPIFFE trust domains
• Consider how this mapping affects your PKI and where to store keys
• Federation between independent SPIFFE systems can affect performance and bundle size
• Investment into building your own system depends on how much you trust it
• Consider architecture patterns, deployment models, logging, monitoring, security, availability, and performance topics when moving from proof of concept to production