SPIFFE/SPIRE Brings Federated Identity to Distributed Architectures
Portworx sponsored The New Stack’s coverage of KubeCon + CloudNativeCon in San Diego.
This week at the Kubecon+CloudNativeCon North America 2019, the SPIFFE and SPIRE projects will showcase their expanded capabilities to offer OpenID Connect (OIDC) federated identity, enabling microservices to employ this security not only between themselves on a single SPIRE instance, but also between shared services, such as databases, service meshes, and public cloud providers, without necessarily using secrets and/or network security controls.
With the move to distributed application architectures made up of often-ephemeral microservices running in numerous locations, perimeter security just doesn’t cut it anymore. Instead, microservices can employ a form of security called zero-trust security, wherein each and every component authenticates with any other component it must interact with.
In early 2018, the two projects joined the Cloud Native Computing Foundation (CNCF) to help developers more easily employ this form of security in their cloud native applications.
SPIFFE, which stands for Secure Production Identity Framework for Everyone, is a set of open source standards, and SPIRE, the SPIFFE Runtime Environment, is the software that actually implements that specification. Both joined the CNCF in early 2018 at the sandbox level, and since that time, Scytale, a startup founded specifically for SPIFFE, has also launched Scytale Enterprise, a cloud-based subscription-based on SPIFFE/SPIRE to standardize service authentication across cloud, container, and on-premise infrastructure. Since its creation, the SPIFFE standard has also been adopted by projects like Google’s Istio service mesh and Hashicorp’s Consul, as well as Envoy and gRPC, among others.
Andrew Jessup, co-founder and head of product at Scytale, explained in an interview with The New Stack that, until now, SPIFFE-compatible software was only able to securely communicate with other components using the same identity server. Now, with federated identity, he explained, disparate systems and services are able to securely communicate with each other — something customers have been asking for.
“I’ve got all these different service meshes running around and maybe I’m using other implementations as well, how can I actually start to connect these things together, these little isolated islands? Even if I’ve got two different types of business units running different infrastructure, both running SPIFFE-compatible systems, how can I create like contiguous trust between them?” said Jessup. “If I’m running SPIRE in one data center and Istio in another, even though these are two different implementations of SPIFFE, these things can federate and learn to trust each other, such that software running on an Istio cluster in one and a data center in another can also trust each other.”
Evan Gilman, a staff engineer at Scytale, further explained the importance of these new capabilities in a company statement.
“OIDC federation is a great way for distributed systems to securely interact without distributing shared secrets,” said Gilman. “For example, a system running within an on-premises data center managed by SPIRE can now directly authenticate with cloud platforms like AWS without sharing secrets or private keys.”
Jessup said that this absence of sharing secrets or private keys helps to prevent breaches caused by a leak of passwords, or the recent Capitol One breach, where someone gained access to the shared AWS keys and secrets.
“We’ve seen a lot of early interest around using SPIFFE not just for connecting individual workloads inside a data center or connecting what goes across data centers, but now into connecting into existing legacy software systems as well,” said Jessup. “It seems like a subtle point, but it’s a really important transition for the SPIFFE project because it vastly broadens the reach and utility of what SPIFFE is actually able to do.”
For those attending Kubecon+CloudNativeCon North America 2019 who are interested in learning more, Scytale will be demonstrating SPIRE and Scytale Enterprise, as well as hosting several lightning talks on SPIFFE/SPIRE, at Booth #S21.
Kubecon+CloudNativeCon and HashiCorp are sponsors of The New Stack.
Feature image by David Mark from Pixabay.