Back at the end of March, the Cloud Native Computing Foundation accepted a new sandbox project for identity management. The project is called SPIFFE, which stands for Secure Production Identity Framework For Everyone. It’s being supported by Amazon, Google and Red Hat, but at the center of the project is Scytale, a startup founded specifically for SPIFFE.
Scytale and SPIFFE are the brainchildren of Sunil James, who’s been in the software industry since the turn of the century. With a resume that dates all the way back to one of the first companies to offer security bug bounties and time at both Amazon and Google, James has a long view of some of the pain points that have been experienced by teams moving their enterprise environments into rapidly scalable, cloud-based infrastructure.
To this end, SPIFFE provides a unified way for systems to authenticate identity across microservices and servers. SPIRE (the SPIFFE Runtime Environment) supplies a central server that manages identities, while smaller agents on the endpoints handle authentication for the workloads running there. SPIRE is only one implementation of the SPIFFE framework; Istio Auth also uses SPIFFE.
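The framework's unit of identity is a URI of the form `spiffe://<trust-domain>/<path>`, which a workload presents to its peers. The following is an added example, not code from the article or from the SPIFFE or SPIRE projects: it validates such an identifier and makes a minimal trust decision for a peer. The grammar it enforces is the editor's summary of the public SPIFFE ID specification (lowercase trust domain, non-empty path segments, no `.`/`..` segments, no query or fragment, 2048-byte limit), and the identifiers and allow-list are constructed sample values.

```python
"""Parse and validate SPIFFE IDs, then decide whether a peer may connect.

Added example; not part of the article or of the SPIFFE/SPIRE projects.
Assumptions: the SPIFFE ID grammar below is the editor's reading of the
public SPIFFE ID specification; identity strings and allow-lists used in
__main__ are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import Collection

# Trust domain: lowercase letters, digits, '.', '-', '_' (SPIFFE ID spec as read here).
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
# Path segment: letters, digits, '.', '-', '_'; the segments '.' and '..' are rejected below.
_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")
MAX_ID_BYTES = 2048


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # '' for a bare trust-domain ID, otherwise starts with '/'

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(raw: str) -> SpiffeId:
    """Parse a SPIFFE ID string; raise ValueError if it is malformed."""
    if len(raw.encode("utf-8")) > MAX_ID_BYTES:
        raise ValueError("SPIFFE ID exceeds 2048 bytes")
    if not raw.startswith("spiffe://"):
        raise ValueError("scheme must be 'spiffe'")
    rest = raw[len("spiffe://"):]
    if "?" in rest or "#" in rest:
        raise ValueError("query and fragment components are not allowed")
    trust_domain, sep, path = rest.partition("/")
    if not trust_domain or not _TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError(f"invalid trust domain: {trust_domain!r}")
    if sep == "":
        # No path at all: the ID names the trust domain itself.
        return SpiffeId(trust_domain, "")
    if path == "":
        raise ValueError("trailing slash is not allowed")
    for segment in path.split("/"):
        if segment in ("", ".", ".."):
            raise ValueError(f"invalid path segment: {segment!r}")
        if not _SEGMENT_RE.match(segment):
            raise ValueError(f"invalid characters in path segment: {segment!r}")
    return SpiffeId(trust_domain, "/" + path)


def is_valid_spiffe_id(raw: str) -> bool:
    """Boolean wrapper around parse_spiffe_id for callers that only need yes/no."""
    try:
        parse_spiffe_id(raw)
        return True
    except ValueError:
        return False


def authorize_peer(local: SpiffeId, peer_raw: str, allowed_paths: Collection[str]) -> bool:
    """Decide whether a peer presenting `peer_raw` may talk to `local`.

    Policy (constructed for this example): the peer must present a well-formed
    workload ID in the same trust domain as `local`, and its path must be on
    the allow-list. Any parse failure is treated as a denial.
    """
    try:
        peer = parse_spiffe_id(peer_raw)
    except ValueError:
        return False
    if peer.trust_domain != local.trust_domain:
        return False
    return peer.path in allowed_paths


if __name__ == "__main__":
    # Constructed sample identities: an API workload and the peers that contact it.
    local_id = parse_spiffe_id("spiffe://example.org/ns/default/sa/api")
    allow = {"/ns/default/sa/web"}
    for candidate in (
        "spiffe://example.org/ns/default/sa/web",   # allowed
        "spiffe://other.org/ns/default/sa/web",     # wrong trust domain
        "spiffe://example.org/ns/default/sa/db",    # not on the allow-list
        "spiffe://example.org/ns/../sa/web",        # malformed path
    ):
        print(f"{candidate:45} -> {'allow' if authorize_peer(local_id, candidate, allow) else 'deny'}")
```

In a real deployment the peer's identity would come from the URI SAN of a certificate issued by the SPIRE server and delivered through the agent, not from a plain string; the point here is that the consuming service still has to parse and validate the identifier and apply its own policy before trusting it.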
James said that identity is extremely important to scalable environments, where systems are changing constantly according to demands. “You’ve got technologies like Kubernetes that allow for you to spin up arbitrary numbers of a server and spin them back down just as easily. These things are ephemeral. They exist for some period of time, they have to interact with other pieces of software, and it becomes really hard for an organization at a certain size to enable these different pieces of software to authenticate to each other. How does one piece of software know that another piece of software it’s interacting with is in fact who it says it is?” asked James.
“That’s the fundamental question that SPIFFE tries to address, is to provide a mechanism to not only assert that identity but to allow for an encrypted communication between those two thereafter,” said James.
James said that identity has been a topic of discussion in systems development for years. He said many of the principles at work in SPIFFE aren’t new ideas, but are newly applied to modern environments.
“The thing that gives me comfort when we started Scytale, and before we started Scytale, working on the SPIFFE project was that the ideas of identity; technologists and computer scientists for generations have recognized that identity is a pretty critical component of enabling and securing communications, either through human beings, which is where most of the identity management technology has seemed to focus on, or in the case of SPIFFE and other systems before ours, around systems and services, if you will,” said James.
In this Edition:
0:23: What is SPIFFE?
3:17: The SPIFFE architecture
5:23: Comparing and contrasting SPIFFE to the SOA registry mode
8:53: Identity management, authorisation, and identity platforms
12:47: What’s it been like to work with the CNCF?
15:09: What are you working on next in SPIFFE?
The Cloud Native Computing Foundation is a sponsor of The New Stack.
Feature image via Pixabay.