
The Rise of Workload Identity in Cloud Native with SPIFFE/SPIRE

22 Sep 2021 8:00am, by Brandon Lum and Evan Gilman

In today’s world of cloud computing, workloads and compute architectures come in all shapes and sizes. Architectures now span multiple platforms and regions, and often multiple cloud providers. It doesn’t end there: in use cases such as 5G and edge computing, a myriad of devices, from a Raspberry Pi to an HPC node, can appear on the same architecture diagram.

In this article, we will talk about how workload identity plays a critical and foundational role in cloud native architecture. We will talk about the fast-growing Cloud Native Computing Foundation (CNCF) identity technologies SPIFFE and SPIRE, and what’s in store for the future of workload identity.

The Importance of Workload Identity

Brandon Lum
Brandon loves designing and implementing computer systems, with a focus on security, operating systems, and distributed/parallel systems. At IBM Research, Brandon designs, architects and develops for problems at the intersection of cloud and security. He works on various security areas such as container content protection via encryption and image signing, identity and techniques to reduce the attack surface on the kernel.

As our workload portfolio grows in complexity, it is important to ensure that each workload or service can securely access only the services and resources it needs. Capabilities such as access control and RPC authorization, mutually authenticated Transport Layer Security (mTLS) and secrets distribution come to mind. We get these features from a variety of technologies, like service meshes (Istio, Linkerd) and traffic security proxies (Envoy, Ghostunnel). However, all of these technologies rely on one fundamental infrastructure property to deliver on their guarantees: strong cryptographic workload identity.

Prior to cloud native, workloads were fairly long-lived and could be counted on two hands or tracked in a manageably sized spreadsheet. It was therefore feasible to adopt a relatively manual strategy in which an operator assigned workload identities and delivered to each workload the credentials that prove its identity.

In the cloud native space, however, workloads are ephemeral and workload definitions change rapidly through practices like CI/CD and GitOps, so a new approach to providing identities is called for. That means provisioning and delivering identities at scale and, just as importantly, ensuring that each identity is delivered only to the workload it was meant for.

Enter: SPIFFE/SPIRE

Evan Gilman
Evan is an engineer with a background in computer networks. With roots in academia and currently working on the SPIFFE project, he has been building and operating systems in hostile environments his entire professional career. An open source contributor, speaker and author, Evan is passionate about designing systems that strike a balance with the networks they run on.

SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running.

SPIRE, the SPIFFE Runtime Environment, is an extensible system that implements the principles embodied in the SPIFFE standards. SPIRE manages platform and workload attestation, provides an API for controlling attestation policies and coordinates certificate issuance and rotation.

Together with the other projects under the SPIFFE organization, SPIFFE and SPIRE form a suite of projects that provide a cloud native workload identity framework for modern architectures. For more technical specifics on SPIFFE and SPIRE, and for the concepts behind establishing workload identity on a zero trust basis, check out the book, “Solving the Bottom Turtle: a SPIFFE Way to Establish Trust in Your Infrastructure with Universal Identity.”
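To make the identity concrete: a SPIFFE ID is a URI of the form spiffe://trust-domain/path, and an X509-SVID is a short-lived X.509 certificate that carries exactly that ID as a URI SAN and chains to the trust domain’s CA. The Go program below is an added example written for this article, not code from the SPIFFE or SPIRE projects. It stands up a test-only CA for one trust domain, issues an SVID, and then performs the check a service makes on a peer after an mTLS handshake: verify the chain against the trust bundle, reject CA certificates, require exactly one spiffe:// URI SAN, confirm the trust domain, and make an allow-list authorization decision on the resulting SPIFFE ID. The trust domain example.org, the path /ns/prod/sa/payments and the one-hour TTL are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// randomSerial returns a random 127-bit certificate serial number.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
}

// NewTrustDomainCA creates a self-signed CA for one SPIFFE trust domain.
// Constructed locally so the example runs offline; in a real deployment the
// SPIRE server holds this signing key and the agent delivers its bundle.
func NewTrustDomainCA(trustDomain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "trust-domain-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		URIs:                  []*url.URL{{Scheme: "spiffe", Host: trustDomain}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueSVID mints a short-lived X509-SVID for spiffeID signed by the trust-domain CA.
// The leaf carries the SPIFFE ID as its only URI SAN and is not itself a CA.
func IssueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string, ttl time.Duration) ([]byte, *ecdsa.PrivateKey, error) {
	id, err := url.Parse(spiffeID)
	if err != nil || id.Scheme != "spiffe" || id.Host == "" {
		return nil, nil, fmt.Errorf("not a SPIFFE ID: %q", spiffeID)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl), // short TTL: rotation replaces it, not revocation
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return der, key, err
}

// VerifySVID is the peer check a service performs after the mTLS handshake.
// It returns the peer's SPIFFE ID only if the SVID chains to the trust bundle
// at time now, is not a CA, carries exactly one spiffe:// URI SAN, and that
// SAN belongs to the expected trust domain.
func VerifySVID(svidDER []byte, bundle *x509.CertPool, trustDomain string, now time.Time) (string, error) {
	leaf, err := x509.ParseCertificate(svidDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{
		Roots:       bundle,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("SVID does not chain to trust bundle: %w", err)
	}
	if leaf.IsCA {
		return "", errors.New("X509-SVID must not be a CA certificate")
	}
	var ids []*url.URL
	for _, u := range leaf.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u)
		}
	}
	if len(ids) != 1 {
		return "", errors.New("X509-SVID must carry exactly one spiffe:// URI SAN")
	}
	if ids[0].Host != trustDomain {
		return "", fmt.Errorf("SPIFFE ID %s is outside trust domain %s", ids[0], trustDomain)
	}
	return ids[0].String(), nil
}

// Authorize is the policy decision taken on the verified identity: an allow-list keyed by SPIFFE ID.
func Authorize(peerID string, allowed map[string]bool) bool {
	return allowed[peerID]
}

func main() {
	ca, caKey, err := NewTrustDomainCA("example.org")
	if err != nil {
		panic(err)
	}
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	svid, _, err := IssueSVID(ca, caKey, "spiffe://example.org/ns/prod/sa/payments", time.Hour)
	if err != nil {
		panic(err)
	}
	id, err := VerifySVID(svid, bundle, "example.org", time.Now())
	fmt.Println("peer identity:", id, "err:", err)
	fmt.Println("authorized:", Authorize(id, map[string]bool{"spiffe://example.org/ns/prod/sa/payments": true}))
	_, err = VerifySVID(svid, bundle, "example.org", time.Now().Add(2*time.Hour))
	fmt.Println("stale SVID rejected after its TTL:", err != nil)
}
```

In production the SVID and the trust bundle come from the SPIRE agent’s Workload API rather than a local CA, and the issuance and rotation that IssueSVID stands in for are what SPIRE automates. The verification step is the part that every consumer of workload identity, whether a service mesh sidecar, a proxy or application code, has to get right: trust the bundle, not the certificate’s own claims, and make the authorization decision on the SPIFFE ID, not on a hostname or IP address.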

SPIFFE/SPIRE users include Bloomberg, Uber, GitHub and ByteDance (developer of TikTok), and companies like Google, HPE, VMware, IBM, Intel and Hashicorp use it to build higher-layer products and services.

The Rising Importance of Workload Identity

As organizations mature their cloud native deployments and suites of microservices, the need for workload identity technologies like SPIFFE/SPIRE becomes more prominent. Let us use some recent data to validate that. We’ll look at highlights from the upcoming KubeCon + CloudNativeCon North America and at data collected by the CNCF.

SPIFFE @ Kubecon + CloudNativeCon 2021

Indications of SPIFFE and SPIRE’s importance can be seen in this year’s KubeCon + CloudNativeCon North America. Talks about SPIFFE and SPIRE make up about 20% of the entire “Security + Identity + Policy” track, with three talks from a variety of organizations.

On top of these talks and two maintainer track talks, there is a full-day co-located event, Production Identity Day, alongside the conference, providing a full day of talks about SPIFFE and SPIRE.

SPIFFE Media and Velocity Report

In addition to the events and talks around SPIFFE and SPIRE at this KubeCon, there has also been increased interest in the community projects. Here are several highlights from the Q2 2021 SPIRE media and velocity report:

  • Total media mentions of SPIRE reached 271 in Q2, an increase from 127 in Q1.
  • Top publications and websites covering SPIRE in Q2 included: Help Net Security, SDxCentral.
  • Media stories mentioning SPIRE were shared 357 times across social media channels in Q2, up from 97 in Q1.
  • From a Twitter perspective, the term SPIRE was mentioned in 191 tweets, up from 69 in Q1.
  • SPIRE reached 13 contributing companies and 42 developers by the end of Q2, up from 12 contributing companies and 33 developers by the end of Q1.

Recent Highlights in SPIFFE/SPIRE

With more and more interest and contributors, the SPIFFE and SPIRE projects are picking up pace, leading to the SPIRE v1.0 release in July of this year, a huge milestone for the SPIRE project. Since June of last year, SPIFFE and SPIRE have been CNCF incubating projects, just one step away from CNCF graduation.

In addition to that, we saw the donation of project Tornjak from IBM to the SPIFFE family, a project that provides a management UI for global visibility and auditability of SPIRE workloads.

The CNCF Security TAG (Technical Advisory Group) is also working on a Secure Software Factory reference architecture for supply chain security that features SPIRE, using it to attest nodes and workloads and to provide identity to the components of the software factory.

Conclusion

From the strong presence of SPIFFE in KubeCon + CloudNativeCon sessions and the number of adopters of SPIFFE/SPIRE, to the doubling and tripling of CNCF velocity metrics within a single quarter, there is no doubt about the growing need for workload identity and the importance of the SPIFFE/SPIRE projects. Come join the ever-growing SPIFFE community and dive deeper with the book.
