Introducing SPIFFE: An Open Standard for Identity in Cloud Native Environments

Evan Gilman
December 06, 2017

Modern infrastructure patterns like microservices, container orchestration, and hybrid/multi-cloud deployments have turned conventional models for datacenter authentication and security on their heads. In the face of highly dynamic compute and network resources, a new challenge has arisen: how do we authenticate and secure service-to-service traffic in this brave new world? Enter the problem known as service identity.

Getting service identity right is surprisingly hard, with requirements extending well beyond simple secret management. What kind of credentials to settle on, how to rotate them, how to automatically (and securely) bootstrap them... and, even more importantly, how to make sure a wide variety of external systems can authenticate them appropriately? These questions represent only a subset of the points that must be solved.

In this talk, we introduce both SPIFFE and SPIRE, a new open source project designed to solve exactly these problems. SPIRE, backed by the SPIFFE open standard, performs seamless node and workload attestation across various platforms and automatically issues short-lived certificates based on those attestations in a controlled manner. Even better, these certificates work across organizational boundaries and heterogeneous environments thanks to SPIFFE, which introduces a standardized identity format and validation methodology for X.509 certificates.
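As an added example (not code from the talk or from the SPIRE project), the X.509 validation methodology mentioned above in Go: a relying party accepts an X509-SVID only if it chains to the trust bundle, is not a CA, carries exactly one URI SAN, and that URI is a spiffe:// ID whose authority is the expected trust domain. The `issue` fixture, the example.org CA and the single shared key are constructed for this demo and stand in for what spire-server would mint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// ValidateX509SVID applies the SPIFFE X509-SVID rules: the leaf must chain to the
// trust bundle, must not be a CA, and must carry exactly one spiffe:// URI SAN in trustDomain.
func ValidateX509SVID(leaf *x509.Certificate, bundle *x509.CertPool, trustDomain string) (string, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	if leaf.IsCA || len(leaf.URIs) != 1 {
		return "", fmt.Errorf("SVID must be a non-CA leaf with exactly one URI SAN (CA=%v, URIs=%d)", leaf.IsCA, len(leaf.URIs))
	}
	id := leaf.URIs[0] // the SPIFFE ID is the URI SAN, never the Subject
	if id.Scheme != "spiffe" || id.Host != trustDomain || id.User != nil || id.Port() != "" {
		return "", fmt.Errorf("%q is not a SPIFFE ID in trust domain %s", id, trustDomain)
	}
	return id.String(), nil
}

// issue is a constructed fixture (not SPIRE output): a self-signed trust-domain CA and a short-lived leaf it signs.
func issue(uris []*url.URL) (*x509.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key reused for both certs only to keep the fixture short
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example.org CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), URIs: uris, BasicConstraintsValid: true, // one-hour lifetime, as SPIRE issues them
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(leafDER)
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	return leaf, bundle
}

func main() {
	leaf, bundle := issue([]*url.URL{{Scheme: "spiffe", Host: "example.org", Path: "/ops/wiki"}})
	fmt.Println(ValidateX509SVID(leaf, bundle, "example.org")) // spiffe://example.org/ops/wiki <nil>
	fmt.Println(ValidateX509SVID(leaf, bundle, "other.org"))   // rejected: wrong trust domain
}
```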


Transcript

  1. @evan2645 Introducing SPIFFE Evan Gilman

  2. @evan2645 About Me

  3. @evan2645 Agenda •Cloud Native Network Security •SPIFFE •SPIRE Overview •SPIRE Walkthrough •Live Demo

  4. @evan2645 Not Your Parent’s Network Security

  5. @evan2645 Not Your Parent’s Network Security

  6. @evan2645 Software is Eating the World

  7. @evan2645 Host Provider Process Process Process Process Security Group: sg-edcd9784 IP(s): 192.168.0.1/24

  8. @evan2645 Host Provider Process Process Process Process Security Group: sg-edcd9784 IP(s): 192.168.0.1/24

  9. @evan2645 Host Provider Process Process Process Process Security Group: sg-edcd9784 IP(s): 192.168.0.1/24

  10. @evan2645 Host Provider Process Process Process Process Security Group: sg-edcd9784 IP(s): 192.168.0.1/24

  11. @evan2645 Host Provider Process Process Process Process Security Group: sg-edcd9784 IP(s): 192.168.0.1/24

  12. @evan2645 Host Provider Process Process Process Process Host Provider Process Process Process Process

  13. @evan2645 Host Provider Process Process Process Process Host Provider Process Process Process Process

  14. @evan2645 Host Provider Process Process Process Process Host Provider Process Process Process Process

  15. @evan2645 Host Provider Process Process Process Process Security Group: sg-edcd9784 IP(s): 192.168.0.1/24

  16. @evan2645 Host Provider Process Process Process Process Security Group: sg-edcd9784 IP(s): 192.168.0.1/24 ???

  17. @evan2645 Workload Identity

  18. @evan2645 Identity Domains Mesos Dell HP Identity Domain Hyper-V Kubernetes KVM

  19. @evan2645 Identity Domains Mesos Dell HP Identity Domain Hyper-V Kubernetes KVM

  20. @evan2645 Identity Domains Mesos Dell HP Identity Domain Hyper-V Kubernetes KVM

  21. @evan2645 Universal Workload Identity

  22. @evan2645 SPIFFE

  23. @evan2645 SPIFFE

  24. @evan2645 SPIFFE

  25. @evan2645 SPIFFE ID spiffe://example.org/foo

  26. @evan2645 SPIFFE ID spiffe://example.org/foo

  27. @evan2645 SPIFFE Verifiable Identity Document spiffe://example.org/foo

  28. @evan2645 SPIFFE Verifiable Identity Document spiffe://example.org/foo

  29. @evan2645 SPIFFE Verifiable Identity Document spiffe://example.org/foo

  30. @evan2645 SPIFFE Verifiable Identity Document spiffe://example.org/foo

  31. @evan2645 SPIFFE Verifiable Identity Document spiffe://example.org/foo

  32. @evan2645 SPIFFE Verifiable Identity Document spiffe://example.org/foo

  33. @evan2645 SPIFFE Workload API Workload API Workload Workload Workload Server

  34. @evan2645 SPIFFE Workload API Workload API Workload Workload Workload Server

  35. @evan2645 SPIFFE Workload API Workload API Workload Workload Workload Server

  36. @evan2645 How Do I SPIFFE?

  37. @evan2645 SPIRE

  38. @evan2645 SPIRE

  39. @evan2645 SPIRE

  40. @evan2645 •Identity Mapping •Node Attestation •SVID Issuance spire-server •Workload Attestation •Workload API spire-agent

  41. @evan2645 SPIRE Walkthrough CA spire-server

  42. @evan2645 SPIRE Walkthrough Existing PKI (optional) Upstream CA CA spire-server

  43. @evan2645 SPIRE Walkthrough Existing PKI (optional) Upstream CA CA Registration API spire-server

  44. @evan2645 SPIRE Walkthrough Parent ID: spiffe://example.org/k8s/cluster/foo Selector: k8s:ns:operations Selector: k8s:sa:mediawiki Selector: docker:image-id: 746b819f315e SPIFFE ID: spiffe://example.org/ops/wiki

  45. @evan2645 SPIRE Walkthrough spire-server Node Attestor AWS

  46. @evan2645 SPIRE Walkthrough spire-agent Node Attestor spire-server Node Attestor AWS

  47. @evan2645 SPIRE Walkthrough spire-agent Node Attestor spire-server Node Attestor AWS

  48. @evan2645 SPIRE Walkthrough spire-agent Node Attestor spire-server Node Attestor AWS

  49. @evan2645 SPIRE Walkthrough spire-agent Node Attestor spire-server Node Attestor AWS

  50. @evan2645 SPIRE Walkthrough spire-agent Node Attestor spire-server Node Attestor AWS

  51. @evan2645 SPIRE Walkthrough spire-agent Node Attestor spire-server Node Attestor AWS

  52. @evan2645 SPIRE Walkthrough Linux Kernel spire-agent API Socket Server

  53. @evan2645 SPIRE Walkthrough Linux Kernel spire-agent API Socket Server

  54. @evan2645 SPIRE Walkthrough Linux Kernel spire-agent Workload API Socket Server

  55. @evan2645 SPIRE Walkthrough Linux Kernel spire-agent Workload API Socket Server

  56. @evan2645 SPIRE Walkthrough Linux Kernel spire-agent Workload API Socket Server

  57. @evan2645 SPIRE Walkthrough Linux Kernel spire-agent Workload API Socket Server

  58. @evan2645 SPIRE Walkthrough Linux Kernel spire-agent Workload kubelet API Socket Server

  59. @evan2645 SPIRE Walkthrough Linux Kernel spire-agent Workload kubelet API Socket Server

  60. @evan2645 SPIRE Secure Introduction

  61. @evan2645 SPIRE Secure Introduction

  62. @evan2645 SPIRE Secure Introduction

  63. @evan2645 Demo Time!

  64. @evan2645 In Summary

  65. @evan2645 Looking Forward

  66. @evan2645 Looking Forward

  67. @evan2645 Play Today spiffe/spiffe spiffe/spire spiffe/spiffe-example slack.spiffe.io

  68. @evan2645 Drink Today https://goo.gl/forms/SH16VG0iJYrkbfsJ2

  69. @evan2645 Introducing SPIFFE Evan Gilman