Building Trust Between Modern Distributed Systems with SPIFFE
Andrew Jessup, Scytale Inc.
Diagram: Source Workload → Destination Workload
“Do I believe this workload is who they say they are?”
“Do I believe they really sent that message?”
Diagram of an example system: Mobile API, Web Front End, POS API, Tickets, Subscriptions, Billing, Members DB
Model 1: Destination workload authentication
Diagram: Web Front End (source workload) → Subscriptions (destination workload); Accounts
1. Retrieve username and password from configuration
2. Supply username and password* with authentication handshake
3. Verify username and password
4. Acknowledge
* Or key/secret, signed nonce etc.
Model 2: Platform mediated identity
Diagram: Web Front End (source workload) → Subscriptions (destination workload); each side talks to a Privileged API of the Platform (eg. AWS, or Kubernetes)
1. Retrieve proof-of-identity from the platform
2. Send proof of identity with authentication handshake
3. Verify source workload identity
4. Acknowledge
Eg. AWS IAM, Kubernetes Service Accounts
How the models compare:

                                                      | Destination workload | Platform mediated | SPIFFE
                                                      | authentication       | identity          |
API-driven credential rotation and distribution       | No                   | Yes               | Yes
One identity per workload                             | No                   | Yes               | Yes
No credentials need to be deployed with the workload  | No                   | Yes               | Yes
Supports trust across different platforms             | Yes                  | No                | Yes
Secure Production Identity Framework For Everyone
Diagram: Web Front End on Platform A → Subscriptions on Platform B; each workload talks to the Workload API on its own platform
1. Retrieve SPIFFE ID and SVIDs from the workload API
2. Send proof of identity with authentication handshake
3. Verify source workload identity
4. Acknowledge
Dave Presotto (2004), Russ Cox (2008), Eric Grosse (2007), Rob Pike (2002), Sean Quinlan (2002)
The SPIFFE project
A set of specifications that cover how a workload should retrieve and use its identity:
● SPIFFE ID
● SPIFFE Verifiable Identity Documents (SVIDs)
● The SPIFFE Workload API
github.com/spiffe/spiffe

The SPIFFE Runtime Environment (SPIRE). Open-source software that implements the SPIFFE Workload API for a variety of platforms. Apache 2.0 license. Independent governance. Highly extensible through plug-ins.
github.com/spiffe/spire
SPIFFE ID
spiffe://acme.com/billing/payments
  Trust Domain: acme.com
  Workload Identifier: /billing/payments
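Parsing and validating the SPIFFE ID layout shown above, as an added Go example; this is not code from the SPIFFE project or go-spiffe (which ships its own parser). The type and function names are this example's, and the rejection rules beyond what the slide shows (no userinfo, port, query or fragment; no empty, "." or ".." path segments; lowercase trust domain) are this example's reading of the SPIFFE ID format.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SPIFFEID is the parsed form of spiffe://<trust domain><workload identifier>.
// Example-only type, not go-spiffe's.
type SPIFFEID struct {
	TrustDomain string // e.g. "acme.com"
	Path        string // e.g. "/billing/payments"; empty when the ID names the trust domain itself
}

// ParseSPIFFEID validates a SPIFFE ID string and splits it into trust domain
// and workload identifier. Anything that is not a bare spiffe://host/path is
// rejected: other schemes, userinfo, ports, query strings, fragments, an empty
// or mixed-case trust domain, and empty, "." or ".." path segments.
func ParseSPIFFEID(raw string) (SPIFFEID, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return SPIFFEID{}, err
	}
	if u.Scheme != "spiffe" {
		return SPIFFEID{}, fmt.Errorf("scheme %q is not spiffe", u.Scheme)
	}
	if u.Opaque != "" || u.User != nil || u.Port() != "" || u.RawQuery != "" || u.Fragment != "" {
		return SPIFFEID{}, errors.New("SPIFFE IDs carry no userinfo, port, query or fragment")
	}
	td := u.Hostname()
	if td == "" {
		return SPIFFEID{}, errors.New("empty trust domain")
	}
	if td != strings.ToLower(td) {
		return SPIFFEID{}, fmt.Errorf("trust domain %q must be lowercase", td)
	}
	path := u.Path
	if path == "/" {
		path = "" // a lone trailing slash still names the trust domain itself
	}
	if path != "" {
		for _, seg := range strings.Split(strings.TrimPrefix(path, "/"), "/") {
			if seg == "" || seg == "." || seg == ".." {
				return SPIFFEID{}, fmt.Errorf("invalid path segment %q", seg)
			}
		}
	}
	return SPIFFEID{TrustDomain: td, Path: path}, nil
}

// String re-assembles the canonical form.
func (id SPIFFEID) String() string { return "spiffe://" + id.TrustDomain + id.Path }

// MemberOf reports whether the ID belongs to the given trust domain; that is
// the first thing a destination workload checks before any path-based policy.
func (id SPIFFEID) MemberOf(trustDomain string) bool {
	return id.TrustDomain == strings.ToLower(trustDomain)
}

func main() {
	for _, raw := range []string{
		"spiffe://acme.com/billing/payments",      // the slide's example
		"spiffe://acme.com",                       // the trust domain itself
		"spiffe://acme.com:8443/billing",          // port: rejected
		"spiffe://acme.com/billing/../payments",   // dot segment: rejected
		"https://acme.com/billing/payments",       // wrong scheme: rejected
	} {
		id, err := ParseSPIFFEID(raw)
		if err != nil {
			fmt.Printf("%-42s rejected: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-42s trust domain=%s path=%q member of acme.com=%v\n",
			raw, id.TrustDomain, id.Path, id.MemberOf("acme.com"))
	}
}
```

The strictness matters on the receiving side: a verifier that tolerates dot segments or case differences can be talked into treating two spellings of one ID as different identities, or two identities as one, when it later compares the ID against policy.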
SPIFFE Verifiable Identity Document
Carries the SPIFFE ID, e.g. spiffe://acme.com/billing/payments
Today only one form of SVID (X509-SVID). Other document types under consideration (including JWT-SVID).
Typically short-lived.
SPIFFE Workload API
Diagram: each Workload calls whoami() on the Workload API, which is backed by a Server
SPIFFE Integrations so far
● A Go client library for parsing SVIDs (github.com/spiffe/go-spiffe)
● Using SVIDs to authenticate Ghost-tunnel proxies: https://blog.scytale.io/securing-the-service-mesh-with-spire-0-3-38775f767653
● Using SVIDs to authenticate Envoy proxies: https://blog.scytale.io/securing-the-service-mesh-with-spire-0-3-38775f767653
In development:
● A C client library for parsing SVIDs (github.com/spiffe/c-spiffe)
● Using SVIDs to authenticate gRPC clients (with Google)
● Using SVIDs as an authentication backend to Vault (with QAware, HashiCorp and Red Hat)
● Using SVIDs to authenticate to nginx (Scytale)
SPIFFE Runtime Environment
SPIRE Server: a SPIFFE ID and the selectors it must match
  spiffe://acme.com/billing/payments
  selector: aws:sg:sg-edcd9784
  selector: unix:uid:1001
Node attestation
Diagram: an EC2 Instance running a Workload and the SPIRE Agent (which exposes the Workload API); the SPIRE Server; the AWS Instance Metadata API
1. Node agent authenticates to the SPIRE Server, passes AWS Instance Identity Document
2. List of valid SPIFFE IDs for the node, and selectors, returned
Workload attestation
3. Workload requests identity (whoami())
4. Node agent performs an out-of-band check of the workload process metadata, compares to known selectors
SVID Bundle Issuance
5. If match found, NA generates a key for the workload
6. NA sends certificate signing request based on that key to SPIRE Server
6. SPIRE server issues SVID (as well as certificates for any other workload the instance should support)
7. Certificate bundle returned to the workload
SPIFFE Runtime Environment
SPIRE Server: a SPIFFE ID and the selectors it must match
  spiffe://acme.com/billing/payments
  selector: aws:sg:sg-edcd9784
  selector: k8s:ns:payments
  selector: k8s:sa:pay-svc
  selector: docker:image-id:442ca9
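How the selector comparison in the attestation steps (step 4: compare discovered process metadata to known selectors) fits together with entries like the one on this slide, as an added Go example rather than SPIRE's own code. It assumes SPIRE's matching rule as this example understands it (an entry matches only when every one of its selectors is among those the attestors discovered; extra discovered selectors are fine) and ties each entry to a node through a ParentID, which stands in for the slide's node-level aws:sg selector. The type and field names, the node IDs and the second and third entries are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Selector is one attestor-produced fact about a workload, written type:value
// as on the slide (unix:uid:1001, k8s:ns:payments). Example-only type.
type Selector struct {
	Type  string
	Value string
}

// ParseSelector splits at the first colon only, so values may themselves
// contain colons (docker:image-id:442ca9 -> type "docker", value "image-id:442ca9").
func ParseSelector(s string) (Selector, error) {
	i := strings.IndexByte(s, ':')
	if i <= 0 || i == len(s)-1 {
		return Selector{}, fmt.Errorf("selector %q is not type:value", s)
	}
	return Selector{Type: s[:i], Value: s[i+1:]}, nil
}

// RegistrationEntry is the server-side record from the slide: a SPIFFE ID, the
// node (parent) it may be issued on, and the selectors a process must match.
// Field names are this example's, not SPIRE's.
type RegistrationEntry struct {
	SPIFFEID  string
	ParentID  string
	Selectors []Selector
}

// MatchEntries returns the SPIFFE IDs whose entries are registered for this
// node and whose selectors are all present in the discovered set, sorted.
// A missing selector disqualifies the entry; surplus discovered ones do not.
func MatchEntries(entries []RegistrationEntry, nodeID string, discovered []Selector) []string {
	have := make(map[Selector]bool, len(discovered))
	for _, s := range discovered {
		have[s] = true
	}
	var ids []string
	for _, e := range entries {
		if e.ParentID != nodeID || len(e.Selectors) == 0 {
			continue // wrong node, or an entry that would match any process at all
		}
		ok := true
		for _, s := range e.Selectors {
			if !have[s] {
				ok = false
				break
			}
		}
		if ok {
			ids = append(ids, e.SPIFFEID)
		}
	}
	sort.Strings(ids)
	return ids
}

// mustSelectors parses literal selectors for the constructed data below.
func mustSelectors(raw ...string) []Selector {
	out := make([]Selector, 0, len(raw))
	for _, r := range raw {
		s, err := ParseSelector(r)
		if err != nil {
			panic(err)
		}
		out = append(out, s)
	}
	return out
}

// Constructed registry: the node IDs, the ledger entry and the frontend entry are made up.
var nodeID = "spiffe://acme.com/spire/agent/aws/i-0example"

var registry = []RegistrationEntry{
	{SPIFFEID: "spiffe://acme.com/billing/payments", ParentID: nodeID, Selectors: mustSelectors("unix:uid:1001", "docker:image-id:442ca9")},
	{SPIFFEID: "spiffe://acme.com/billing/ledger", ParentID: nodeID, Selectors: mustSelectors("unix:uid:1002")},
	{SPIFFEID: "spiffe://acme.com/web/frontend", ParentID: "spiffe://acme.com/spire/agent/aws/i-0other", Selectors: mustSelectors("unix:uid:1001")},
}

func main() {
	// Process attested as uid 1001 running the expected image: matches payments.
	fmt.Println(MatchEntries(registry, nodeID, mustSelectors("unix:uid:1001", "unix:gid:1001", "docker:image-id:442ca9")))
	// Same uid but no image-id selector: matches nothing, since all selectors are required.
	fmt.Println(MatchEntries(registry, nodeID, mustSelectors("unix:uid:1001")))
}
```

The "all selectors required" rule is what lets an operator tighten an entry by adding selectors: uid alone is easy to share between processes on a host, uid plus image ID much less so, and an entry with no selectors is refused outright rather than issued to whatever asks.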
SPIRE (diagram labels)
● Core: Workload API (gRPC)
● Workload Attestor Plug-ins and Node Attestor Plug-ins; platforms shown: Linux, Windows, OS X, Kubernetes, Mesosphere, AWS, GCP, Azure, Join Token, Kerberos, YubiKey, HSM providers
● Uses: Secure Introduction to other services (mTLS, JWTs); Identity for proxy services; Simplify deployment of distributed systems
● Layers: Core / Workload / Platform
What SPIFFE is not
● Authorization (however it provides identities upon which authorization schemes can be deployed)
● Transport level security (however SVIDs can be used to facilitate things like TLS or JWT signing)
Things we didn’t talk about
● Integration into custom datastores and PKI
● Design patterns (secure introduction to secrets stores, service mesh, etc.)
● Identity translation
● Federation
Where to go next
● GitHub!
  ○ github.com/spiffe/spiffe
  ○ github.com/spiffe/spire
  ○ github.com/spiffe-example
  Pointers to SIGs, Slack, mailing lists and more
● Evan Gilman’s KubeCon 2017 talk on SPIFFE (YouTube)
● Medium - https://blog.scytale.com/
● Join our next community day (March 9, daytime PST) or meet us at KubeCon EU 2018 in Copenhagen
Thank You! Andrew Jessup
Twitter: @whenfalse

More Related Content

What's hot

Evolution of the REST API
Evolution of the REST APIEvolution of the REST API
Evolution of the REST APIJeremyOtt5
 
(DVO305) Turbocharge YContinuous Deployment Pipeline with Containers
(DVO305) Turbocharge YContinuous Deployment Pipeline with Containers(DVO305) Turbocharge YContinuous Deployment Pipeline with Containers
(DVO305) Turbocharge YContinuous Deployment Pipeline with ContainersAmazon Web Services
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIsAmazon Web Services
 
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...Amazon Web Services
 
(CMP406) Amazon ECS at Coursera: A general-purpose microservice
(CMP406) Amazon ECS at Coursera: A general-purpose microservice(CMP406) Amazon ECS at Coursera: A general-purpose microservice
(CMP406) Amazon ECS at Coursera: A general-purpose microserviceAmazon Web Services
 
(DEV304) What’s New in the AWS SDK for .NET | AWS re:Invent 2014
(DEV304) What’s New in the AWS SDK for .NET | AWS re:Invent 2014(DEV304) What’s New in the AWS SDK for .NET | AWS re:Invent 2014
(DEV304) What’s New in the AWS SDK for .NET | AWS re:Invent 2014Amazon Web Services
 
Why your next serverless project should use AWS AppSync
Why your next serverless project should use AWS AppSyncWhy your next serverless project should use AWS AppSync
Why your next serverless project should use AWS AppSyncYan Cui
 
Introduction to building alexa skills and putting your amazon echo to work
Introduction to building alexa skills and putting your amazon echo to workIntroduction to building alexa skills and putting your amazon echo to work
Introduction to building alexa skills and putting your amazon echo to workAbe Diaz
 
Writing Alexa Voice Skills With NodeJS (with a little IoT)
Writing Alexa Voice Skills With NodeJS (with a little IoT)Writing Alexa Voice Skills With NodeJS (with a little IoT)
Writing Alexa Voice Skills With NodeJS (with a little IoT)David Janes
 
TurboCharge Your Continuous Delivery Pipeline with Containers - Pop-up Loft
TurboCharge Your Continuous Delivery Pipeline with Containers - Pop-up LoftTurboCharge Your Continuous Delivery Pipeline with Containers - Pop-up Loft
TurboCharge Your Continuous Delivery Pipeline with Containers - Pop-up LoftAmazon Web Services
 
Continuous Delivery to Amazon ECS
Continuous Delivery to Amazon ECSContinuous Delivery to Amazon ECS
Continuous Delivery to Amazon ECSAmazon Web Services
 
(DVO308) Docker & ECS in Production: How We Migrated Our Infrastructure from ...
(DVO308) Docker & ECS in Production: How We Migrated Our Infrastructure from ...(DVO308) Docker & ECS in Production: How We Migrated Our Infrastructure from ...
(DVO308) Docker & ECS in Production: How We Migrated Our Infrastructure from ...Amazon Web Services
 
AWS July Webinar Series - Overview Build and Manage your APs with amazon api ...
AWS July Webinar Series - Overview Build and Manage your APs with amazon api ...AWS July Webinar Series - Overview Build and Manage your APs with amazon api ...
AWS July Webinar Series - Overview Build and Manage your APs with amazon api ...Amazon Web Services
 
Automating Software Deployments with AWS CodeDeploy by Matthew Trescot, Manag...
Automating Software Deployments with AWS CodeDeploy by Matthew Trescot, Manag...Automating Software Deployments with AWS CodeDeploy by Matthew Trescot, Manag...
Automating Software Deployments with AWS CodeDeploy by Matthew Trescot, Manag...Amazon Web Services
 
Releasing Software Quickly and Reliably With AWS CodePipeline by Mark Mansour...
Releasing Software Quickly and Reliably With AWS CodePipeline by Mark Mansour...Releasing Software Quickly and Reliably With AWS CodePipeline by Mark Mansour...
Releasing Software Quickly and Reliably With AWS CodePipeline by Mark Mansour...Amazon Web Services
 
Getting Started with Docker on AWS
Getting Started with Docker on AWSGetting Started with Docker on AWS
Getting Started with Docker on AWSAmazon Web Services
 
From AUI to Atlaskit - Streamlining Development for Server & Cloud Apps
From AUI to Atlaskit - Streamlining Development for Server & Cloud AppsFrom AUI to Atlaskit - Streamlining Development for Server & Cloud Apps
From AUI to Atlaskit - Streamlining Development for Server & Cloud AppsAtlassian
 
Scheduling Containers on Amazon ECS
Scheduling Containers on Amazon ECSScheduling Containers on Amazon ECS
Scheduling Containers on Amazon ECSAmazon Web Services
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesVladimir Budilov
 

What's hot (20)

Evolution of the REST API
Evolution of the REST APIEvolution of the REST API
Evolution of the REST API
 
(DVO305) Turbocharge YContinuous Deployment Pipeline with Containers
(DVO305) Turbocharge YContinuous Deployment Pipeline with Containers(DVO305) Turbocharge YContinuous Deployment Pipeline with Containers
(DVO305) Turbocharge YContinuous Deployment Pipeline with Containers
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
 
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...
(SEC304) Bring Your Own Identities – Federating Access to Your AWS Environmen...
 
(CMP406) Amazon ECS at Coursera: A general-purpose microservice
(CMP406) Amazon ECS at Coursera: A general-purpose microservice(CMP406) Amazon ECS at Coursera: A general-purpose microservice
(CMP406) Amazon ECS at Coursera: A general-purpose microservice
 
(DEV304) What’s New in the AWS SDK for .NET | AWS re:Invent 2014
(DEV304) What’s New in the AWS SDK for .NET | AWS re:Invent 2014(DEV304) What’s New in the AWS SDK for .NET | AWS re:Invent 2014
(DEV304) What’s New in the AWS SDK for .NET | AWS re:Invent 2014
 
Why your next serverless project should use AWS AppSync
Why your next serverless project should use AWS AppSyncWhy your next serverless project should use AWS AppSync
Why your next serverless project should use AWS AppSync
 
Introduction to building alexa skills and putting your amazon echo to work
Introduction to building alexa skills and putting your amazon echo to workIntroduction to building alexa skills and putting your amazon echo to work
Introduction to building alexa skills and putting your amazon echo to work
 
Writing Alexa Voice Skills With NodeJS (with a little IoT)
Writing Alexa Voice Skills With NodeJS (with a little IoT)Writing Alexa Voice Skills With NodeJS (with a little IoT)
Writing Alexa Voice Skills With NodeJS (with a little IoT)
 
TurboCharge Your Continuous Delivery Pipeline with Containers - Pop-up Loft
TurboCharge Your Continuous Delivery Pipeline with Containers - Pop-up LoftTurboCharge Your Continuous Delivery Pipeline with Containers - Pop-up Loft
TurboCharge Your Continuous Delivery Pipeline with Containers - Pop-up Loft
 
Amazon API Gateway
Amazon API GatewayAmazon API Gateway
Amazon API Gateway
 
Continuous Delivery to Amazon ECS
Continuous Delivery to Amazon ECSContinuous Delivery to Amazon ECS
Continuous Delivery to Amazon ECS
 
(DVO308) Docker & ECS in Production: How We Migrated Our Infrastructure from ...
(DVO308) Docker & ECS in Production: How We Migrated Our Infrastructure from ...(DVO308) Docker & ECS in Production: How We Migrated Our Infrastructure from ...
(DVO308) Docker & ECS in Production: How We Migrated Our Infrastructure from ...
 
AWS July Webinar Series - Overview Build and Manage your APs with amazon api ...
AWS July Webinar Series - Overview Build and Manage your APs with amazon api ...AWS July Webinar Series - Overview Build and Manage your APs with amazon api ...
AWS July Webinar Series - Overview Build and Manage your APs with amazon api ...
 
Automating Software Deployments with AWS CodeDeploy by Matthew Trescot, Manag...
Automating Software Deployments with AWS CodeDeploy by Matthew Trescot, Manag...Automating Software Deployments with AWS CodeDeploy by Matthew Trescot, Manag...
Automating Software Deployments with AWS CodeDeploy by Matthew Trescot, Manag...
 
Releasing Software Quickly and Reliably With AWS CodePipeline by Mark Mansour...
Releasing Software Quickly and Reliably With AWS CodePipeline by Mark Mansour...Releasing Software Quickly and Reliably With AWS CodePipeline by Mark Mansour...
Releasing Software Quickly and Reliably With AWS CodePipeline by Mark Mansour...
 
Getting Started with Docker on AWS
Getting Started with Docker on AWSGetting Started with Docker on AWS
Getting Started with Docker on AWS
 
From AUI to Atlaskit - Streamlining Development for Server & Cloud Apps
From AUI to Atlaskit - Streamlining Development for Server & Cloud AppsFrom AUI to Atlaskit - Streamlining Development for Server & Cloud Apps
From AUI to Atlaskit - Streamlining Development for Server & Cloud Apps
 
Scheduling Containers on Amazon ECS
Scheduling Containers on Amazon ECSScheduling Containers on Amazon ECS
Scheduling Containers on Amazon ECS
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
 

Similar to Building trust between modern distributed systems with spiffe

Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFEPrabath Siriwardena
 
SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura
SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo OmuraSPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura
SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo OmuraPreferred Networks
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS EnhancementGuo Albert
 
Building Scalable Services with Amazon API Gateway - Technical 201
Building Scalable Services with Amazon API Gateway - Technical 201Building Scalable Services with Amazon API Gateway - Technical 201
Building Scalable Services with Amazon API Gateway - Technical 201Amazon Web Services
 
How to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAMHow to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAMProvectus
 
Exposing Salesforce REST Services Using Swagger
Exposing Salesforce REST Services Using SwaggerExposing Salesforce REST Services Using Swagger
Exposing Salesforce REST Services Using SwaggerSalesforce Developers
 
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...Michael Collier
 
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL CertificatesHashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL CertificatesNick Maludy
 
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan VMware Tanzu
 
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...Amazon Web Services
 
SPUnite17 Who Are You and What Do You Want
SPUnite17 Who Are You and What Do You WantSPUnite17 Who Are You and What Do You Want
SPUnite17 Who Are You and What Do You WantNCCOMMS
 
SharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthSharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthKashif Imran
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Joris Poelmans
 
Leveraging the azure cloud for your mobile apps
Leveraging the azure cloud for your mobile appsLeveraging the azure cloud for your mobile apps
Leveraging the azure cloud for your mobile appsMarcel de Vries
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerNovell
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016Nov Matake
 
KazooCon 2014 - Introduction to Kazoo APIs!
KazooCon 2014 - Introduction to Kazoo APIs!KazooCon 2014 - Introduction to Kazoo APIs!
KazooCon 2014 - Introduction to Kazoo APIs!2600Hz
 
AWS Summit Barcelona 2015 - Introducing Amazon API Gateway
AWS Summit Barcelona 2015 - Introducing Amazon API GatewayAWS Summit Barcelona 2015 - Introducing Amazon API Gateway
AWS Summit Barcelona 2015 - Introducing Amazon API GatewayVadim Zendejas
 
Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomQConLondon2008
 

Similar to Building trust between modern distributed systems with spiffe (20)

Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
 
SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura
SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo OmuraSPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura
SPIFFE Meetup Tokyo #2 - Attestation Internals in SPIRE - Shingo Omura
 
CAS Enhancement
CAS EnhancementCAS Enhancement
CAS Enhancement
 
Building Scalable Services with Amazon API Gateway - Technical 201
Building Scalable Services with Amazon API Gateway - Technical 201Building Scalable Services with Amazon API Gateway - Technical 201
Building Scalable Services with Amazon API Gateway - Technical 201
 
How to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAMHow to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAM
 
Exposing Salesforce REST Services Using Swagger
Exposing Salesforce REST Services Using SwaggerExposing Salesforce REST Services Using Swagger
Exposing Salesforce REST Services Using Swagger
 
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
 
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL CertificatesHashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
 
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
Secure Credential Management with CredHub - DaShaun Carter & Sharath Sahadevan
 
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
Continuous Integration e Delivery per (r)innovare lo sviluppo software e la g...
 
Workshop: We love APIs
Workshop: We love APIsWorkshop: We love APIs
Workshop: We love APIs
 
SPUnite17 Who Are You and What Do You Want
SPUnite17 Who Are You and What Do You WantSPUnite17 Who Are You and What Do You Want
SPUnite17 Who Are You and What Do You Want
 
SharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims AuthSharePoint, ADFS and Claims Auth
SharePoint, ADFS and Claims Auth
 
Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011Claim Based Authentication in SharePoint 2010 for Community Day 2011
Claim Based Authentication in SharePoint 2010 for Community Day 2011
 
Leveraging the azure cloud for your mobile apps
Leveraging the azure cloud for your mobile appsLeveraging the azure cloud for your mobile apps
Leveraging the azure cloud for your mobile apps
 
Exploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access ManagerExploring Advanced Authentication Methods in Novell Access Manager
Exploring Advanced Authentication Methods in Novell Access Manager
 
ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016ID連携入門 (実習編) - Security Camp 2016
ID連携入門 (実習編) - Security Camp 2016
 
KazooCon 2014 - Introduction to Kazoo APIs!
KazooCon 2014 - Introduction to Kazoo APIs!KazooCon 2014 - Introduction to Kazoo APIs!
KazooCon 2014 - Introduction to Kazoo APIs!
 
AWS Summit Barcelona 2015 - Introducing Amazon API Gateway
AWS Summit Barcelona 2015 - Introducing Amazon API GatewayAWS Summit Barcelona 2015 - Introducing Amazon API Gateway
AWS Summit Barcelona 2015 - Introducing Amazon API Gateway
 
Application Services On The Web Sales Forcecom
Application Services On The Web Sales ForcecomApplication Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
 

Recently uploaded

英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 

Recently uploaded (20)

英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
Implementing Zero Trust strategy with Azure

Building Trust Between Modern Distributed Systems with SPIFFE (slide transcript)

Slide 1. Building Trust Between Modern Distributed Systems with SPIFFE. Andrew Jessup, Scytale Inc.

Slide 2. Source workload and destination workload. The two questions the destination has to answer: "Do I believe this workload is who they say they are?" and "Do I believe they really sent that message?"

Slide 3. Example service graph: Mobile API, Web Front End, POS API, Tickets, Subscriptions, Billing, Members DB.

Slide 4. Model 1: destination workload authentication. Source workload: Web Front End; destination workload: Subscriptions, backed by an Accounts store. 1. The source retrieves a username and password (or key/secret, signed nonce, etc.) from its configuration. 2. It supplies them in the authentication handshake. 3. The destination verifies the username and password against Accounts. 4. Acknowledge.

Slide 5. Model 2: platform mediated identity. The platform (e.g. AWS or Kubernetes) sits between the two workloads and exposes a privileged API to each side. 1. The source retrieves a proof of identity from the platform. 2. It sends that proof in the authentication handshake. 3. The destination verifies the source workload's identity through its own privileged platform API. 4. Acknowledge. Examples: AWS IAM, Kubernetes Service Accounts.

Slide 6. Comparison (destination workload authentication / platform mediated identity / SPIFFE):
  API-driven credential rotation and distribution:      No  / Yes / Yes
  One identity per workload:                            No  / Yes / Yes
  No credentials need to be deployed with the workload: No  / Yes / Yes
  Supports trust across different platforms:            Yes / No  / Yes

Slide 7. SPIFFE: Secure Production Identity Framework For Everyone. Web Front End on Platform A, Subscriptions on Platform B, each with a local Workload API. 1. The source retrieves its SPIFFE ID and SVIDs from the Workload API. 2. It sends proof of identity in the authentication handshake. 3. The destination verifies the source workload's identity. 4. Acknowledge.

Slide 8. (No transcript text.)

Slide 9. Dave Presotto 2004, Russ Cox 2008, Eric Grosse 2007, Rob Pike 2002, Sean Quinlan 2002.

Slide 10. The SPIFFE project: a set of specifications that cover how a workload should retrieve and use its identity: the SPIFFE ID, SPIFFE Verifiable Identity Documents (SVIDs), and the SPIFFE Workload API. SPIRE, the SPIFFE Runtime Environment: open-source software that implements the SPIFFE Workload API for a variety of platforms. Apache 2.0 license, independent governance, highly extensible through plug-ins. github.com/spiffe/spiffe, github.com/spiffe/spire.
Slide 12. SPIFFE Verifiable Identity Document (SVID). Example SPIFFE ID: spiffe://acme.com/billing/payments. Today there is only one form of SVID, the X509-SVID; other document types are under consideration, including a JWT-SVID. SVIDs are typically short-lived.
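The following Go program is an added example, not code from the talk or from the SPIFFE and SPIRE projects. It shows the two things slides 7, 10 and 12 describe: what makes a string a SPIFFE ID, and what an X509-SVID is and how the destination workload (slide 7, step 3) verifies one. It stands up a throwaway CA that plays the SPIRE Server's signing key, issues a one-hour X509-SVID for spiffe://acme.com/billing/payments with that ID as the certificate's only URI SAN, and then performs the destination-side check: chain the certificate to the trust bundle, reject CA certificates, require exactly one spiffe:// URI SAN, and hand back the peer's SPIFFE ID. The CA name, the one-hour TTL, the function names and the in-process key generation (SPIRE's agent generates the key and sends the server a CSR) are this example's own choices; only the SPIFFE ID comes from the slides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ParseSPIFFEID checks the spiffe://<trust-domain>/<path> shape and returns its two parts.
func ParseSPIFFEID(id string) (trustDomain, path string, err error) {
	u, err := url.Parse(id)
	if err != nil {
		return "", "", err
	}
	if u.Scheme != "spiffe" || u.Hostname() == "" {
		return "", "", fmt.Errorf("%q is not of the form spiffe://<trust-domain>/<path>", id)
	}
	if u.User != nil || u.Port() != "" || u.RawQuery != "" || u.Fragment != "" {
		return "", "", fmt.Errorf("%q: SPIFFE IDs carry no userinfo, port, query or fragment", id)
	}
	return strings.ToLower(u.Hostname()), u.Path, nil
}

func serial() *big.Int {
	n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return n
}

// issue generates a fresh P-256 key for tmpl and signs it with signer (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewTrustDomainCA is a throwaway CA that plays the SPIRE Server's signing key (constructed for this example).
func NewTrustDomainCA(trustDomain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: serial(), Subject: pkix.Name{CommonName: "SPIRE CA for " + trustDomain},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueX509SVID signs a short-lived, non-CA leaf whose only URI SAN is the SPIFFE ID (key made in-process, not from an agent CSR).
func IssueX509SVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string, ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if _, _, err := ParseSPIFFEID(spiffeID); err != nil {
		return nil, nil, err
	}
	id, _ := url.Parse(spiffeID)
	return issue(&x509.Certificate{
		SerialNumber: serial(), URIs: []*url.URL{id},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}

// VerifyX509SVID is the destination side of the handshake: the SVID must chain to the trust bundle
// at time now and be a non-CA leaf with exactly one URI SAN; that SAN is the peer's SPIFFE ID.
func VerifyX509SVID(svid *x509.Certificate, bundle *x509.CertPool, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: bundle, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := svid.Verify(opts); err != nil {
		return "", err
	}
	if svid.IsCA || len(svid.URIs) != 1 {
		return "", fmt.Errorf("an X509-SVID is a non-CA leaf carrying exactly one URI SAN")
	}
	id := svid.URIs[0].String()
	if _, _, err := ParseSPIFFEID(id); err != nil {
		return "", err
	}
	return id, nil
}

func main() {
	ca, caKey, _ := NewTrustDomainCA("acme.com")
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	svid, _, _ := IssueX509SVID(ca, caKey, "spiffe://acme.com/billing/payments", time.Hour)
	id, err := VerifyX509SVID(svid, bundle, time.Now())
	fmt.Println("now:", id, err)
	_, err = VerifyX509SVID(svid, bundle, time.Now().Add(2*time.Hour))
	fmt.Println("two hours later:", err)
}
```

Two checks in the verifier carry the security weight. Verification at a time past NotAfter fails, which is what "typically short-lived" buys you: a stolen SVID has a bounded life, and rotation through the Workload API replaces it before that life ends. The same SVID presented under another trust domain's bundle is rejected, so the bundle is the root of the trust relationship and is what federation (slide 25) has to distribute.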
Slide 13. The SPIFFE Workload API (diagram): a server exposing the Workload API, and workloads on the host calling whoami() on it to learn their own identity.

Slide 14. SPIFFE integrations so far:
  ● A Go client library for parsing SVIDs (github.com/spiffe/go-spiffe)
  ● Using SVIDs to authenticate Ghost-tunnel proxies: https://blog.scytale.io/securing-the-service-mesh-with-spire-0-3-38775f767653
  ● Using SVIDs to authenticate Envoy proxies: https://blog.scytale.io/securing-the-service-mesh-with-spire-0-3-38775f767653
  In development:
  ● A C client library for parsing SVIDs (github.com/spiffe/c-spiffe)
  ● Using SVIDs to authenticate gRPC clients (with Google)
  ● Using SVIDs as an authentication backend to Vault (with QAware, HashiCorp and Red Hat)
  ● Using SVIDs to authenticate to nginx (Scytale)
Slide 15. SPIRE Server registration entry: spiffe://acme.com/billing/payments with selectors aws:sg:sg-edcd9784 and unix:uid:1001.

Slide 16. Node attestation. On an EC2 instance, the SPIRE Agent (which serves the Workload API to the workload) talks to the SPIRE Server; the AWS Instance Metadata API is the source of evidence. 1. The node agent authenticates to the SPIRE Server, passing the AWS Instance Identity Document.

Slide 17. Node attestation, continued. 2. The server returns the list of valid SPIFFE IDs for the node, together with their selectors.

Slide 18. Workload attestation. 3. The workload requests its identity (whoami()). 4. The node agent performs an out-of-band check of the workload's process metadata and compares it to the known selectors.

Slide 19. SVID bundle issuance. 5. If a match is found, the node agent generates a key for the workload. 6. The node agent sends a certificate signing request based on that key to the SPIRE Server.

Slide 20. SVID bundle issuance, continued. 7. The SPIRE Server issues the SVID (as well as certificates for any other workload the instance should support).

Slide 21. SVID bundle issuance, continued. 8. The certificate bundle is returned to the workload.

Slide 22. SPIRE Server registration entry with selectors from several attestors: spiffe://acme.com/billing/payments with selectors aws:sg:sg-edcd9784, k8s:ns:payments, k8s:sa:pay-svc and docker:image-id:442ca9.
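Slides 15 through 22 describe one procedure: register an identity with selectors, attest the node, attest the workload, issue. The Go program below is an added example, not code from the talk or from SPIRE, and it models the two matching decisions in that procedure: which registration entries a node becomes authorized for once its node attestor has proven selectors such as its security group (slide 17, step 2), and which SPIFFE IDs a calling process receives once the agent's out-of-band inspection has produced its workload selectors (slide 18, step 4). The registry contents, the Entry layout with separate node and workload selector lists, the second security group, the ledger entry and its unix:path selector are all constructed for this example; the key generation and signing that follow a match are not modelled.

```go
package main

import (
	"fmt"
	"sort"
)

// Entry is this example's model of a SPIRE registration entry (the field layout is the example's,
// not SPIRE's API): the node selectors a node must prove before it may host the identity, and the
// workload selectors the calling process itself must present.
type Entry struct {
	SPIFFEID          string
	NodeSelectors     []string // proven during node attestation, e.g. "aws:sg:sg-edcd9784"
	WorkloadSelectors []string // discovered during workload attestation, e.g. "unix:uid:1001"
}

// selectorSet answers "does the attested evidence cover every selector the entry demands?"
type selectorSet map[string]struct{}

func toSet(sels []string) selectorSet {
	s := make(selectorSet, len(sels))
	for _, sel := range sels {
		s[sel] = struct{}{}
	}
	return s
}

// covers is true when every required selector was attested; selectors are ANDed, and extra
// attested selectors neither help nor hurt.
func (s selectorSet) covers(required []string) bool {
	for _, r := range required {
		if _, ok := s[r]; !ok {
			return false
		}
	}
	return true
}

// AuthorizedEntries is the server-side step after node attestation: only entries whose node
// selectors the node has proven are ever handed to that node's agent.
func AuthorizedEntries(registry []Entry, nodeSelectors []string) []Entry {
	proven := toSet(nodeSelectors)
	var out []Entry
	for _, e := range registry {
		if proven.covers(e.NodeSelectors) {
			out = append(out, e)
		}
	}
	return out
}

// WorkloadAttest is the agent-side step: given the selectors discovered about the calling process
// (uid, binary path, container labels...), return the SPIFFE IDs of every authorized entry that fully matches.
func WorkloadAttest(authorized []Entry, discovered []string) []string {
	found := toSet(discovered)
	var ids []string
	for _, e := range authorized {
		if found.covers(e.WorkloadSelectors) {
			ids = append(ids, e.SPIFFEID)
		}
	}
	sort.Strings(ids)
	return ids
}

// SampleRegistry is constructed data in the shape of the entries on slides 15 and 22.
func SampleRegistry() []Entry {
	return []Entry{
		{"spiffe://acme.com/billing/payments", []string{"aws:sg:sg-edcd9784"}, []string{"unix:uid:1001"}},
		{"spiffe://acme.com/billing/ledger", []string{"aws:sg:sg-edcd9784"}, []string{"unix:uid:1002", "unix:path:/opt/ledger/bin/ledger"}},
		{"spiffe://acme.com/web/frontend", []string{"aws:sg:sg-0a1b2c3d"}, []string{"unix:uid:1001"}},
	}
}

func main() {
	// Constructed: what the node attestor extracted from this instance's identity document.
	node := []string{"aws:sg:sg-edcd9784", "aws:region:us-west-2"}
	authorized := AuthorizedEntries(SampleRegistry(), node)
	for _, probe := range [][]string{{"unix:uid:1001", "unix:gid:1001"}, {"unix:uid:1002"}} {
		fmt.Printf("%v -> %v\n", probe, WorkloadAttest(authorized, probe))
	}
}
```

Two outcomes in the sample data are the point. A uid 1002 process with no matching path selector gets nothing, because every selector on an entry must match, not just one. And the web/frontend entry also asks only for uid 1001, yet a uid 1001 process on this node never receives it, because node attestation did not prove sg-0a1b2c3d: the server hands an agent only the entries its node has earned, which bounds what a compromised agent or a mis-registered process can obtain.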
Slide 23. SPIRE architecture (diagram in three layers: Platform, Workload, Core). Core: SPIRE, with its Workload API (gRPC), Node Attestor plug-ins and Workload Attestor plug-ins. Workload-facing uses: secure introduction to other services, mTLS, JWTs, identity for proxy services, simplifying deployment of distributed systems. Platforms and attestation sources shown: Linux, Windows, OS X, YubiKey, HSM providers, Azure, GCP, Kubernetes, Mesosphere, Join Token, AWS, Kerberos.
Slide 24. What SPIFFE is not:
  ● Authorization (it does, however, provide the identities on which authorization schemes can be built)
  ● Transport-level security (SVIDs can, however, be used to establish TLS sessions or sign JWTs)

Slide 25. Things we didn't talk about:
  ● Integration into custom datastores and PKI
  ● Design patterns (secure introduction to secrets stores, service mesh, etc.)
  ● Identity translation
  ● Federation

Slide 26. Where to go next:
  ● GitHub: github.com/spiffe/spiffe, github.com/spiffe/spire, github.com/spiffe-example
  ● Evan Gilman's KubeCon 2017 talk on SPIFFE (YouTube)
  ● Medium: https://blog.scytale.com/
  ● Join our next community day (March 9, daytime PST) or meet us at KubeCon EU 2018 in Copenhagen
  Pointers to SIGs, Slack, mailing lists and more.

Slide 27. Thank you! Andrew Jessup, Twitter: @whenfalse