Building Zero Trust authentication for multi-cloud application services
One of the fundamental challenges organizations face with multi-cloud and hybrid cloud environments is how to set up secure communication across different clouds and environments. Cloud providers have their own identity and access management solutions, such as AWS IAM, to manage what access an instance should and should not have. But as soon as applications or services need to communicate from AWS to GCP, or from AWS to their on-prem infrastructure, it becomes a problem, because that identity is AWS-specific and not interoperable. Engineering and operations teams need something secure that works across environments and at the same time does not add friction to their deployment cycles.
This is the problem Scytale is trying to address with the Secure Production Identity Framework for Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE). Both open-source projects originated at Scytale but are now part of the Cloud Native Computing Foundation (CNCF). They have grown in popularity within the cloud native community and have seen contributions from organizations such as Amazon, Bloomberg, Google, Pinterest, Square, Uber and more.
“Scytale is the primary driver of these projects that offer ‘interoperable identity’ between different cloud providers and different platforms,” said Evan Gilman, Senior Engineer at Scytale.io and co-author of Zero Trust Networks. “From the commercial angle, we have built solutions to help organizations adopt these projects faster and extend their functionalities to address the needs of enterprise customers.”
Vendor- and technology-neutral identity solution
The passport analogy best explains interoperable identity. Passports from different countries all look different, but they are all the same size and meet the same specifications. They all have a picture of the holder in the same spot, and they all have a barcode at the bottom. Regardless of which country issued the passport, it works across the globe.
A “country” can be a particular software stack, a platform, or a cloud provider. Regardless of the environment, the identities that exist within and between these silos can communicate.
Interoperable identity becomes even more critical in multi-cloud and hybrid cloud deployments, because they raise the fundamental question of how users secure communication across these boundaries.
“We are bringing in a platform-agnostic service identity that is not specific to a cloud provider, platform, and technology,” said Gilman. It levels the playing field and lets users communicate across boundaries. Users won’t talk in AWS or GCP specifics; they communicate at the SPIFFE level. “SPIFFE provides users with what is sometimes referred to as a secure dial tone: you pick up the phone, it rings the other side irrespective of where it’s running and what platform it’s running on,” added Gilman.
SPIFFE-based service authentication is foundational for zero trust networks
SPIFFE is a standard, a set of documents, while SPIRE is the software implementation of that standard. SPIRE implements the SPIFFE specifications and lets workloads or services obtain these “passports” as soon as they boot, in a way that is very reliable, scalable, and highly automated. This identity-centric authentication is also critical for building a zero trust-based security model, which removes the reliance on the network to deliver trustworthy information.
“Networks have been historically fairly manipulable. So instead we build systems in such a way that it doesn’t rely on that network to deliver trustworthy information,” said Gilman. “We use protocols and strong authentication and authorization to try to mitigate any kind of business that might happen on the wire. It also mitigates what we call lateral movement. So if a neighbor is compromised, just because you’re attached to the same network, that should not mean that you should gain access that you would not have otherwise.”
Gilman explains, “Part of the SPIFFE specification set deals with what we call ‘federation’. There is usually a centralized authority that issues these identities. In reality, there are different companies that have their own authorities. Even different software stacks have their own authorities. There is a need to bridge these gaps.”
That’s where SPIFFE Federation enters the picture. It exchanges the cryptographic keys between different domains, so that users with different identity providers can communicate seamlessly.
One key design principle of SPIFFE Federation is that it is compatible with OIDC, a similar identity federation spec that is more focused on users. It allows for server-to-server and service-to-service communication. Any existing OIDC implementation can take advantage of it and pass one of its SPIFFE identity documents to a public cloud like AWS, which will be able to validate it using this OIDC SPIFFE Federation mechanism.
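As an added example (not Scytale’s code or SPIRE’s own implementation), this Go program shows the mechanics behind the passport analogy and the federation described above: an X509-SVID carries its SPIFFE ID as a URI SAN, and the verifier picks the trust bundle by the trust domain in that ID, so an SVID from a domain whose keys have not been exchanged is rejected even if it is otherwise well formed. It uses only the standard library; the trust domains cloud-a.example and cloud-b.example, the workload path and the self-minted CAs are constructed stand-ins for what SPIRE would issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// Bundles maps a trust domain to its trusted CA certificates; a federated peer's
// bundle is added once the two trust domains have exchanged keys.
type Bundles map[string]*x509.CertPool

// issue mints a certificate whose URI SAN is the SPIFFE ID: a self-signed trust-domain
// CA when parent is nil, otherwise a leaf X509-SVID (constructed stand-ins for SPIRE's).
func issue(id string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	u, _ := url.Parse(id)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		URIs: []*url.URL{u}, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, pkey = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifySVID authenticates a presented X509-SVID: the trust domain in its SPIFFE ID
// selects the bundle, and the certificate must chain to a CA in that bundle.
func VerifySVID(b Bundles, leaf *x509.Certificate) (string, error) {
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", errors.New("certificate does not carry exactly one SPIFFE ID")
	}
	roots, ok := b[leaf.URIs[0].Host]
	if !ok {
		return "", errors.New("no federated bundle for trust domain " + leaf.URIs[0].Host)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err
	}
	return leaf.URIs[0].String(), nil
}
```

In a real deployment the bundle for a foreign trust domain comes from its SPIRE server's bundle endpoint rather than being built locally, but the verifier-side check is the same.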
While SPIFFE as a specification does not change, SPIRE has a monthly release cadence and continues to add new features regularly.
The latest release introduced integration with the AWS Private CA Manager, which means that SPIRE deployments residing inside AWS can use it to protect the signing keys for identities. These identities are cryptographically backed, so there is a key that is used to sign them, and one of the biggest challenges is securing those signing keys. Being able to bury that key inside an AWS service that is backed by hardware security is an incredible feature.
The team is also working on a feature called Nested SPIRE, which allows users to run multiple SPIRE server clusters that form a tree and chain up to one another.
Together, these new features give a lot of flexibility in architecting for failure modes and failure domains, and in architecting around different security domains.