Build Systems that Drive Business
30–31 Oct 2018: Training
31 Oct–2 Nov 2018: Tutorials & Conference
London, UK

Building trust between distributed systems with SPIFFE

Sabree Blackmon (Scytale)
15:40–16:20 Friday, 2 November 2018
Building Secure Systems
Location: Park Suite (St. James / Regents)
Secondary topics: Systems Architecture & Infrastructure
Average rating: 3.50 (2 ratings)

Prerequisite knowledge

  • Familiarity with security, PKI, and cloud infrastructure (useful but not required)

What you'll learn

  • Explore the SPIFFE and SPIRE projects, which provide an open standard and toolchain for trusted communication in modern cloud computing environments

Description

Modern infrastructure patterns like microservices, container orchestration, and hybrid and multicloud deployments have turned conventional models for data center authentication and security on their heads. In the face of highly dynamic compute and network resources, a new challenge has arisen: how to authenticate and trust service-to-service communication in this brave new world. Enter the problem known as workload identity.

Sabree Blackmon explores the challenges in solving this problem: what kind of credentials to settle on, how to rotate them, how to automatically (and securely) bootstrap trust in order to issue them, and how to make sure a wide variety of external systems can authenticate them appropriately. Sabree then offers an overview of SPIFFE and SPIRE, open source projects sponsored by the Linux Foundation aimed at solving these problems.

Inspired by similar infrastructure developed at Google, Twitter, and Netflix, SPIFFE was first proposed by Joe Beda at GlueCon 2016, and SPIRE, an open source implementation, was first announced at KubeCon Austin in 2017, where it received widespread interest. It is fast emerging as an important component for providing “dial-tone” authentication for distributed systems running in hybrid environments. Sabree concludes by discussing some of the emerging real-world applications of SPIRE, including JWT token signing, secure introduction to Vault and Envoy, and how SPIRE can form the foundation of an organization-wide service mesh.

Sabree Blackmon

Scytale

Sabree Blackmon is a technologist and developer advocate at Scytale, where he helps organize the SPIFFE and SPIRE open source communities while also mentoring engineers on application identity and security.