spiffe and spire in practice - cncf.io
TRANSCRIPT
![Page 1: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/1.jpg)
SPIFFE AND SPIRE IN PRACTICE
DANIEL FELDMANUMAIR KHAN
![Page 2: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/2.jpg)
AGENDA
RECAP: SPIFFE AND SPIRE 1
SECURE MICROSERVICES COMMUNICATION2
BUILD AND BRIDGE SERVICE MESH 3
AUTHENTICATE SECURELY TO COMMON PLATFORMS4
AUTHENTICATION FOR ZERO TRUST SECURITY5
REDUCING THE RISK OF ROGUE CONTAINERS6
![Page 3: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/3.jpg)
SPIFFE AND SPIRE INTRODUCTION
![Page 4: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/4.jpg)
INTRODUCING SPIFFE AND SPIRE
4
Open-source specification and
toolchain for service identity
Part of CNCFIntegrated into various open-source projects
Extensive contributions by HPE and other top
tech companies
![Page 5: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/5.jpg)
Increasing attack surface & risk of leakage across untrusted networksCROSS-SERVICE COMMUNICATION IS EXPLODING
5
API Gateway
Long-lived service credentials exist across applications, repositories, platforms, and tools, making them ripe for theft.
![Page 6: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/6.jpg)
Increasing operational complexity and reducing developer velocity CROSS-SERVICE COMMUNICATION IS EXPLODING
6
Learn new APIs
Integrate with IDPs
Credentials management
Developers of Apps / Platforms
Security Operation
Security Reviews
Compliance Reporting
On-board apps
Security ReviewsIAM Systems
![Page 7: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/7.jpg)
SOLVING THE “BOTTOM TURTLE”
SOURCE: SOLVING THE BOTTOM TURTLE: WWW.SPIFFE.IO/BOOK
Service Certificate
Platform Identity
Initial Configuration?
Platform Secret Store
![Page 8: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/8.jpg)
SOLVING THE “BOTTOM TURTLE”
SOURCE: SOLVING THE BOTTOM TURTLE: WWW.SPIFFE.IO/BOOK
Service Certificate
Platform Identity
Initial Configuration?
Platform Secret Store
![Page 9: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/9.jpg)
SPIFFE KEY CONCEPTS
9
Standard format for a service identifier
spiffe://trustdomain/serviceCryptographically verifiable document
asserting a SPIFFE ID
SPIFFE ID SPIFFE VERIFIABLE IDENTITY DOCUMENT
Set of public keys used to verify SVIDs
TRUST BUNDLE
Local API for workloads to retrieve their SPIFFE IDs, SVIDs, and Trust Bundles
WORKLOAD API
![Page 10: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/10.jpg)
Core Differentiators SPIRE
10
• Real time, attestation engine issues and validates cryptographic service identifies (SPIFFE) based on multiple factor policy
• Eliminates the need for secret management
Has it been signed by the
CI/CD pipeline?
Is the machine a member of a known network
or cluster?
Can we affirm the integrity of the machine it
runs upon?
Is it known to trusted
middleware or schedulers?
• Automatically issues, distributes, and renews short-live credentials
• Reduces operational overhead associated with credential management
• Easily extends to identity providers, certificate authorities, and systems
• Designed for dynamic, distributed environments
MULTI-FACTOR ATTESTATION AUTOMATED LIFECYCLE MANAGEMENT
EXTENSIBLE, WEB-SCALE ARCHITECTURE
![Page 11: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/11.jpg)
SECURE MICROSERVICES COMMUNICATION
![Page 12: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/12.jpg)
13
SECURE MICROSERVICES COMMUNICATION
Cloud or Kubernetes Platform
Node
Service
Node
Service
![Page 13: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/13.jpg)
14
SECURE MICROSERVICES COMMUNICATION
Cloud or Kubernetes Platform
Node
Service
SPIRE AgentSVIDTrust BundleSPIFFE ID
Node
Service
SPIRE AgentSVIDTrust BundleSPIFFE ID
SPIRE Server
![Page 14: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/14.jpg)
15
SECURE MICROSERVICES COMMUNICATION
Cloud or Kubernetes Platform
Node
Service
SPIRE AgentSVIDTrust BundleSPIFFE ID
Node
Service
SPIRE AgentSVIDTrust BundleSPIFFE ID
SPIRE Server
Mutual TLS Connection!
![Page 15: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/15.jpg)
16
SECURE MICROSERVICES COMMUNICATION
Platform A
Node
Service
SPIRE AgentSVIDTrust BundleSPIFFE ID
Node
Service
SPIRE AgentSVIDTrust BundleSPIFFE ID
SPIRE Server
Platform B
Mutual TLS ConnectionMutual TLS Connection!
![Page 16: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/16.jpg)
17
IMPLEMENTATION OPTIONS
Workload Workload
SPIRE Agent
SPIFFE Helper
SPIRE Agent
Directly Use Workload API
SPIFFE Helper
Envoy Proxy
WorkloadEnvoy Proxy
SPIRE Agent
![Page 17: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/17.jpg)
• Works across different service meshes and outside service meshes
• Can do hardware-level or cloud-level attestation
• More fine-grained control over certificates
18
SERVICE MESH COMPARISON
![Page 18: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/18.jpg)
UBER: SECURING NEXT-GEN AND LEGACY INFRASTRUCTURE
“SPIRE is now a key component of Uber's next infrastructure, but we are also using a side-car approach to retrofit authentication into legacy infrastructure. While SPIFFE and SPIRE are commonly known to work in modern, cloud native architectures, we can adapt the projects to our proprietary legacy stack quickly. SPIRE can provide a critical bridge of trust within Uber's next-gen and legacy infrastructure and positively impact internal security and developer efficiency”
19
Ryan Turner, Software Engineer 2, Uber
Source: Solving the bottom turtle: www.spiffe.io/book
![Page 19: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/19.jpg)
BUILD AND BRIDGE SERVICE MESH
![Page 20: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/20.jpg)
21
BUILD AND BRIDGE SERVICE MESH
Service Mesh
Pod
Service
SPIRE Server
SPIRE AgentPod
Service Mesh
Proxy Proxy
SPIRE Agent
Mesh
![Page 21: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/21.jpg)
22
BUILD AND BRIDGE SERVICE MESH
Service Mesh
Pod
Service
SPIRE Server
SPIRE AgentPod
Service Mesh
Proxy Proxy
SPIRE Agent
Mesh
Service Mesh
![Page 22: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/22.jpg)
23
BUILD AND BRIDGE SERVICE MESH
Service Mesh
Pod
Service
SPIRE Server
SPIRE Agent
Service Mesh
Proxy
SPIRE Agent
Mesh
Standalone Instance
![Page 23: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/23.jpg)
• AWS App Mesh • GreyMatter• Istio • Kuma • Network Service Mesh • NGINX Service Mesh • Open Service Mesh
24
SOME EXAMPLES
![Page 24: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/24.jpg)
AUTHENTICATE SECURELY TO DATABASES OR CLOUD PLATFORM
![Page 25: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/25.jpg)
Reduce reliance on passwords or API keys
Using usernames/passwords or tokens to access resources outside Kubernetes e.g. Datastores
• Risk of breach is higher• Need to generate/manage credentials
26
AUTHENTICATE TO COMMON DATABASES OR CLOUD PLATFORMS
S3
![Page 26: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/26.jpg)
Reduce reliance on passwords or API keys
27
AUTHENTICATE TO COMMON DATABASES OR CLOUD PLATFORMS
S3With SPIRE you can: • Eliminate the need to generate and manage
distinct shared secrets for each cloud platform for each application.
• Scale, secure identity-driven authentication across all cloud providers and platforms.
![Page 27: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/27.jpg)
AUTHENTICATE TO AWS
On-prem Service
OIDC Federation Keys SPIRE Server
SPIRE Agent
AWS APIs
Service
RDS Database
S3 Storage
![Page 28: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/28.jpg)
AUTHENTICATE TO POSTGRESQL
Service
SPIRE Server
SPIRE Agent
Service
SPIRE Agent
SPIFFE Helper
PostgreSQL
Spiffe-helper pushes certificates into PostgreSQLServices can authenticate as PostgreSQL users
![Page 29: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/29.jpg)
![Page 30: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/30.jpg)
AUTHENTICATION FOR ZERO TRUST SECURITY MODEL
![Page 31: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/31.jpg)
PERIMETER SECURITY
SERVICESERVICE
SERVICESERVICE
DATACENTER
As we add:● services● datacenters● clouds● regions inside clouds
perimeter security becomes increasingly untenable
SERVICE
CLOUD 1
SERVICE
SERVICE
CLOUD 2
SERVICE
SAAS PROVIDER
PARTNER
MANAGED DB
![Page 32: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/32.jpg)
Traditional network based security models don’t work in modern software architectures
33
CLOUD AND CONTAINERS DRIVING ADOPTION OF ZERO TRUST
• Attempts to build a trusted “wall”• Relies on IP addresses or physical
locations • Difficult to implement for today’s
dynamic environments
• Assumes “bad guys” are everywhere• Uses cryptographic identities for
authenticating every system/user• Enables universal enforcement across
hybrid infrastructures
Perimeter based Zero Trust
![Page 33: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/33.jpg)
SPIFFE IS FOUNDATIONAL FOR ZERO TRUST SECURITY MODEL
SERVICESERVICE
SERVICESERVICE
DATACENTER
Each service gets its own● unique● secure● provable
identitySERVICE
CLOUD 1
SERVICE
SERVICE
CLOUD 2
SERVICE
SAAS PROVIDER
PARTNER
MANAGED DB
IDENTITYPROVIDER
![Page 34: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/34.jpg)
ANTHEM: BUILDING A FOUNDATION FOR ZERO TRUST IN HEALTHCARE
“We could not rely on traditional parameter-based security tools and processes to secure our next-generation applications and infrastructure. Zero trust, a fine-grained, automated approach to security, made a lot of sense to us, especially in the future, as we plan to operate across organizational boundaries and cloud providers. Identity and authentication for both users and services are among the zero trust security model’s core principles. Zero trust allows us to rely less on network-based controls than authenticating every system or workload. SPIFFE and SPIRE have enabled a foundational authentication layer for our zero trust security architecture. They allow each workload to cryptographically prove “who they are” before they start communicating”
35
Bobby Samuel, VP AI Engineering, Anthem
Source: Solving the bottom turtle: www.spiffe.io/book
![Page 35: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/35.jpg)
REDUCING THE RISK OF ROGUE CONTAINERS
![Page 36: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/36.jpg)
Attackers can insert new containers or workloads
37
CHALLENGE : REDUCE RISK OF ROGUE CONTAINERS
Source Code
CI/CD Systems
ContainerContainer
Kubernetes Platform
![Page 37: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/37.jpg)
38
SOLUTION: BINARY ATTESTATION WITH SPIRE
• Each time the CICD system builds a container image, it sends the container hash to SPIRE• SPIRE then checks the container hash each time it
grants an identity document• This guarantees attackers can’t insert new
containers, modify containers in the container registry, or bypass CI/CD security checks
CI/CD Systems
SPIRE Server
SPIRE AgentSource Code
Container
![Page 38: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/38.jpg)
39
CHALLENGE : SERVICE DISRUPTION DUE TO MISCONFIGURATION
DEV PROD
Workload Workload
![Page 39: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/39.jpg)
SOLUTION: REDUCE RISK OF MISCONFIGURATION
SEPARATE TRUST DOMAINS
Use separate SPIRE domains for dev and prod workloads, in order to ensure isolation of prod workloads.
DEV PROD
SPIRE Server
SPIRE Agent
Workload
SPIRE Server
SPIRE Agent
Workload
![Page 40: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/40.jpg)
TRANSPARENT AUTHENTICATION HAS SIMPLIFIED OPERATIONS
“With SPIRE we can deploy a consistent, “dial-tone” authentication across all our platforms. The burden of authentication and security is now encapsulated from the developers so they can focus on business or application logic. This has improved our deployment velocity overall. We are also less likely to get “production errors” due to configuration issues such as using development credentials in production. Standardized authentication with SPIRE has also simplified compliance and audit since we have mutual TLS across trust domains and platforms.
41
Eli Nesterov, Security Engineering Manager, ByteDance
Source: Solving the bottom turtle: www.spiffe.io/book
![Page 41: SPIFFE AND SPIRE IN PRACTICE - cncf.io](https://reader030.vdocuments.us/reader030/viewer/2022012615/619ddf7b8b9e765bb90e0124/html5/thumbnails/41.jpg)
THANK YOU
42
SPIFFE.io
Slack.spiffe.io
github.com/spiffe
spiffe.io/book