spiffe and spire in practice - cncf.io

41
SPIFFE AND SPIRE IN PRACTICE DANIEL FELDMAN UMAIR KHAN

Upload: others

Post on 24-Nov-2021

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: SPIFFE AND SPIRE IN PRACTICE - cncf.io

SPIFFE AND SPIRE IN PRACTICE

DANIEL FELDMANUMAIR KHAN

Page 2: SPIFFE AND SPIRE IN PRACTICE - cncf.io

AGENDA

RECAP: SPIFFE AND SPIRE 1

SECURE MICROSERVICES COMMUNICATION2

BUILD AND BRIDGE SERVICE MESH 3

AUTHENTICATE SECURELY TO COMMON PLATFORMS4

AUTHENTICATION FOR ZERO TRUST SECURITY5

REDUCING THE RISK OF ROGUE CONTAINERS6

Page 3: SPIFFE AND SPIRE IN PRACTICE - cncf.io

SPIFFE AND SPIRE INTRODUCTION

Page 4: SPIFFE AND SPIRE IN PRACTICE - cncf.io

INTRODUCING SPIFFE AND SPIRE

4

Open-source specification and

toolchain for service identity

Part of CNCFIntegrated into various open-source projects

Extensive contributions by HPE and other top

tech companies

Page 5: SPIFFE AND SPIRE IN PRACTICE - cncf.io

Increasing attack surface & risk of leakage across untrusted networksCROSS-SERVICE COMMUNICATION IS EXPLODING

5

API Gateway

Long-lived service credentials exist across applications, repositories, platforms, and tools, making them ripe for theft.

Page 6: SPIFFE AND SPIRE IN PRACTICE - cncf.io

Increasing operational complexity and reducing developer velocity CROSS-SERVICE COMMUNICATION IS EXPLODING

6

Learn new APIs

Integrate with IDPs

Credentials management

Developers of Apps / Platforms

Security Operation

Security Reviews

Compliance Reporting

On-board apps

Security ReviewsIAM Systems

Page 7: SPIFFE AND SPIRE IN PRACTICE - cncf.io

SOLVING THE “BOTTOM TURTLE”

SOURCE: SOLVING THE BOTTOM TURTLE: WWW.SPIFFE.IO/BOOK

Service Certificate

Platform Identity

Initial Configuration?

Platform Secret Store

Page 8: SPIFFE AND SPIRE IN PRACTICE - cncf.io

SOLVING THE “BOTTOM TURTLE”

SOURCE: SOLVING THE BOTTOM TURTLE: WWW.SPIFFE.IO/BOOK

Service Certificate

Platform Identity

Initial Configuration?

Platform Secret Store

Page 9: SPIFFE AND SPIRE IN PRACTICE - cncf.io

SPIFFE KEY CONCEPTS

9

Standard format for a service identifier

spiffe://trustdomain/serviceCryptographically verifiable document

asserting a SPIFFE ID

SPIFFE ID SPIFFE VERIFIABLE IDENTITY DOCUMENT

Set of public keys used to verify SVIDs

TRUST BUNDLE

Local API for workloads to retrieve their SPIFFE IDs, SVIDs, and Trust Bundles

WORKLOAD API

Page 10: SPIFFE AND SPIRE IN PRACTICE - cncf.io

Core Differentiators SPIRE

10

• Real time, attestation engine issues and validates cryptographic service identifies (SPIFFE) based on multiple factor policy

• Eliminates the need for secret management

Has it been signed by the

CI/CD pipeline?

Is the machine a member of a known network

or cluster?

Can we affirm the integrity of the machine it

runs upon?

Is it known to trusted

middleware or schedulers?

• Automatically issues, distributes, and renews short-live credentials

• Reduces operational overhead associated with credential management

• Easily extends to identity providers, certificate authorities, and systems

• Designed for dynamic, distributed environments

MULTI-FACTOR ATTESTATION AUTOMATED LIFECYCLE MANAGEMENT

EXTENSIBLE, WEB-SCALE ARCHITECTURE

Page 11: SPIFFE AND SPIRE IN PRACTICE - cncf.io

SECURE MICROSERVICES COMMUNICATION

Page 12: SPIFFE AND SPIRE IN PRACTICE - cncf.io

13

SECURE MICROSERVICES COMMUNICATION

Cloud or Kubernetes Platform

Node

Service

Node

Service

Page 13: SPIFFE AND SPIRE IN PRACTICE - cncf.io

14

SECURE MICROSERVICES COMMUNICATION

Cloud or Kubernetes Platform

Node

Service

SPIRE AgentSVIDTrust BundleSPIFFE ID

Node

Service

SPIRE AgentSVIDTrust BundleSPIFFE ID

SPIRE Server

Page 14: SPIFFE AND SPIRE IN PRACTICE - cncf.io

15

SECURE MICROSERVICES COMMUNICATION

Cloud or Kubernetes Platform

Node

Service

SPIRE AgentSVIDTrust BundleSPIFFE ID

Node

Service

SPIRE AgentSVIDTrust BundleSPIFFE ID

SPIRE Server

Mutual TLS Connection!

Page 15: SPIFFE AND SPIRE IN PRACTICE - cncf.io

16

SECURE MICROSERVICES COMMUNICATION

Platform A

Node

Service

SPIRE AgentSVIDTrust BundleSPIFFE ID

Node

Service

SPIRE AgentSVIDTrust BundleSPIFFE ID

SPIRE Server

Platform B

Mutual TLS ConnectionMutual TLS Connection!

Page 16: SPIFFE AND SPIRE IN PRACTICE - cncf.io

17

IMPLEMENTATION OPTIONS

Workload Workload

SPIRE Agent

SPIFFE Helper

SPIRE Agent

Directly Use Workload API

SPIFFE Helper

Envoy Proxy

WorkloadEnvoy Proxy

SPIRE Agent

Page 17: SPIFFE AND SPIRE IN PRACTICE - cncf.io

• Works across different service meshes and outside service meshes

• Can do hardware-level or cloud-level attestation

• More fine-grained control over certificates

18

SERVICE MESH COMPARISON

Page 18: SPIFFE AND SPIRE IN PRACTICE - cncf.io

UBER: SECURING NEXT-GEN AND LEGACY INFRASTRUCTURE

“SPIRE is now a key component of Uber's next infrastructure, but we are also using a side-car approach to retrofit authentication into legacy infrastructure. While SPIFFE and SPIRE are commonly known to work in modern, cloud native architectures, we can adapt the projects to our proprietary legacy stack quickly. SPIRE can provide a critical bridge of trust within Uber's next-gen and legacy infrastructure and positively impact internal security and developer efficiency”

19

Ryan Turner, Software Engineer 2, Uber

Source: Solving the bottom turtle: www.spiffe.io/book

Page 19: SPIFFE AND SPIRE IN PRACTICE - cncf.io

BUILD AND BRIDGE SERVICE MESH

Page 20: SPIFFE AND SPIRE IN PRACTICE - cncf.io

21

BUILD AND BRIDGE SERVICE MESH

Service Mesh

Pod

Service

SPIRE Server

SPIRE AgentPod

Service Mesh

Proxy Proxy

SPIRE Agent

Mesh

Page 21: SPIFFE AND SPIRE IN PRACTICE - cncf.io

22

BUILD AND BRIDGE SERVICE MESH

Service Mesh

Pod

Service

SPIRE Server

SPIRE AgentPod

Service Mesh

Proxy Proxy

SPIRE Agent

Mesh

Service Mesh

Page 22: SPIFFE AND SPIRE IN PRACTICE - cncf.io

23

BUILD AND BRIDGE SERVICE MESH

Service Mesh

Pod

Service

SPIRE Server

SPIRE Agent

Service Mesh

Proxy

SPIRE Agent

Mesh

Standalone Instance

Page 23: SPIFFE AND SPIRE IN PRACTICE - cncf.io

• AWS App Mesh • GreyMatter• Istio • Kuma • Network Service Mesh • NGINX Service Mesh • Open Service Mesh

24

SOME EXAMPLES

Page 24: SPIFFE AND SPIRE IN PRACTICE - cncf.io

AUTHENTICATE SECURELY TO DATABASES OR CLOUD PLATFORM

Page 25: SPIFFE AND SPIRE IN PRACTICE - cncf.io

Reduce reliance on passwords or API keys

Using usernames/passwords or tokens to access resources outside Kubernetes e.g. Datastores

• Risk of breach is higher• Need to generate/manage credentials

26

AUTHENTICATE TO COMMON DATABASES OR CLOUD PLATFORMS

S3

Page 26: SPIFFE AND SPIRE IN PRACTICE - cncf.io

Reduce reliance on passwords or API keys

27

AUTHENTICATE TO COMMON DATABASES OR CLOUD PLATFORMS

S3With SPIRE you can: • Eliminate the need to generate and manage

distinct shared secrets for each cloud platform for each application.

• Scale, secure identity-driven authentication across all cloud providers and platforms.

Page 27: SPIFFE AND SPIRE IN PRACTICE - cncf.io

AUTHENTICATE TO AWS

On-prem Service

OIDC Federation Keys SPIRE Server

SPIRE Agent

AWS APIs

Service

RDS Database

S3 Storage

Page 28: SPIFFE AND SPIRE IN PRACTICE - cncf.io

AUTHENTICATE TO POSTGRESQL

Service

SPIRE Server

SPIRE Agent

Service

SPIRE Agent

SPIFFE Helper

PostgreSQL

Spiffe-helper pushes certificates into PostgreSQLServices can authenticate as PostgreSQL users

Page 29: SPIFFE AND SPIRE IN PRACTICE - cncf.io
Page 30: SPIFFE AND SPIRE IN PRACTICE - cncf.io

AUTHENTICATION FOR ZERO TRUST SECURITY MODEL

Page 31: SPIFFE AND SPIRE IN PRACTICE - cncf.io

PERIMETER SECURITY

SERVICESERVICE

SERVICESERVICE

DATACENTER

As we add:● services● datacenters● clouds● regions inside clouds

perimeter security becomes increasingly untenable

SERVICE

CLOUD 1

SERVICE

SERVICE

CLOUD 2

SERVICE

SAAS PROVIDER

PARTNER

MANAGED DB

Page 32: SPIFFE AND SPIRE IN PRACTICE - cncf.io

Traditional network based security models don’t work in modern software architectures

33

CLOUD AND CONTAINERS DRIVING ADOPTION OF ZERO TRUST

• Attempts to build a trusted “wall”• Relies on IP addresses or physical

locations • Difficult to implement for today’s

dynamic environments

• Assumes “bad guys” are everywhere• Uses cryptographic identities for

authenticating every system/user• Enables universal enforcement across

hybrid infrastructures

Perimeter based Zero Trust

Page 33: SPIFFE AND SPIRE IN PRACTICE - cncf.io

SPIFFE IS FOUNDATIONAL FOR ZERO TRUST SECURITY MODEL

SERVICESERVICE

SERVICESERVICE

DATACENTER

Each service gets its own● unique● secure● provable

identitySERVICE

CLOUD 1

SERVICE

SERVICE

CLOUD 2

SERVICE

SAAS PROVIDER

PARTNER

MANAGED DB

IDENTITYPROVIDER

Page 34: SPIFFE AND SPIRE IN PRACTICE - cncf.io

ANTHEM: BUILDING A FOUNDATION FOR ZERO TRUST IN HEALTHCARE

“We could not rely on traditional parameter-based security tools and processes to secure our next-generation applications and infrastructure. Zero trust, a fine-grained, automated approach to security, made a lot of sense to us, especially in the future, as we plan to operate across organizational boundaries and cloud providers. Identity and authentication for both users and services are among the zero trust security model’s core principles. Zero trust allows us to rely less on network-based controls than authenticating every system or workload. SPIFFE and SPIRE have enabled a foundational authentication layer for our zero trust security architecture. They allow each workload to cryptographically prove “who they are” before they start communicating”

35

Bobby Samuel, VP AI Engineering, Anthem

Source: Solving the bottom turtle: www.spiffe.io/book

Page 35: SPIFFE AND SPIRE IN PRACTICE - cncf.io

REDUCING THE RISK OF ROGUE CONTAINERS

Page 36: SPIFFE AND SPIRE IN PRACTICE - cncf.io

Attackers can insert new containers or workloads

37

CHALLENGE : REDUCE RISK OF ROGUE CONTAINERS

Source Code

CI/CD Systems

ContainerContainer

Kubernetes Platform

Page 37: SPIFFE AND SPIRE IN PRACTICE - cncf.io

38

SOLUTION: BINARY ATTESTATION WITH SPIRE

• Each time the CICD system builds a container image, it sends the container hash to SPIRE• SPIRE then checks the container hash each time it

grants an identity document• This guarantees attackers can’t insert new

containers, modify containers in the container registry, or bypass CI/CD security checks

CI/CD Systems

SPIRE Server

SPIRE AgentSource Code

Container

Page 38: SPIFFE AND SPIRE IN PRACTICE - cncf.io

39

CHALLENGE : SERVICE DISRUPTION DUE TO MISCONFIGURATION

DEV PROD

Workload Workload

Page 39: SPIFFE AND SPIRE IN PRACTICE - cncf.io

SOLUTION: REDUCE RISK OF MISCONFIGURATION

SEPARATE TRUST DOMAINS

Use separate SPIRE domains for dev and prod workloads, in order to ensure isolation of prod workloads.

DEV PROD

SPIRE Server

SPIRE Agent

Workload

SPIRE Server

SPIRE Agent

Workload

Page 40: SPIFFE AND SPIRE IN PRACTICE - cncf.io

TRANSPARENT AUTHENTICATION HAS SIMPLIFIED OPERATIONS

“With SPIRE we can deploy a consistent, “dial-tone” authentication across all our platforms. The burden of authentication and security is now encapsulated from the developers so they can focus on business or application logic. This has improved our deployment velocity overall. We are also less likely to get “production errors” due to configuration issues such as using development credentials in production. Standardized authentication with SPIRE has also simplified compliance and audit since we have mutual TLS across trust domains and platforms.

41

Eli Nesterov, Security Engineering Manager, ByteDance

Source: Solving the bottom turtle: www.spiffe.io/book

Page 41: SPIFFE AND SPIRE IN PRACTICE - cncf.io

THANK YOU

42

SPIFFE.io

Slack.spiffe.io

github.com/spiffe

spiffe.io/book