BP: Universal Cryptographically-Verifiable Workload Identities
About BP
British Petroleum (BP) is an integrated energy business with operations in Europe, North and South America, Australasia, Asia and Africa. They deliver heat, light and mobility products and services to people all around the world to help to drive the transition to a lower carbon future.
BP has a vast hybrid IT infrastructure to maintain and secure, ranging from containers orchestrated by managed Kubernetes offerings in multiple public cloud platforms, to on-premise workloads and IoT field devices. As such, BP requires a robust strategy for managing machine identity across a diverse range of workload types.
Universal Cryptographically-Verifiable Service Identities
The client required a comprehensive strategy for machine identity that encompassed various workload types, including containers, virtual machines (VMs), on-premise workloads, and IoT devices. They sought a cloud-agnostic solution to simplify workload identity and enable various use cases for their customers.
ControlPlane developed a proof of concept using the Secure Production Identity Framework for Everyone (SPIRE) project to demonstrate how the workload identity solution could address the client’s needs. Additionally, an options paper was created to evaluate alternative solutions. This enabled the client to capture workload identity requirements, make informed decisions, and define a long-term strategy for their organisation.
Challenges
BP needed a streamlined approach for managing machine identity across different workload types and cloud environments to bootstrap a zero trust security architecture. They were looking to establish a trusted, scalable authentication and authorization system for modern container workloads whilst supporting their existing computing infrastructure.
The client faced the following challenges:
- No centralised workload identity system on which to establish cryptography in a zero trust architecture
- Difficulty in achieving identity federation across the client’s multi-cloud platform, which is split between AWS and Azure
- Increased complexity in setting up federation relationships for customers wanting their workloads to authenticate to their own cloud resources
These challenges were impacting the organisation in several ways:
- Inefficient workload identity management processes hindered workload authentication and resource access
- A fragmented experience for customers using or collaborating across different environments
- Increased administrative overhead and complexity from manual setup and maintenance of federation relationships
Solutions
ControlPlane developed a proof of concept using SPIRE, a production-ready implementation of the Secure Production Identity Framework For Everyone (SPIFFE) standard for workload identity, establishing a trusted root for a zero trust security architecture.
- Demonstrated that SPIRE addresses machine identity requirements across diverse workload types and cloud environments
- Evaluated multiple solutions considering the organisation’s posture and platform requirements and created an options paper
These solutions provided multiple benefits to the client, including:
- Validation of platform design principles and evidence to further the program
- Lower cost than building in-house, thanks to access to full-time subject matter experts
- Informed decision-making and enumeration of the cloud native zero trust landscape
- Community introduction and involvement with our open source partners in the SPIFFE and SPIRE projects
Business Outcomes
The client established an approach to long-term workload identity management for zero trust platforms, using SPIRE to solve machine identity challenges across multi-cloud platforms and workload types, and enhanced its in-house expertise in zero trust and workload identity.
ControlPlane’s expertise in zero trust security architecture and their collaborative efforts with GCP demonstrated their dedication to driving innovation and delivering secure solutions in the cloud-native ecosystem.