
Zero Trust Training Courses with the Linux Foundation

Published on April 03, 2024
By ControlPlane

The Kautz Zero Trust Triangle

As a major provider of cloud native training material, The Linux Foundation commissioned ControlPlane to author two hands-on courses on how to architect and build secure Zero Trust networks:

  • LFS183x, a free e-learning course entitled “Introduction to Zero Trust”
  • LFS482, a three day, instructor-led course on “Zero Trust Security with SPIFFE and SPIRE”

A Zero Trust approach to networking requires traffic authorisation decisions to be made based on cryptographically verifiable identity documents associated with the entities making the network requests. For humans, we have long-established procedures for obtaining identity documents such as passports, identity cards and driving licenses. These documents can then be used to establish that someone is who they claim to be when they sign up for an application or system account. However, for cloud native, potentially ephemeral workloads, obtaining identity documents by relying on manually provisioned long-lived secrets is not feasible (and not good for security!). Both LFS183x and LFS482 focus on SPIFFE and SPIRE to allow heterogeneous workloads to obtain short-lived, automatically rotated identity documents, without requiring access to a pre-provisioned secret.

Once we have a mechanism for workloads to seamlessly obtain identity documents, we can enforce the principle of least privilege by making authorisation decisions based on these identities, using a policy engine. LFS183x and LFS482 explore in detail how Open Policy Agent can make policy decisions based on structured data.

The final element needed is enforcement of our policy decisions based on identity, and both courses discuss different ways in which this can be achieved. One common architecture which enables Zero Trust is a service mesh, where proxies run alongside workloads to enforce policy, and abstract away service-to-service traffic management from application functionality. Service meshes have some very attractive Zero Trust properties, such as mutual TLS between workloads, with certificates issued by an internal authority within the service mesh control plane.
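The first two elements above, a cryptographically verifiable workload identity and a policy decision made from structured data, can be illustrated with a small example. This is added code, not material from either course or from the SPIFFE/SPIRE projects: it validates a SPIFFE ID (`spiffe://<trust domain>/<path>`) according to the SPIFFE ID grammar and then makes a deny-by-default, least-privilege authorisation decision from constructed policy data in the shape a policy engine such as Open Policy Agent would consume. The trust domain `example.org`, the workload paths and the policy table are all constructed for the example.

```python
import re
from dataclasses import dataclass

# SPIFFE ID grammar from the SPIFFE standard: spiffe://<trust domain>/<path>.
# Trust domain: lowercase letters, digits, '.', '-', '_'. Path segments may also
# contain uppercase letters; empty, '.' and '..' segments are forbidden.
_TRUST_DOMAIN = re.compile(r"[a-z0-9._-]+")
_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")

# Constructed policy data, in the structured shape a policy engine such as OPA
# would consume: each workload identity gets an explicit allow-list of
# (service, method) pairs and nothing else (least privilege, deny by default).
LOCAL_TRUST_DOMAIN = "example.org"  # constructed trust domain for this example
POLICY = {
    "spiffe://example.org/frontend": {("orders", "GET"), ("orders", "POST")},
    "spiffe://example.org/reporting": {("orders", "GET")},
}

@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # starts with '/', or is empty for a trust-domain-only ID

def parse_spiffe_id(raw: str) -> SpiffeId:
    """Validate and split a SPIFFE ID; raise ValueError on anything malformed."""
    if not raw.startswith("spiffe://"):
        raise ValueError("not a spiffe:// URI")
    trust_domain, slash, path = raw[len("spiffe://"):].partition("/")
    if not _TRUST_DOMAIN.fullmatch(trust_domain):
        raise ValueError("invalid trust domain")
    if not slash:
        return SpiffeId(trust_domain, "")
    segments = path.split("/")
    if any(s in ("", ".", "..") or not _SEGMENT.fullmatch(s) for s in segments):
        raise ValueError("invalid path")
    return SpiffeId(trust_domain, "/" + path)

def authorize(caller_id: str, service: str, method: str) -> bool:
    """Policy decision: the caller's SPIFFE ID must be well-formed, belong to
    our trust domain, and the policy must explicitly grant (service, method)."""
    try:
        sid = parse_spiffe_id(caller_id)
    except ValueError:
        return False  # malformed identity: deny
    if sid.trust_domain != LOCAL_TRUST_DOMAIN:
        return False  # foreign trust domain: deny (no federation configured here)
    canonical = f"spiffe://{sid.trust_domain}{sid.path}"
    return (service, method) in POLICY.get(canonical, set())
```

In a real deployment the caller's SPIFFE ID comes from the URI SAN of an X.509 SVID that the mesh proxy or server has already verified against the SPIRE trust bundle; the decision logic above is what sits behind that verified identity.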

LFS183x - “Introduction to Zero Trust” and LFS482 - “Zero Trust Security with SPIFFE and SPIRE” are live now - Enrol Today!