SPIFFE: The Keystone Species of Cloud Native Security
Keystones define an entire system
Conservation biology intersects with data and systems security in several ways, including the vital role that a keystone species plays. A keystone species is one that has a disproportionate impact on the stability of an ecosystem, despite being small or rare, and draws on the structural analogy of a stone arch — if the keystone is under the least pressure of any of the stones comprising the arch, the structure collapses. The absence of a keystone species can significantly alter the ecosystem, and conversely its presence helps to ensure ecosystem resilience.
Supporting your systems with Zero Trust
The concept of Zero Trust Architecture has garnered significant attention in recent years as a way to improve security in modern systems. At its core, Zero Trust is a shift in focus from an inherent, unquestioning trust of network and operator behavior within the system to instead subjecting all traffic and operations to the scrutinous access control. What is often overlooked, and often entirely missed, is Zero Trust’s keystone species: the critical component that enables uniform ecosystem stability and interoperability. In order to shift from trust to verification, a strong uniform and granular identity must be introduced to the system architecture.
At its essence, a distributed system is not simply a group of applications running on multiple machines, but rather an assembly of processes tracing out patterns of communication flows to execute tasks. These processes involve inter-process calls, actions, and changing states.
To borrow another term from biology, a trophic cascade describes indirect and powerful ecosystem-altering interactions that flow from changes to keystone species. Zero Trust’s analog is identity. Unique identification for each component and process of a system is the foundation upon which secure communication and access control are built: it unleashes a trophic cascade of improvements for confidentiality, integrity, and defense-in-depth.
At their core, this form of identity is simply digital keys (for example, TLS certificates or JWTs) that are used to authenticate individual processes and workloads, and to encrypt and decrypt inter-process communication data. Ideally, these keys are short-lived and cryptographically verifiable. Each key is singularly unique to each application workload or process and is in turn used to establish trusted bi-directional communications. This verifiable encryption asserts the authenticity of requests from one workload to another.
SPIFFE as a Keystone
This fundamental functionality is enabled by the Secure Production Identity Framework for Everyone (SPIFFE), which has emerged as a keystone species in the cloud native ecosystem. It defines a set of APIs for proving, validating, and obtaining short-lived cryptographically verifiable identities, and its implementation creates a consumable toolchain for verifying and establishing trust within and between distributed systems. It is designed to enable the creation of strong and verifiable identities for processes running in the cloud and on-prem alike, in containers, on bare metal or virtual machines, and any other dynamic environment such as Functions-as-a-Service. This is vital because, in a Zero Trust Architecture, all subjects or actors in communication, and objects they interact with, have to be treated as potentially malicious and subjected to careful scrutiny.
For starters, SPIFFE allows for the creation of fine-grained access controls that can be used to limit the privileges of a workload based on its function and the necessary time to complete its task. This is important because it narrows the attack surface by only granting the minimum privileges required to a workload, enhancing the protection from faults or malicious behavior.
One of the positive effects of introducing SPIFFE identities to a system is removing hardcoded or slowly-rotated passwords and keys, mitigating the risk of credential reuse in the event of a breach. For comparison, traditional, long-lived identities (such as long-lived API keys, or shared secrets such as passwords) are vulnerable to being reused or replay in the event of a compromise. Once an adversary has access to this information they will use it to gain a foothold, perpetrate an attack by impersonating an application workload, and move laterally closer to the data they seek to damage or exfiltrate. SPIFFE identities dramatically lessen the probability and impact of such an attack: they are valid for a very short span of time, think minutes, are automatically rotated and can be easily revoked if necessary, eliminating the burden of storing and managing access to tokens and key material. This makes it significantly harder for adversaries to find any utility in a short-lived key for the nefarious purpose of constructing an attack.
SPIFFE has no central storage of keys or access tokens, so its security guarantees are magnified as its design averts the risks of “all the keys in one bag”. This reduced reliance on centralized secret stores lessens the impact of a potential breach by limiting the attack to only the behaviors of the workload for the duration of the key material, which makes persistence much harder.
SPIFFE is highly scalable and can be used as the basis for a platform or product offering’s TLS features and device management capabilities. It can be used to secure communications and access control for a large web-scale system with millions of users and devices such as those of Netflix or Square, as well as fitted for smaller organizations with just a few small applications.
The applicability extends not only from the operation of software in production, but also to the task of building software and its supply chain, as in a secure and cryptographically verifiable build system. The benefits that SPIFFE confers to running software can be extended all the way to the software factory — the set of tools, processes and practices used to develop, build, and distribute software. SPIFFE identities can be used to help enforce strict verification and attestation at every stage of development, including and encryption between build and test machines, thus mitigating MiTM attacks and implants in CI/CD, and can enable tracing of the provenance of artifacts and verification of artifact signatures.
These unique properties and ease of implementation bring the emergence of SPIFFE as a keystone species in the cloud native ecosystem. Its functionality is essential to apply Zero Trust as a means to improve security in modern dynamic environments. The vital role it plays is starting to be appreciated in mature, highly regulated organizations to ensure more robust and secure system security architectures, significantly toughened systems, and greater compromise resilience, making an attacker’s job much harder than traditional fixed-credential systems.
ControlPlane and SPIFFE
ControlPlane works closely with our clients to understand their unique cloud security authentication and challenges and help architect and implement customized solutions built using SPIFFE. Whether you are looking to implement Zero Trust for the first time or need assistance with an existing implementation, we have the expertise and experience to help you achieve your goals.