34: What is SPIFFE?
Takeaway Points:
SPIFFE stands for the Secure Production Identity Framework For Everyone; it has a dedicated site and is part of the Cloud Native Computing Foundation
It’s a framework to identify and secure communications between application services
Described as a “universal control plane” for distributed systems, it comes with a corresponding deployment pattern and tool-set called SPIRE
With the rise of diversified application development, individual APIs and service building blocks are often built in different frameworks, with different languages and deployed in different locations. SPIFFE can be the glue to provide a level of identity control
The concept is to provide naming and a framework for authentication that moves away from statically assigned credentials and shared secrets
There is also quite a strong focus on federation or at least boundary traversal
A SPIFFE identifier is basically a URI with a spiffe:// prefix that indicates a service, for example spiffe://radar.thecyberhut.com/headlines/latest. The host part names the trust domain and the path names the workload within it
But of course we then need to bind that identifier to something, and consistently verify that binding. That is the authentication angle, and it is done using something called an SVID, a SPIFFE Verifiable Identity Document: a signed artefact that supports a possession (something-you-have) authentication factor
But how are SVIDs defined and issued? A mechanism called attestation is used to analyse and understand process-level characteristics that are not self-asserted, which essentially allows for a secret-less bootstrapping process
SPIRE is a way to make this “magic” happen, with agent and server components
An agent interacts with the server, which acts as the signing authority for that trust domain
The agent represents the “workload” (the service) and interacts with the server to obtain SVIDs and provide attested process information
The SVID is typically an X.509 certificate, which can be used for authentication and can be rotated when necessary
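As an added example (not from the podcast, and not code from the SPIFFE or SPIRE projects), here is the binding step in the takeaways above written out for the X.509 case: a peer's SVID is verified against the trust domain's CA bundle and the only identity accepted is the SPIFFE ID in its URI SAN, so no shared secret is involved. It uses Go's standard crypto/x509 only; the function names and the throwaway CA minted in newTestSVID (a stand-in for a SPIRE server) are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// ParseSPIFFEID splits spiffe://<trust-domain>/<path> into its parts; anything else is rejected.
func ParseSPIFFEID(id string) (trustDomain, path string, err error) {
	u, err := url.Parse(id)
	if err != nil || u.Scheme != "spiffe" || u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", "", fmt.Errorf("not a SPIFFE ID: %q", id)
	}
	return u.Host, u.Path, nil
}

// SPIFFEIDFromSVID verifies an X.509-SVID against the trust domain's CA bundle and returns the SPIFFE ID
// carried in its URI SAN; that ID, not a shared secret, is what the caller then authorises on.
func SPIFFEIDFromSVID(leaf *x509.Certificate, bundle *x509.CertPool, trustDomain string) (string, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("SVID not trusted: %w", err)
	} // EKU left unrestricted on purpose: SVIDs serve both client and server authentication
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("SVID must carry exactly one URI SAN, got %d", len(leaf.URIs))
	}
	id := leaf.URIs[0].String()
	if td, _, err := ParseSPIFFEID(id); err != nil || td != trustDomain {
		return "", fmt.Errorf("SVID %q is not a SPIFFE ID in trust domain %q", id, trustDomain)
	}
	return id, nil
}

// newTestSVID mints a throwaway CA and a leaf whose URI SAN is spiffe://td/path: constructed sample
// data standing in for what a SPIRE server would issue to an attested workload. Returns leaf and CA.
func newTestSVID(td, path string) (leaf, ca *x509.Certificate) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	ca = &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, NotBefore: nb, NotAfter: na}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the workload's own key; the CA never sees the private half
	leaf = &x509.Certificate{SerialNumber: big.NewInt(2), URIs: []*url.URL{{Scheme: "spiffe", Host: td, Path: path}}, NotBefore: nb, NotAfter: na}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, ca, leafPub, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return leaf, ca
}
```

Rotation falls out of the same check: a rotated SVID is just a new leaf signed by the same trust domain CA, and the verifier's bundle, not the workload, decides what is trusted.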
Useful links:
Walk-through of SPIRE concepts
SPIRE case studies and use cases