Episode 070: 12‐03‐2024 Removing Cloud Providers From the Zero Trust Equation - GluuFederation/identerati-office-hours GitHub Wiki

Title: Removing Cloud Providers From the Zero Trust Equation

YouTube Video

Description

SPIFFE is a framework to generate identities for software systems in dynamic and heterogeneous environments. SPIFFE Verifiable Identity Documents (SVIDs) enable us to be explicit about the trust we place in systems. However, the degree of trust we can place in SVIDs relies heavily on the soundness of the data gathering and verification process during node attestation. By leveraging confidential computing technologies, specifically Confidential Virtual Machines (CVMs) we can track platform information directly in hardware, including firmware, boot loader, and kernel images, which are then signed with a key rooted inside the CPU itself. By incorporating hardware-protected platform information directly into the SVID generation process, we can significantly enhance the confidence placed in the resulting identity documents. Additionally, consumers of these SVIDs will be able to assert these properties before placing trust in a system.

Homework

Takeaways

⚡ SPIFFE agents are similar in some ways to OAuth clients: they register dynamically, can provide attestation, and obtain a credential. In SPIFFE's case that credential is an X.509 certificate (an X.509-SVID) rather than an OAuth client credential, and this use of X.509 is what makes SPIFFE so useful for automating mTLS.

⚡ SPIFFE is normally used in the cloud for workload (server) identity, and frequently within a single trust domain. For use outside a trust domain, a SPIFFE identity can also be carried in a JWT (a JWT-SVID). But at that point, perhaps OAuth would be more appropriate?

⚡ Confidential Virtual Machines (CVMs) are a game changer for cloud computing. Before CVMs, a workload's memory was potentially visible to the host and the hypervisor. During registration (node attestation), a SPIFFE agent can present a hardware-signed attestation report from the CVM, so the trust anchor is the CPU vendor's key rather than the cloud provider. This kind of technology makes it easier for enterprises to safely deploy across multiple cloud providers.

⚡ CVM attestation lets cloud workloads implement trust models similar to pre-virtualization TPM-based solutions. It is also worth comparing this attestation to the Google Play Integrity API verdict, which can be presented during OAuth Dynamic Client Registration to assert that the app has not been modified and to report the security state of the device (e.g. whether it has been rooted).

⚡ One thing SPIFFE seems to be missing is the equivalent of the OAuth Software Statement (RFC 7591). Is there a way to issue a registration token to SPIFFE agents, without which they cannot register, even with the right attestations? SPIRE's join token node attestor comes closest (the server mints a one-time token the agent must present), but an agent is configured with a single node attestor, so the join token replaces hardware attestation rather than gating it.
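The node-attestation flow the description sketches and the takeaways above discuss, as an added example in Go that is not part of the episode or of SPIFFE/SPIRE itself: the CVM measures firmware, boot loader and kernel, signs the report with a platform key, and the server verifies the signature and nonce, checks each measurement against an allowlist, turns the result into selectors, and issues the SPIFFE ID of the registration entry those selectors satisfy. The `Report` layout, the `cvm:` selector names, the `Policy` and `Entry` types, and the trust domain `example.org` are assumptions made for this example (SPIRE has its own plugin API and entry model); a P-256 key generated at runtime stands in for the key rooted in the CPU, and every measurement is constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Report stands in for a CVM attestation report (an assumed layout; real SEV-SNP
// or TDX reports carry more fields): the image digests plus a verifier-chosen nonce.
type Report struct {
	Nonce, Firmware, BootLoader, Kernel [32]byte // SHA-256 digests
}

func (r Report) digest() []byte { // the byte string the platform key signs
	d := sha256.Sum256(bytes.Join([][]byte{r.Nonce[:], r.Firmware[:], r.BootLoader[:], r.Kernel[:]}, nil))
	return d[:]
}

// Sign plays the role of the key rooted inside the CPU; in a real CVM that key
// never leaves the processor. A P-256 key stands in for it here.
func Sign(platformKey *ecdsa.PrivateKey, r Report) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, platformKey, r.digest())
}

type Policy map[string]map[[32]byte]bool // server-side allowlist of digests per measurement name

// Attest is the server side of node attestation: signature under the platform key,
// nonce freshness, then every measurement against the policy. It returns the
// selector set that carries the hardware-backed facts into SVID issuance.
func Attest(platformPub *ecdsa.PublicKey, nonce [32]byte, r Report, sig []byte, p Policy) (map[string]bool, error) {
	if !ecdsa.VerifyASN1(platformPub, r.digest(), sig) {
		return nil, errors.New("report not signed by the platform key")
	}
	if r.Nonce != nonce {
		return nil, errors.New("nonce mismatch: report is stale or replayed")
	}
	selectors := map[string]bool{}
	for name, v := range map[string][32]byte{"firmware": r.Firmware, "bootloader": r.BootLoader, "kernel": r.Kernel} {
		if !p[name][v] {
			return nil, errors.New(name + " measurement not in policy")
		}
		selectors["cvm:"+name+":"+hex.EncodeToString(v[:])] = true
	}
	return selectors, nil
}

// Entry mirrors a SPIRE registration entry: the SPIFFE ID is granted only to an
// agent whose selector set contains every selector listed on the entry.
type Entry struct {
	SPIFFEID  string
	Selectors []string
}

// Match returns the SPIFFE ID of the first entry the selector set satisfies.
func Match(have map[string]bool, entries []Entry) (string, bool) {
next:
	for _, e := range entries {
		for _, s := range e.Selectors {
			if !have[s] {
				continue next
			}
		}
		return e.SPIFFEID, true
	}
	return "", false
}

// Demo runs one attestation over constructed measurements. With kernelPatched
// set, the CVM booted a kernel the policy does not know, so no SVID is issued.
func Demo(kernelPatched bool) (string, error) {
	platformKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors only if the system RNG fails
	fw := sha256.Sum256([]byte("constructed firmware image"))
	bl := sha256.Sum256([]byte("constructed boot loader"))
	kn := sha256.Sum256([]byte("constructed kernel image"))
	policy := Policy{"firmware": {fw: true}, "bootloader": {bl: true}, "kernel": {kn: true}}
	nonce := sha256.Sum256([]byte("constructed nonce")) // a real server draws this from crypto/rand
	r := Report{Nonce: nonce, Firmware: fw, BootLoader: bl, Kernel: kn}
	if kernelPatched {
		r.Kernel = sha256.Sum256([]byte("kernel with an unknown patch"))
	}
	sig, _ := Sign(platformKey, r) // the CVM signs what it measured
	selectors, err := Attest(&platformKey.PublicKey, nonce, r, sig, policy)
	if err != nil {
		return "", err
	}
	entries := []Entry{{ // hypothetical trust domain example.org
		SPIFFEID:  "spiffe://example.org/cvm/api",
		Selectors: []string{"cvm:firmware:" + hex.EncodeToString(fw[:]), "cvm:kernel:" + hex.EncodeToString(kn[:])},
	}}
	if id, ok := Match(selectors, entries); ok {
		return id, nil
	}
	return "", errors.New("no registration entry matches the attested selectors")
}
```

`Demo(false)` yields `spiffe://example.org/cvm/api`; `Demo(true)` fails at the kernel check before any entry is consulted, and a report altered after signing or replayed under an old nonce is rejected before the measurements are even read. In a real deployment the signature check runs against a certificate chain that terminates at the CPU vendor, which is exactly what takes the cloud provider out of the trust decision.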

Livestream Audio Archive

here