Production Identity Day: SPIFFE & SPIRE

This session would cover new community integrations and initiatives being worked on by community members. Guest speakers, along with their topics, include:

• Extending Authentication for Istio with SPIRE – Doron Chen, IBM
• Securing user privacy with transitive identity –  Andrew Jessup, HPE
• Leveraging certificate transparency to strengthen audibility in SPIRE - Ruide Zhang, ByteDance
• Parsec and SPIFFE –  Paul Howard, Arm

For a long time in order to achieve mutual TLS between Kafka brokers and its clients we had to use long-lived certificates which is a nightmare to manage at large scale. At TransferWise, we have around 300 microservices and most of them use Kafka for the async communication, stream processing, event sourcing, etc. We wanted to implement Kafka security in a way that reduced the maintenance burden on platform teams, while making migration of diverse clients as simple as possible. In this talk we will describe how we have achieved that goal using SPIFFE with SPIRE and Envoy, requiring zero code changes on the client side.

We’ve been rolling SPIFFE out internally at GitHub to empower teams to manage interoperable Production Identity documents. In this talk we’ll give a brief overview of how we’ve deployed SPIRE and leveraged its plugin system to integrate with our internal systems and tooling.

At Square we have developed our own service identity system a few years ago that served us well in our datacenters, but as we increasingly started adopting the cloud, we decided to implement SPIFFE to provide seamless service identity system that would span many environments. In this talk I would like to briefly present how we built a migration process and what we learned from it.

Microservice architecture although beneficial brings with it unique security challenges around authentication and authorization which become more acute due to the diverse nature of microservice environments.
How do we reliably authenticate and authorize interactions between 10s, 100s, or even 1000s of services at scale while handling 1000 API calls per second?

SPIRE solves authentication by creating an identity plane across varied infrastructure over which cryptographically verifiable identities such as JWTs are delivered securely to workloads. OPA provides a policy engine that can be used to enforce fine-grained authorization policies across the stack.
We will show how SPIRE issued JWT SVID claims created using SPIRE’s OIDC Federation can be used by OPA to enforce service-to-service and end-user access control in microservice environments without compromising on speed and availability.