When I look back to my early notes from Jetstack, I was pretty convinced that we’d have infrastructure solved by this point. It would be abstracted away by cloud native technology, and we’d be accessing compute as if it was an electricity service.
Has this happened? Well, not exactly, but Kubernetes is well on the way to becoming foundational technology. As ‘the’ operating system of the cloud, it’s mature, an industry standard and we’re starting to move on to answering other important questions.
As the market changes, different forces emerge and new challenges are created. The threat from cyber attacks is increasing, and we’re still trying to figure out how AI will be used both offensively and defensively.
From my position at Venafi, there are some clear fronts on which we need to engage:
- The Perimeter No Longer Exists
Where we used to be comfortable building firewalls around our infrastructure, cloud native has broken down the perimeter. Multi-cloud and IoT have blurred the edges of where we run our infrastructure. We now need to re-frame our thoughts on securing workloads wherever and however they run, taking a ‘zero trust’ approach to doing that.
- Workloads Are Exploding
Research says machines outnumber humans by more than 45 to 1. The way we architect cloud native software means this is not slowing down. Microservices, serverless, multi-cloud and edge computing are accelerating the number of ‘workloads’ we run on those machines. They are also becoming more ephemeral and shorter lived. How we think about managing these machines at this scale is only just starting to emerge, but securing them is as important as ever.
- Silos Strengthen
On-premises environments are not going away, and I’m seeing an increasing disparity in approach between managing ‘traditional datacenter’ workloads and ‘modern cloud native’ ones. On top of this, the cloud vendors have also entrenched themselves in a layer of services unique to them as a way to ‘build a moat’. Given cloud native is by its very nature ‘multi-environment’, we end up with two, three or more different ways to manage and secure workloads. This is operationally complex and costly, and leads to additional risk.
- Secrets Sprawl
The ease of spinning up containers in the cloud gives us tremendous speed and agility, but if not properly controlled or audited, it can bring great complexity. I regularly now see and hear of developers leaking secrets thanks to a lack of guardrails being applied in the ‘cloud native wild west’. Secrets managers get spun up left, right and center to support rapidly expanding cloud native infrastructure, sometimes under the watchful eye of security, and sometimes not. However it evolves, risk is certainly increasing and, as we’ve learned, the stakes are high.
What to do about it?
Just as you manage the human identities in your business with IAM, at Venafi we have built a business that enables you to do the same thing with machine identities. We recognise that some of these emerging challenges can be tackled by extending our Identity First security approach to workloads.
If you imagine a world where all of the workloads in your estate get given a consistent identity then regardless of where they run, you’re able to observe, manage and control those machines in a consistent, powerful way. Imagine being able to see all of your millions, if not billions of workloads and applying fine-grained authorization to a single piece of code running at the edge of your estate on an IoT device.
Workload Identity is a new frontier that has been made popular by SPIFFE, which now adds value to technology like the service mesh provider Istio. But SPIFFE is just the tip of the iceberg, and many different approaches remain in how this future can be built.
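To make the idea of a consistent workload identity concrete, here is an added example (not Venafi’s code and not part of the SPIFFE project) of what ‘fine-grained authorization for a single piece of code’ looks like once every workload carries a SPIFFE ID. It validates an ID of the form `spiffe://<trust-domain>/<path>` against the character and path rules from the SPIFFE ID specification, then applies a deny-by-default policy keyed on trust domain and path prefix rather than on a network address or a shared secret. The trust domains `example.org` and `edge.example.org`, the namespace-style paths and the policy rules are constructed for the illustration.

```python
"""Validate SPIFFE IDs and apply a small identity-based authorization policy.

Added example: the policy, trust domains and paths below are constructed for
illustration and are not from any real deployment.
"""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

# Character classes from the SPIFFE ID spec: trust domains use lower-case
# letters, digits, '.', '-' and '_'; path segments additionally allow
# upper-case letters. No percent-encoding, query or fragment is permitted.
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")
_MAX_LEN = 2048  # spec-level ceiling on the whole identifier


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" for a trust-domain-only ID, otherwise "/seg1/seg2..."

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(raw: str) -> SpiffeId:
    """Parse and validate a SPIFFE ID string; raise ValueError on any defect."""
    if len(raw) > _MAX_LEN:
        raise ValueError("SPIFFE ID exceeds maximum length")
    if not raw.startswith("spiffe://"):
        raise ValueError("SPIFFE ID must start with 'spiffe://'")
    parts = urlsplit(raw)
    if parts.query or parts.fragment:
        raise ValueError("query and fragment components are not allowed")
    td = parts.netloc
    if "@" in td or ":" in td:  # userinfo and ports are not part of a trust domain
        raise ValueError("trust domain must not carry userinfo or a port")
    if not td or not _TRUST_DOMAIN_RE.match(td):
        raise ValueError(f"invalid trust domain: {td!r}")
    path = parts.path
    if path:
        if not path.startswith("/") or path.endswith("/"):
            raise ValueError("path must start with '/' and must not end with '/'")
        for seg in path[1:].split("/"):
            # Reject empty, '.' and '..' segments so a caller cannot forge a
            # path that normalises to a different workload's identity.
            if seg in ("", ".", "..") or not _PATH_SEGMENT_RE.match(seg):
                raise ValueError(f"invalid path segment: {seg!r}")
    return SpiffeId(td, path)


@dataclass(frozen=True)
class Rule:
    """Allow `action` on `resource` for workloads under `path_prefix` in `trust_domain`."""
    trust_domain: str
    path_prefix: str  # "" matches every workload in the trust domain
    resource: str
    action: str

    def matches(self, caller: SpiffeId, resource: str, action: str) -> bool:
        if (self.resource, self.action) != (resource, action):
            return False
        if caller.trust_domain != self.trust_domain:
            return False
        # Match on whole path segments only: "/ns/prod" must not match "/ns/production".
        return caller.path == self.path_prefix or caller.path.startswith(self.path_prefix + "/")


def authorize(policy: List[Rule], caller_id: str, resource: str, action: str) -> bool:
    """Deny by default; allow only when a rule matches a *validated* caller identity."""
    try:
        caller = parse_spiffe_id(caller_id)
    except ValueError:
        return False
    return any(rule.matches(caller, resource, action) for rule in policy)


# Constructed sample policy: one service gets the orders database, every prod
# workload may read metrics, and any device in the edge trust domain may push telemetry.
POLICY = [
    Rule("example.org", "/ns/prod/sa/checkout", "orders-db", "read"),
    Rule("example.org", "/ns/prod/sa/checkout", "orders-db", "write"),
    Rule("example.org", "/ns/prod", "metrics", "read"),
    Rule("edge.example.org", "/device", "telemetry", "write"),
]

if __name__ == "__main__":
    for caller, res, act in [
        ("spiffe://example.org/ns/prod/sa/checkout", "orders-db", "write"),
        ("spiffe://example.org/ns/staging/sa/checkout", "orders-db", "write"),
        ("spiffe://example.org/ns/production/sa/cart", "metrics", "read"),
        ("spiffe://edge.example.org/device/sensor-0042", "telemetry", "write"),
        ("spiffe://example.org/ns/prod/../prod/sa/checkout", "orders-db", "read"),
    ]:
        print(f"{caller} {act} {res}: {'ALLOW' if authorize(POLICY, caller, res, act) else 'DENY'}")
```

The design point is that the authorization decision is made on a validated identity and nothing else: a malformed or traversal-style ID is rejected before policy is consulted, prefix rules only match on whole path segments, and a workload in a different trust domain (for example a staging namespace or another cloud) never matches a production rule, which is the cross-environment consistency the post is describing.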
Because of this, I’m delighted to announce a new team at Venafi led by me called the ‘Workload Identity Architecture’ team. Our goal is to work closely with CISOs to help them to map out the problems they face in this space, solving them with an identity-first reference architecture and identity services.
It may be thinking big, but if things develop like we think they might, you begin to see the possibility of:
- Getting rid of passwords
- Getting rid of secret stores
- Getting true cross-cloud and on-premises consistency in your machine identity management
- Applying fine-grained authorisation to any piece of code anywhere in your estate
- Managing short-lived identity
Just like we take human identities incredibly seriously, it’s time we start thinking about machine identities in the same way, and I’m delighted to be taking a further step in that direction.
NOTE: You can think of a workload as just a program or application that runs on a computer (whether that be a container, a function, a microservice or a process).