In today's modern technology landscape, where workload identity and access management forms the backbone of most applications, ensuring zero trust is crucial. There are no humans involved when these machines talk to each other, so the question arises: how do we ensure that only the intended access is allowed? This is where
machine identities, intent-based access control (IBAC), Kafka Access Control Lists
(ACLs), Otterize, and cert-manager come into play.
Understanding the importance of machine-to-machine zero trust
Most backends are composed of services communicating with each other, often within a Kubernetes cluster. When a service is compromised, it can potentially be used as a launching pad to infiltrate other services within the network. To address this, we need to know who is initiating these communications, which is where machine identities become critical.
The first step in achieving machine-to-machine zero trust is to define what constitutes "intended access" during the design phase. By doing so, you can ensure that your code explicitly outlines what each machine, or client, is supposed to do. Keep reading to learn how Otterize enables you to declare client intents, and how that pairs with cert-manager and Venafi.
Visualizing machine communication with Otterize
Let's consider a scenario where services are interacting with a Kafka Broker in a Kubernetes cluster. To gain a deeper understanding of these interactions, you can leverage Otterize, a powerful platform for managing and securing your machine identities and access control. Otterize is deployed using a single, no-configuration Helm install command, and can then immediately generate a graph that visualizes the calls between services. This graph is invaluable for gaining insights into your system's behavior.
Otterize enables you to view an access graph that guides you in securing your system effectively. It highlights the next steps to enhance your network's security.
Strengthening machine identities with cert-manager
The cornerstone of zero trust is a robust machine identity. One widely used tool in Kubernetes clusters, cert-manager, is here to help you establish and manage these identities. Otterize offers a first-party integration with cert-manager to ensure that your certificates are issued how you intended, enforcing Venafi Trust Protection Platform policies if so configured.
When a service requires a credential, Otterize streamlines the process by creating a certificate resource for cert-manager, ensuring the certificate with the workload’s identity is provided to the service. This integration simplifies the management of machine identities and certificates, providing a robust foundation for zero trust.
Declaring intents and protection
To make zero trust a reality, you need to declare your intents. The format is simple, and Otterize makes it easy. If your client needs access to a specific topic, you declare that intent, and Otterize will verify that the declared intents guarantee access for the client.
In addition to declaring intents, you can further enhance security by specifying protection requirements. For example, you can declare that a given Kafka topic requires intents in order to be accessed. If a client lacks a declared intent, it will be blocked. This approach ensures that only clients with both identity and intent declarations can access the topic.
Making zero trust easy: your roadmap
- Start with a strong machine identity: Utilize cert-manager and the Venafi Control Plane to establish a robust machine identity.
- Declare intents at design time: Define what's intended to happen in your code during the design phase and Otterize will automatically incorporate these declarations into your CI/CD pipeline.
- Leverage Otterize: Use Otterize to ensure everything works seamlessly, and it configures your existing systems. Otterize currently supports Kafka, network policies and Istio service measures. It is also expanding to include database integrations and AWS support.
Simplifying mTLS certificate management with cert-manager
To simplify the provisioning of mTLS certificates, cert-manager automatically creates certificate resources based on the workload's identity. The integration with Otterize further streamlines this process, determining the correct subjects for certificates using the pod's identity.
In an era of machine-to-machine connections, ensuring zero trust is imperative.
By using tools like Otterize, cert-manager, and Kafka ACLs, you can visualize, manage, and secure your workload identities and access control. This approach not only strengthens your system but also simplifies the complex task of managing machine-to-machine trust in modern environments.
Start building trust in your machine interactions today!