02-26, 11:30–12:00 (UTC), Ríma
Workloads increasingly delegate obtaining and using credentials to brokers. This talk presents common delegation models, the resulting security risks and possible mitigations, and invites research into new mechanisms to secure delegated workload identities.
The changing threat environment has put workload identities in the spotlight. New standards are being developed to address some of the most immediate challenges and to improve authentication and authorisation capabilities for workloads. This includes work progressing in the IETF WIMSE and OAuth working groups, which is expected to be adopted by SPIFFE in the Cloud Native Computing Foundation.
However, as these standards are developed and the adoption of workload identities proliferates, it is also becoming clear that some of the assumptions underlying the security model need to be revisited.
Architectural patterns like egress gateways often request and operate identities on behalf of workloads. Similarly, modern lightweight service meshes like Istio Ambient Mode act as brokers for workload identities, both in requesting and in using credentials. In some deployment models, a platform broker requests OAuth access tokens and then provisions them to workloads on the platform. Sender-constraining these access tokens requires a form of delegated key binding in which the broker can request access tokens bound to a key it does not control.
In this session, we will introduce the delegation models commonly seen and discuss the security challenges that come with those modes of operation. We will then discuss mitigations, ranging from proposals to watermark tokens, so that recipients can take into account how identities were provisioned, what protocols were used and what attestation or authentication levels were achieved, through to new sender-constraining mechanisms for delegated key binding that enable brokers to request sender-constrained tokens on behalf of workloads.
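The delegated key binding described above, as an added worked example that is not part of this abstract, the speaker's work, or any WIMSE, OAuth or SPIFFE specification: the workload generates a key pair and keeps the private half; the broker receives only the public key and asks the authorization server for an access token whose `cnf.jkt` claim (the JWK thumbprint of RFC 7638, as used by RFC 7800 and DPoP in RFC 9449) names that key; the workload later presents the token together with a proof signed by its private key, and the resource server checks both. Everything about how the broker passes the workload's key to the AS (`issueDelegated`), the HMAC-signed token format, the proof message layout, the SPIFFE ID and the audience URL are assumptions made for this example, not a real endpoint or draft.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // base64url without padding, as in JWS/JWK
// jwkThumbprint: RFC 7638 thumbprint of an Ed25519 JWK, OKP members (RFC 8037) in lexicographic order.
func jwkThumbprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"Ed25519","kty":"OKP","x":"%s"}`, b64.EncodeToString(pub))))
	return b64.EncodeToString(sum[:])
}

// claims: the access token payload; cnf.jkt (RFC 7800 / RFC 9449) names the key whose holder
// must prove possession. Under delegated binding that holder is the workload, not the broker.
type claims struct {
	Sub string            `json:"sub"`
	Aud string            `json:"aud"`
	Exp int64             `json:"exp"`
	Cnf map[string]string `json:"cnf"`
}

// authServer stands in for the token endpoint; tokens are HMAC-signed with a key shared
// with the resource server (a simplification of JWS for this example).
type authServer struct{ key []byte }

// issueDelegated is the HYPOTHETICAL delegated-key-binding request: the broker hands over the
// workload's public key and the AS binds the token to it. The broker never holds the private key.
func (as *authServer) issueDelegated(sub, aud string, workloadPub ed25519.PublicKey) string {
	payload, _ := json.Marshal(claims{Sub: sub, Aud: aud, Exp: time.Now().Add(5 * time.Minute).Unix(),
		Cnf: map[string]string{"jkt": jwkThumbprint(workloadPub)}})
	body := b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, as.key)
	mac.Write([]byte(body))
	return body + "." + b64.EncodeToString(mac.Sum(nil))
}

// proofMessage ties a proof to one token (its hash, like DPoP's "ath") and one audience.
func proofMessage(token, aud string) []byte {
	ath := sha256.Sum256([]byte(token))
	return append(ath[:], []byte(aud)...)
}

// workloadProof is what the workload signs with its own private key when it presents the token.
func workloadProof(priv ed25519.PrivateKey, token, aud string) []byte {
	return ed25519.Sign(priv, proofMessage(token, aud))
}

type resourceServer struct {
	aud string
	key []byte
}

// verify checks the token itself, then that the key presented with the request matches
// cnf.jkt and that the proof was produced with that key.
func (rs *resourceServer) verify(token string, pub ed25519.PublicKey, proof []byte) error {
	body, sigB64, ok := strings.Cut(token, ".")
	payload, err1 := b64.DecodeString(body)
	sig, err2 := b64.DecodeString(sigB64)
	mac := hmac.New(sha256.New, rs.key)
	mac.Write([]byte(body))
	if !ok || err1 != nil || err2 != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return errors.New("bad token signature")
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	if c.Aud != rs.aud || time.Now().Unix() >= c.Exp {
		return errors.New("wrong audience or expired")
	}
	if c.Cnf["jkt"] != jwkThumbprint(pub) {
		return errors.New("presented key does not match cnf.jkt")
	}
	if !ed25519.Verify(pub, proofMessage(token, rs.aud), proof) {
		return errors.New("invalid proof of possession")
	}
	return nil
}

func main() {
	// Constructed scenario: the workload keeps its private key; the broker only receives the public half.
	wPub, wPriv, _ := ed25519.GenerateKey(nil)
	shared := []byte("demo-shared-secret")
	as, rs := &authServer{key: shared}, &resourceServer{aud: "https://api.example.internal", key: shared}
	token := as.issueDelegated("spiffe://example.org/ns/prod/sa/payments", rs.aud, wPub) // broker's request
	fmt.Println("workload presents token:", rs.verify(token, wPub, workloadProof(wPriv, token, rs.aud)))
	// Anyone holding the token but not the workload's key (the broker, or a thief) is rejected.
	bPub, bPriv, _ := ed25519.GenerateKey(nil)
	fmt.Println("broker replays token:", rs.verify(token, bPub, workloadProof(bPriv, token, rs.aud)))
}
```

The point the example makes is the one the abstract raises: with the binding delegated, the broker can obtain the token but cannot use it, because the proof of possession must come from the workload's private key. What the example does not solve, and what the talk frames as open, is how the AS can trust that the public key the broker submits really belongs to the named workload; here `issueDelegated` simply takes the broker's word for it.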
Pieter Kasselman is an Identity Enthusiast, focused on standards-based identity products. Pieter has over 25 years' experience as a technologist and engineer, working on bringing new technologies and business models to market. Pieter's first encounter with identity was his final-year project, which used neural networks to identify users based on typing patterns. Since then he has worked in a number of roles as an information security analyst, software engineer and program manager in industries including finance, software, silicon and cloud. His diverse background gives him a unique perspective on the importance of identity and on the role of identity standards as both a business enabler and the first line of defence for organizations. Pieter recently joined SPIRL, where he is focused on developing standards, technologies and products that allow non-human identities, especially workload identities, to be governed to a least-privilege profile.