When it comes to the modern API landscape, identity is a critical element of machine-to-machine communication. Being able to identify a source and destination machine in a flow allows for trusted and high-volume interactions to occur seamlessly, offering more robust and secure mechanisms for data exchange and transformation.

Below, we’ll look at two identity frameworks: SPIFFE and SPIRE. We’ll dive into what these frameworks are trying to accomplish, their role in securely identifying systems, and how they can be leveraged to secure cloud-native workloads and create better systems.

Why Machine Identities Matter

The simple reality of modern computing and APIs is that the operational environment has never been more complex. Many years ago, you might only expect to see a single API or a monolith in your day-to-day operations, and these systems would scarcely connect to external systems for anything other than resource updates, status communication, or general-purpose functions.

Now, however, the average computing environment is composed of microservices, ephemeral containers, distributed and federated systems, and cloud-native implementations that make for extremely complex operating conditions.

This heterogeneous state has made many of our traditional methods for identifying and securing systems quite cumbersome. API keys, certificates, passwords — these systems, while still valuable, were designed for a very specific flow and purpose, and they often had significant pitfalls and considerations requiring additional forms of authentication or authorization to be truly secure.

Accordingly, workload identification has become much more important in a rapid way. Identifying a machine in a network seems like a simple task, but this is made all the more complex when the machines and devices number in the thousands in modest setups and the hundreds of thousands in more complex multinational operation environments.

What is SPIFFE?

To tackle this problem, a solution called SPIFFE is been developed. SPIFFE, or the Secure Production Identity Framework for Everyone, is an open-source framework of standards that allows any system to be securely identified.

How Does SPIFFE Work?

SPIFFEE works by attaching a SPIFFE ID to a specific workload. This ID is a unique identifier that identifies the specific workload in question and takes the format spiffe://trustdomain/workload_identifier.

These IDs operate within the trust domain, which is the trusted system root. SPIFFE notes that this could mean a wide variety of things, from organizations to departments. The key point is that the trust domain is essentially the controlling entity of identification, allowing you to compare the SPIFFE ID against the root keys of the trust domain.

Finally, the SPIFFE Verifiable Identity Document is an identity document that proves the ID holder’s identity to the inquiring body. It utilizes a signature from the trust domain signatory, allowing for verification across diverse environments. While this is similar in process to the traditional certificate authority model for trust, SPIFFE enables trust domains to be used to separate the services by form, function, and trust level, allowing for portability while increasing overall security by establishing layers of trust.

One major capability that SPIFFE brings to the table throughout this process is root-level segmentation. Part of the problem of the public key infrastructure (PKI) approach is that you typically have a large body of roots that can generally sign anything. This results in a signing environment that is hard to control, overly general, and ultimately less useful.

Instead of following this model, SPIFFE introduces the concept of a bundle — a group of signing roots that are trusted only within their own trust domain. This approach significantly enhances security by limiting the impact of a compromised signing key to its designated trust domain, thereby preventing it from affecting neighboring signing infrastructures.

What is SPIRE?

SPIRE, or the SPIFFE Runtime Environment, is a reference implementation from SPIFFE designed to provide a production-ready solution. It utilizes the core architecture of the SPIFFE framework and provides the basis for an extensible and integratable platform for identity validation.

How Does SPIRE Work?

SPIRE is based on a server-agent architectural paradigm in which the server is utilized as a signing authority, and an agent is used to manage the workloads connecting to the server.

A SPIRE server is essentially a trusted managerial element that manages all identities within a trust domain, utilizing local registration entries and node attestation to manage and authenticate the identities of the systems connecting to the server. This attestation occurs when the agent first connects to the server, where node attestors “interrogate” the node and its underlying platform for information only it would know. When a node attestation succeeds, it receives a SPIFFE ID.

On the agent, three main components allow the management of the workloads. The node attestor plugins work with the server node attestors to validate and verify the identity of the connected agents. The workload attestor plugin verifies the workload process identity by doing its own attestation against the information given by the server, allowing for a secondary layer of security within the workload verification flow.

Benefits of Using SPIFFE and SPIRE

SPIFFE and the SPIRE implementation are great solutions to providing enhanced machine-to-machine communication with high attestation and security. These systems allow for a high degree of trust in the connected systems, providing certification authority to validate identity in complex systems.

Beyond providing strong security, this approach also simplifies the connectivity between these systems by quite a lot. Since servers and agents are both given a certain amount of authority and delegation, complex systems can be simplified down to a simple attestation system that prevents complex checks while delivering substantive increases in security.

This approach is also well-suited for multi-cloud and hybrid systems, as the distributed nature of the agent verification and the trust domain matrix approach allows for the division of systems by logical, security, workload, or other separations. SPIFFE is ultimately a platform-agnostic solution. Unlike AWS roles, which are specific to AWS, or Kubernetes service accounts that only work with Kubernetes workloads, SPIFFE and SPIRE provide an identity system that is not inherently tied to a particular technology or approach. In effect, this allows for a much greater ability to expand without having to default to a highly specific and centralized system.

Conclusion

SPIFFE and SPIRE are great examples of purpose-built frameworks designed for the modern era. By leveraging some simple principles in powerful ways, SPIFFE offers a highly extensible and reliable system to prove and manage identity in complex environments and interconnected systems. SPIRE is an effective deployable solution ready for immediate adoption and use, offering identity-first solutions for broad applications.