In his recent guest blog for GitGuardian, Mattias Gees, Director of Tech Workload Identity Architecture at Venafi, laid out an argument for using Secure Production Identity Framework for Everyone (SPIFEE) and The SPIFFE Runtime Environment (SPIRE). He also covered the technical details for implementing this identity solution. It is a must-read for anyone struggling to find a path forward on IAM across their organization.
Security professionals should love this approach because it addresses multiple challenges around non-human identities at once by eliminating long-lived secrets like API keys and service worker passwords and relying on automatically issuing short-lived certificates for authentication and authorization. Even if an attacker gets their hands on an old x.509 cert, the window of opportunity likely will have closed before they can act.
So, why not implement a certificate-based system like SPIFFE/SPIRE right now in your organization? For some of our readers, the answer is, "I just didn't know about it yet," and they will begin as soon as you return to your terminal. The answer for most folks, especially those working in a large enterprise, might be closer to "We can't just replace hardcoded credentials with managed machine identities! What would fail? This is an overwhelming proposition!"
While we will not say it is a quick and easy journey, there is an achievable route for organizations committed to solving IAM challenges at the root. And that path starts with admitting you are overwhelmed by secrets sprawl.
Understanding the route toward non-human identities
In our post on Hacker News, "End-to-End Secrets Security: Making a Plan to Secure Your Machine Identities," we laid out a general framework for moving from the Wild West, where no one manages secrets, to a world where all secrets are properly stored, accounted for, and rotated.
We identified the steps:
- Secrets Detection - Search through code and systems involved in the software development lifecycle to identify existing plaintext credentials, gathering as much information as possible about each.
- Secrets Management - Accounting for all known secrets through a centralized vault platform.
- Developer Workflows - Adjust processes and tools to make it easier to properly create, store, and call secrets securely.
- Secrets Scanning - Continuously monitoring for any new secrets that get added in plain text.
- Automatic Rotation - Regular replacement of valid secrets shortens their potential exploitation by malicious actors.
Adopting certificate management infrastructure, like that provided by SPIFEE/SPIRE, is the next logical step in solving secrets sprawl in your organization. Every other step will support you as you go system by system and change the way your applications and all related machine identities communicate.
Other approaches to managing short-lived certificates for your non-human identities
While the article we first cited focuses on adopting SPIFFE/SPIRE, we need to acknowledge that there are other ways to approach certificate-based machine identity management. Some approaches involve SPIFFE as part of the process, such as leveraging the open-source service mesh Istio; SPIRE can be leveraged in place of an agent-based approach.
Other paths to short-lived certificates can be found in secret managers themselves. This takes the form of Public Key Infrastructure PKI. Vault by Hashicorp has a path to automated PKI infrastructure. Venafi, which is now part of CyberArk, offers Zero Touch PKI-as-a-Service.
No matter which final destination you aim at or the specific path you take on your machine identity journey, the first step from where you and your developers are today is the same for everyone.
Taking stock of secrets is the needed first step
The first needed step in threat modeling is understanding what you are protecting. The first step in API security is knowing what APIs you even have. It follows that the first step down the road to SPIFFE/SPIRE and better managing non-human identities is understanding what machine identities currently need authentication and authorization.
We know that access has, up to now, relied on API keys and other long-lived credential approaches, so if we find all the secrets throughout our codebases, project management tools, communication channels, and other text files, like logs, we should have an accounting of all the related services, workloads, and devices right?
You might already be down this path as you adopt a secrets management platform like Conjure from CyberArk, Vault Enterprise by Hashicorp, or cloud provider-specific ones like AWS or GCP. Even if this is as far as you plan to go down this path, then we can really speed things up with The GitGuardian Secrets Detection Platform.
Freeing developers from being secrets experts
While the security ramifications of moving away from long-lived credentials are something we could write an entire book about, a productivity argument must also be made. There is a hidden cost to continuing down the route of manually managing secrets per service or device. In their book "Solving the Bottom Turtle," the authors of SPIFFE/SPIRE say:
"By abstracting cloud provider identity interfaces into a set of well-defined common APIs built on open standards, SPIFFE significantly reduces the burden of developing and maintaining cloud-aware apps."
A cloud-aware application is simply one that calls services in the cloud. And guess what? Every service is different. Each has a learning curve. Each has permissions with varied levels of nuance to navigate. Developers just want their apps to work, so the easiest path is often just leaving permissions as permissive as possible and hardcoding the resulting credential in the place where it is called in the codebase.
SPIFFE/SPIRE and similar approaches for machine identity access remove this level of complexity from the developer's world. Developers save a lot of effort when there is a standardized approach across all services and workloads. Again, from their book
Two important aspects of SPIFFE/SPIRE unlock these savings: the fully automated issuance and management of cryptographic identity and its associated lifecycle, and the uniformity and offloading of authentication and service-to-service communication encryption. By removing manual processes associated with the former, and time spent in research and trial/error in the latter, developers can better focus on what matters for them: the business Logic.
This is amazing news for the developer. If they are coding a REST API microservice, there is no need for them to bog down their work implementing a bearer token or any other such mechanism to achieve secure communication. All of those decisions are completely offloaded to the framework.
Their estimates show an average of 530 projected hours saved due to better developer productivity.
We are here to help guide your next steps
If you are ready to embark on this journey, it is important to recognize that you are not on this path alone. Secrets sprawl is an issue every organization struggles with. The more non-human identities in your environments, the more urgent it is to find a way to escape the risks long-lived credentials currently pose.
It is a good thing there are folks like those at The Linux Foundation's Cloud Native Computing Foundation and OpenSSF who are working on making solutions like SPIFFE/SPIRE free, open source, and accessible to all. Secrets management platforms like Conjure and Vault are going to make sure your current non-human identities that necessarily rely on secrets can continue to function safely while you implement a better approach.
GitGuardian is here to help you with that first step that is ever-ongoing; discovering all the secrets in your code (and other sources) in a scalable and automatable way. Our API-based approach means you can rely on getting the right contextual information in each incident and tie it directly into your remediation processes and tooling. We see a bright future where long-lived secrets have no place in how our non-human identities communicate. We hope to work with you to get you there sooner.