Naming Clouds, What Is Workload Identity Automation?


Clouds have names. Okay, cloud services don’t usually have individual names, but they do have identities to demarcate and define what (if not quite who) they are, what they are capable of, how they have been provisioned for working life and what they have access to. There are a number of specialists that operate in this specific technology space - among them is Venafi, a cloud-centric machine workload identity management company.

Pronounced ven-a-fiy not ven-ah-fee, the company has now introduced SPIFFE (Secure Production Identity Framework For Everyone) support for Venafi Firefly, the company’s own lightweight workload identity issuer for highly distributed cloud-native workloads.

Perhaps easier to pronounce for Brits because it reads like ‘spiffy’ as in dapper and dashing (although this story is not meant to be a technology enunciation masterclass), SPIFFE is an open source standard for securely identifying software systems in dynamic, distributed, heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running.

What is a workload identity?

For completeness here, a workload identity issuer service is responsible for assigning workload identities to software application workloads, whether those are containers, smaller scripts or higher-level services. Being able to authenticate a workload identity (which could ‘simply’ be a cloud hyperscaler service function that stems from a particular Cloud Service Provider instance) means we can authenticate the workload’s access to other services, connection points and supporting system or data fabric resources.

As a further (intended) consequence, being able to automate workload authentication enables cloud platform teams to address strict governance and compliance requirements by enabling the adoption of industry-standard workload identity. This technology automatically rotates and renews SPIFFE identities, helping to underpin zero-trust architectures by eliminating the need for long-term secrets in certificates.

Was that a mention of cloud workload identity ‘secrets’ that also needs defining here then? Indeed, when a cloud-native application or data service needs to run outside of its normal cloud environment but still draw upon resources that stem from the hyperscaler mothership, it uses secrets (passwords or tokens, basically) to authenticate that access. Fundamentally useful, secrets obviously also represent a security risk if they are stolen or compromised. The secure storage, rotation and renewal of secrets is an admin burden for cloud developers, so any automation that works in this space (like the one Venafi is offering) mostly represents good news.

For security teams, Venafi promises that Firefly delivers a consistent unified workload identity system across any public, private or hybrid cloud environment.

Unlike secrets managers and legacy PKIs (Public Key Infrastructures) that can’t support modern, decentralized approaches, Venafi Firefly with SPIFFE can reliably mutually authenticate workloads across dynamic, multi-cloud environments using short-lived, verifiable identities managed by the Venafi Control Plane. As a result, security and platform teams can effectively secure workload identities across all environments while significantly reducing operational complexity and costs.

The cloud-native tsunami

“The cloud-native tsunami is making workload identity the focus for both security teams and adversaries. Knowing what workload is allowed to authenticate is only getting harder with more clouds, more clusters and more microservices,” said Kevin Bocek, chief innovation officer at Venafi. “There’s an urgent need to ensure workload identities are governed and consistent across many teams and applications in a modern business. Security teams want to know how and why workloads are being authenticated without getting in the way of business-changing apps.”

As workload identity plays an increasingly fundamental role in cloud-native architectures, today’s modern applications require an automated way to scale and secure heterogeneous workloads that are short-lived. By leveraging SPIFFE’s open source framework of identity standards, Venafi Firefly customers can now easily secure and govern workload identities across complex, dynamic development environments such as Kubernetes without slowing down innovation.

“Venafi Firefly goes beyond conventional workload identity management. It bridges the gap between security compliance and platform team efficiency by providing a unified, automated approach to seamlessly authenticate workloads in modern, cloud-native environments,” said Shivajee Samdarshi, chief product officer at Venafi. “It automatically issues each workload with its own identity and creates an enterprise-wide trust root system to secure and authenticate workloads across any infrastructure. With SPIFFE support now added, platform teams can use Venafi Firefly to consume SPIFFE-compatible identities and seamlessly authenticate workloads for improved workload identity governance and trust.”

All those cloud ‘chores’

The story here is clearly one of rather complex lower-tier cloud infrastructure technologies. That being said, there’s a message here related to cloud connectivity, cloud identity & security, cloud compliance (especially for high-security mission-critical cloud instances) and cloud secret and certificate management, all of which lead to all-round trust in cloud service robustness and solidity i.e. the very thing that the cloud started out with oh-so-little of.

Overall, it’s a story of cloud provisioning and administration management, the very aspects of cloud operation that we do not want software application developers to have to worry about - we want them to get on with programming great apps, please.
