Why workload identity complexity is causing cloud native security headaches
Cloud native security complexity is growing, and a key factor in this is the sheer scale of workload identities teams are forced to contend with
Cloud native is in many ways a victim of its own success, with issues like workload identification becoming increasingly common partly due to the sheer scale of the space.
Workload identity, the process of understanding what workload is allowed to authenticate, is at the fore for some. It plays an important role in cloud native environments, and it's an issue that’s increasing in complexity, according to Kevin Bocek, chief innovation officer at Venafi.
Speaking at KubeCon 2024 in Paris, Bocek said the rapid growth of the cloud native space is raising problems for security teams as threat actors have ramped up targeting of this domain in a bid to capitalize on potential blind spots.
“The cloud native tsunami is making workload identity the focus for both security teams and adversaries. Knowing what workload is allowed to authenticate is only getting harder with more clouds, more clusters, and more microservices,” Bocek said.
Sitaram Iyer, Senior Director of Cloud Native Solutions at Venafi, expanded on the topic in conversation with ITPro, drawing attention to the implications of the increasingly popular and, hence, increasingly complex cloud native landscape.
Whereas a more traditional world may lend security teams the ability to make direct demands of developers, Iyer said, that “doesn’t quite work” in the cloud native space due to the variety of cloud providers and cloud native technologies.
“There is no one thing in cloud native technology … And eventually you realize that [you have] lots of different clusters, using their own best practices that they believe is the best practice. There is no standardization of how an application is deployed,” Iyer told ITPro.
Cloud Pro Newsletter
Stay up to date with the latest news and analysis from the world of cloud computing with our twice-weekly newsletter
This problem has prompted the development of a raft of techniques and tools dedicated to both streamlining and hardening identity protections across cloud native architectures, Iyer added.
Developers across the community are dialing in on SPIFFE, the Secure Production Identity Framework for Everyone. This is a set of open source standards designed specifically to allow devs to securely identify software.
Using SPIFFE, developers can authenticate workload identities in a more reliable and efficient manner.
This is particularly important given the rise of multi-cloud environments, Iyer noted. With organizations switching to a multi-cloud approach at a rapid pace, this creates additional security considerations and means management of workload identities across these domains is an attractive offering.
Cloud native security posture is a continuous concern in the space
Bola Rotibi, chief of enterprise research at CCS Insight, told ITPro cloud native is a complex landscape matched by equally complex security issues.
The sheer volume of touchpoints on any one piece of data or particular process creates issues of complexity, Rotibi said, while issues of security fragmentation and user identity are also important to consider alongside workload identity.
“I think security probably needs to have a lot more said about it,” Rotibi said. “What is the security posture within Kubernetes? How do they … address fragmentation concerns?”
Security concerns also manifest themselves in the often long and complex supply chains by which cloud native platforms are connected. Speaking at KubeCon 2024, Joshua Lock, software engineer at Verizon, took a slightly closer look at the issues created through supply chains.
The software supply chain denotes all the steps that go into producing a piece of software, steps which manifest themselves as dependencies that could, in turn, become vulnerabilities.
“Most people, when they talk about software supply chain security, they're really thinking about how [they can] protect against unintended modifications of some software.” Lock said.
“We want to prevent someone from tampering with [the] software in production or, if we can't do that, we'd like to know that someone has tampered with [it],” he added.
This, then, further complicates issues of security when operating in a cloud native environment, establishing another area in which users must pay close attention to ensure that one cloud native platform’s reliance on another is not compromising it.
George Fitzmaurice is a staff writer at ITPro, ChannelPro, and CloudPro, with a particular interest in AI regulation, data legislation, and market development. After graduating from the University of Oxford with a degree in English Language and Literature, he undertook an internship at the New Statesman before starting at ITPro. Outside of the office, George is both an aspiring musician and an avid reader.