
Building Zero Trust authentication for multi-cloud application services

One of the fundamental challenges organizations face in multi-cloud and hybrid cloud environments is how to easily establish secure communication across different clouds and environments. Cloud providers have their own identity and access management solutions, such as AWS IAM, to manage what access an instance should and should not have. But as soon as applications or services need to communicate from AWS to GCP, or from AWS to on-prem infrastructure, it becomes a challenge, because that identity is AWS-specific and not interoperable. Engineering and operations teams need something secure that works across environments and, at the same time, does not add friction to the deployment cycle.

This is the problem Scytale is trying to address with the Secure Production Identity Framework for Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE). Both of these open-source projects originated at Scytale but are now part of the Cloud Native Computing Foundation (CNCF). These projects have grown in popularity within the cloud native community and have seen contributions from organizations such as Amazon, Bloomberg, Google, Pinterest, Square, Uber and more.

“Scytale is the primary driver of these projects that offer ‘interoperable identity’ between different cloud providers and different platforms,” said Evan Gilman, Senior Engineer at Scytale.io and co-author of Zero Trust Networks. “From the commercial angle, we have built solutions to help organizations adopt these projects faster and extend their functionalities to address the needs of enterprise customers.”

Vendor- and technology-neutral identity solution
The passport analogy best explains interoperable identity. Passports from different countries all look different, but they all have the same size and meet the same specifications. They all have a picture of the passport holder in the same spot, and they all have a barcode at the bottom. Regardless of which country issued the passport, it works across the globe.

A “country” can be a particular software stack, platform, or a cloud provider. Regardless of the environment, the identities that exist within and between those silos can communicate.

Interoperable identity becomes even more critical in multi-cloud and hybrid cloud deployments, which raise the fundamental challenge of how to secure communication across those boundaries.

“We are bringing in a platform-agnostic service identity that is not specific to a cloud provider, platform, and technology,” said Gilman. It levels the playing field and allows users to talk across boundaries. Users won’t talk in AWS or GCP specifics; they communicate on the SPIFFE level. “SPIFFE provides users with what is sometimes referred to as a secure dial tone: you pick up the phone, it rings the other side irrespective of where it’s running and what platform it’s running on,” added Gilman.

SPIFFE-based service authentication is foundational for zero trust networks
SPIFFE is a standard, a set of documents, whereas SPIRE is the software implementation of that standard. SPIRE implements the SPIFFE specifications and enables workloads or services to get these “passports” as soon as they boot, in a way that is very reliable, scalable, and highly automated. This identity-centric authentication is also critical for building a zero trust security model, which removes reliance on the network to deliver trustworthy information.

“Networks have been historically fairly manipulable. So instead we build systems in such a way that it doesn’t rely on that network to deliver trustworthy information,” said Gilman. “We use protocols and strong authentication and authorization to try to mitigate any kind of business that might happen on the wire. It also mitigates what we call lateral movement. So if a neighbor is compromised, just because you’re attached to the same network, that should not mean that you should gain access that you would not have otherwise.”

Gilman explains, “Part of the SPIFFE specification set deals with what we call ‘federation’. There is usually a centralized authority that issues these identities. In reality, there are different companies that have their own authorities. Even different software stacks have their own authorities. There is a need to bridge these gaps.”

That’s where SPIFFE Federation enters the picture. It exchanges these cryptographic keys between different domains, allowing users with different identity providers to communicate effortlessly.

One key design principle of SPIFFE Federation is that it is compatible with OIDC, a similar identity federation spec that is more focused on users; SPIFFE Federation covers server-to-server and service-to-service communication. Anything that already speaks OIDC can take advantage of it: a workload can present one of its SPIFFE identity documents to a public cloud like AWS, which can validate it through this OIDC-based SPIFFE Federation mechanism.
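The federation described in the two paragraphs above comes down to one rule: a workload's identity document is only accepted if it chains to the signing key of the trust domain named in its SPIFFE ID, and "exchanging keys" between domains means importing the other domain's public roots (its bundle) under that domain's name. The following Go program is an added illustration written for this page, not SPIRE code or any Scytale tooling; the trust domain names aws.example.org and gcp.example.org are constructed, the root keys stand in for the signing keys the article later says must be protected, and real SPIRE deployments exchange bundles over its federation endpoints rather than by a map assignment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Bundles maps a trust domain to the roots allowed to sign its SVIDs; federating means importing a peer's bundle.
type Bundles map[string]*x509.CertPool

// bundle wraps a domain's public root as the bundle it publishes to federated peers.
func bundle(root *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return pool
}

// VerifySVID checks an X.509-SVID: a single SPIFFE URI SAN that chains to the
// bundle of the trust domain named in it, not to just any root the verifier holds.
func VerifySVID(b Bundles, svid *x509.Certificate) (string, error) {
	if len(svid.URIs) != 1 || svid.URIs[0].Scheme != "spiffe" || svid.URIs[0].Host == "" {
		return "", fmt.Errorf("expected exactly one SPIFFE ID URI SAN, got %d URI SANs", len(svid.URIs))
	}
	id := svid.URIs[0]
	pool, ok := b[id.Host] // the trust domain is the host part of spiffe://<td>/<path>
	if !ok {
		return "", fmt.Errorf("no bundle for trust domain %q (not federated)", id.Host)
	}
	_, err := svid.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", fmt.Errorf("%s does not chain to the %q bundle: %w", id, id.Host, err)
	}
	return id.String(), nil
}

// issue generates a fresh P-256 key and signs tmpl for it; signer == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA makes a self-signed root for one trust domain: the toy stand-in for a SPIRE server's signing key.
func NewCA(trustDomain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: "root for " + trustDomain},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueSVID signs a short-lived leaf whose single URI SAN is spiffe://<trustDomain><path>.
// Nothing stops a root from writing a foreign trust domain here; VerifySVID is what rejects that.
func IssueSVID(root *x509.Certificate, rootKey *ecdsa.PrivateKey, trustDomain, path string) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{{Scheme: "spiffe", Host: trustDomain, Path: path}},
	}, root, rootKey)
	return cert, err
}

func main() {
	awsRoot, awsKey, _ := NewCA("aws.example.org") // constructed trust domain names, not real deployments
	gcpRoot, gcpKey, _ := NewCA("gcp.example.org")
	bundles := Bundles{"aws.example.org": bundle(awsRoot)}
	remote, _ := IssueSVID(gcpRoot, gcpKey, "gcp.example.org", "/billing")
	_, err := VerifySVID(bundles, remote)
	fmt.Println("before federation:", err)
	bundles["gcp.example.org"] = bundle(gcpRoot) // federation: import the peer's public bundle
	id, err := VerifySVID(bundles, remote)
	fmt.Println("after federation:", id, err)
	spoof, _ := IssueSVID(awsRoot, awsKey, "gcp.example.org", "/billing")
	_, err = VerifySVID(bundles, spoof)
	fmt.Println("foreign trust domain signed by local root:", err)
}
```

The third case in main is the one worth noticing: a certificate that is perfectly valid under the local root still fails if its SPIFFE ID names a trust domain whose bundle does not contain that root. Keying the bundle lookup on the trust domain inside the identity, rather than pooling every trusted root together, is what keeps one domain's signing key from minting identities for another, which is the property that makes exchanging bundles across clouds safe.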

While SPIFFE as a specification doesn’t change, SPIRE has a monthly release cadence and continues to add new features on a regular basis.

The latest release introduced integration with the AWS Private CA Manager, which means that SPIRE deployments running inside AWS can use it to protect the signing keys for identities. These identities are cryptographically backed, so there is a key that is used to sign them, and one of the biggest challenges is securing that signing key. Being able to bury the key inside the AWS service, which is backed by hardware protection, is an incredible feature.

The community is also working on a feature called Nested SPIRE, which allows users to have multiple SPIRE server clusters that form a tree and chain up to each other.

Together, these new features give a lot of flexibility in terms of architecting for failure modes and failure domains, and architecting around different security domains.

Linux 5.5 Released With Many Hardware Support Improvements

Linus Torvalds has just released Linux 5.5 as stable. While there was an uptick in patches this week, and some concern that the Linux 5.5 cycle might be extended due to the downtime encountered around the Christmas and New Year’s holidays, Linus opted to release the 5.5 kernel on schedule today rather than going for an extra release candidate.

Linux 5.5 brings many changes including Raspberry Pi 4 support, AMD Navi GPU overclocking, support for new and upcoming Intel platforms, enabling 5-level paging by default, an NVMe drive temperature driver that is convenient and better than the current user-space utilities, Chromebook Wake-On-Voice support, KUnit for in-kernel unit testing, and much more.

[Source: Phoronix]

The best free and open-source alternatives to Google Drive on Android

Let’s check out the open-source equivalents to Google Drive, the company’s cloud storage product. Thankfully, the feature gap between Google Drive and the alternatives isn’t massive — all of them have clients for desktop and mobile, easy file sharing, and other features. Depending on what hardware you have on hand, these options might not even cost you anything.

NextCloud: NextCloud is widely regarded as the gold standard for hosting your own cloud. It goes far beyond simply hosting files — there are plugins for adding a task manager, a calendar, collaborative document editing (akin to Google Docs), video conferencing tools, notes, and much more. While the Android app only supports managing files, there are some Android clients for NextCloud plugins.

[Source: Android Police]

BT’s ‘open source’ approach will challenge Huawei’s dominance

BT is seeking to challenge the dominance of Huawei over the industry by throwing its weight behind a new “open source” approach to buying essential network gear, the chief executive of Openreach has claimed.

Clive Selley, who runs BT’s separate Openreach broadband business, said the company was seeking to push back against the existing industry structure in which a handful of suppliers, including China’s Huawei, Sweden’s Ericsson and Finland’s Nokia, hold too much power over a highly consolidated market.

[Source: The Telegraph]

So long, Sonos: Meet the open-source audio system that will never die

This week, Sonos announced — and then subsequently retracted — that it would end-of-life a series of popular audio streaming products made by the company during its first 10 years in business. Sonos had decided to end support because these first-generation products lack sufficient processing power and storage to accommodate new features.

Although there have been many improvements in materials, miniaturization, and overall performance, loudspeaker technology has not fundamentally changed since its introduction in the 1920s. Provided that they aren’t used outside their performance specifications, the drivers and cones can last decades. Other components inside speakers include magnets made out of ferrous and rare earth materials that do not expire.

[Source: ZDNet]

A Brief History of Open Source Software (part 1)

Everybody uses open source software (OSS) today. Millions of people contribute to the code itself. Indeed, a substantial percentage of the users and creators of OSS today are young enough to have never known a world that didn’t rely on OSS. In other words, it’s very easy to take this remarkable product of open collaboration for granted. But that would be a mistake, especially given how unlikely it was that such a unique phenomenon could ever have taken hold. If you’ve never had reason to wonder how all this came about, this three part series is for you. In it, I’ll review how remote developers began to collaborate to create OSS, how the legal tools to make its distribution possible evolved, and how the world came to embrace it.
[Author: Andy Updegrove]

Dfinity launches an open-source platform aimed at the social networking giants

When Dfinity raised $102 million in funding in 2018 at a $2 billion valuation in a round jointly led by Andreessen Horowitz and Polychain Capital, it was thought of as a step-change in the world of blockchain technology. In an area that was synonymous with generating a lot of headlines around cryptocurrency speculation, this was a shift in focus, looking instead at the architecture behind Bitcoin, Ethereum and the rest, and how it could be used for more than just “mining,” distributing and using new financial instruments — with a major, mainstream VC backing the idea, no less.

Dfinity launched with a very lofty goal: to build what it called the “Internet Computer”: a decentralized and non-proprietary network to run the next generation of mega-applications. It dubbed this public network “Cloud 3.0”.

Now, it looks like this Cloud is about to break.

[Source: TechCrunch]

Linux 5.5 Ready To Shine With Navi Overclocking, Raspberry Pi 4 Support, Wake-On-Voice

Everything is aligning that the Linux 5.5 kernel is likely to be released this coming Sunday rather than being pushed off for another week of testing.

As it’s been two months since the Linux 5.5 merge window and already we’ve been quite busy talking about material on deck for Linux 5.6, here is a look back at some of the new features and changes of Linux 5.5…

[Source: Phoronix]

Librem 5 phone hands-on—Open source phone shows the cost of being different

Big companies like Samsung and Apple have enough money, control, and connections to move the supply chain in whatever direction they want. In terms of smaller companies, though, there is a single one trying to blaze its own path: Purism, the maker of open source Linux laptops, is building the Librem 5 smartphone. Not only is the OS open source and based on GNU/Linux—not Android—the hardware is open source, too. The core components have open source firmware, and there are even public hardware schematics. This is as close as you’re going to get to a totally open source smartphone.

[Source: ArsTechnica]

FSF Wants Microsoft To Open Source Windows 7

More than 10 years on from its campaign to persuade users to dump Windows 7 for a non-proprietary alternative, the Free Software Foundation (FSF) has kicked off a petition to urge Microsoft to open-source the recently snuffed software.

On the face of it, the logic seems pretty simple. On 14 January Windows 7 reached its end of life as Microsoft turned off the free security update taps with a final fix (which seemed to bork desktop wallpapers for some users).

“Its life doesn’t have to end,” cried the foundation. “We call on Microsoft to upcycle it instead.”

[Source: The Register]