The latest NHI Management group estimates the non-human identities to human ratio is 82:1. This ratio is rapidly increasing as we add more and more agentic and ephemeral cloud workloads and is estimated to be upwards of 400:1. Current practices are to manage these identities similar to existing human based practices with keys, tokens, and other static credentials assigned to identify them. But, as this grows, and at the pace at which they must be provisioned increases, this is not sustainable. Frameworks like Secure Production Identity Framework for Everyone (SPIFFE) aim to provide ways to address this through dynamic runtime authorization and issuance of short-lived credentials. In this webinar we’ll demo how to use SPIFFE to authorize workloads and issue dynamic, short lived tokens that are exchanged for transactional tokens for access to applications and services without the need for static credentials.
Learning Objectives:
- Show how static secrets / NHIs get out of control quickly, even when governed
- Show what SPIRE / SPIFFE is and how to run it in cloud / on-premise workloads
- Show how to take SPIFFE jwts and exchange them for access tokens so do not need to define static secrets for NHIs in the environment
- Incorporate authorization concepts like Cedar, Rego, FGA Tuples into the token issuance to define runtime authorization
This session supports content and knowledge from the SANS Cloud Security curriculum. To learn more, explore upcoming course runs, and access free Cloud tools and content, Click Here!
