Litcius/Paper detail

Supporting Confidential Workloads in SPIRE

Eduardo Falcão, Matteus Silva, Luz Ariel, Andrey Brito

202212 citationsDOI

Abstract

The migration of traditional deployment to clouds has driven the need for a more robust security model, the Zero-Trust model. The application of zero-trust principles addresses known security issues such as lateral movement attacks but adds extra identity management complexity. In addition, to cover a broader range of attacks, one must think of strategies to protect data, code, and credentials in such applications. Confidential computing aims to fulfill this goal. Nevertheless, confidential computing is even more complex to implement than Zero-Trust. In this work, we combine the Zero-Trust model with confidential computing by leveraging the SPIFFE standard through its reference implementation (SPIRE), and Intel SGX through the SCONE framework, to seamlessly supply software identities to confidential microservices. Furthermore, we also protected the whole identity-provisioning stack with Intel SGX and assessed the performance overhead. We believe this combination not only improves the security of SPIFFE deployments but also leverages SPIFFE to facilitate the integration between confidential computing components and native applications.

Topics & Concepts

Computer scienceConfidentialityComputer securityCloud computingMicroservicesProvisioningOverhead (engineering)Software deploymentIdentity (music)Computer networkOperating systemAcousticsPhysicsSecurity and Verification in ComputingCloud Data Security SolutionsDistributed systems and fault tolerance
Supporting Confidential Workloads in SPIRE | Litcius