Open-standards effort underway in the IETF
Securely communicating user identity and authorization across calls between microservices, especially in multi-cloud environments, is an important problem, and it is critical to solve it using open standards to ensure interoperability.
A particularly dangerous class of attacks involves attackers being able to compromise the “virtual private cloud” (VPC) of an organization. This is getting increasingly common, and could happen through software supply chain attacks or privileged account compromise. In such cases, the potential for damage is tremendous, since the attacker can invoke microservices belonging to an organization, impersonate any user, and take any action on their behalf.
Since SGNL published the blog post “Why We Need an RPC Security Standard”, SGNLers Erik Gustavson and I (Atul Tulshibagwale) have had numerous discussions with key players in the industry about why a standards-based approach is important to address this problem.
Over the past few months, a few of us from organizations like Microsoft, Amazon Web Services, Okta, MITRE, NSA, SGNL and others have been meeting as a group to arrive at a charter for this work, and recently we shared this charter with the IETF OAuth Working Group. We will be discussing potential solutions at the IETF 115 meeting next week.
While internet services today provide APIs for access from front-ends and API clients, each such API call results in a call chain that may involve numerous microservices. Furthermore, these microservices may be distributed across on-premises infrastructure and multiple cloud platforms.
In such microservice architectures, efforts like SPIFFE have focused on ensuring there is a “caller ID” for services calling each other. However, there are a few gaps that still need to be addressed:
The charter document here captures this problem description accurately. We look forward to discussing proposals to address these questions at the IETF 115 meeting in London next week. We would love to get more participation in these discussions, and you could attend these meetings in person or remotely.
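To make the problem description concrete, the following added example (written for this page, not code from SGNL, the charter or any IETF draft) simulates a short call chain: a front-end authenticates the end user, the request flows through an "orders" service to a "payments" service, and each hop knows its caller's workload identity in SPIFFE-style form. The weak pattern trusts a plain user header because the caller is "inside the VPC", which is exactly what lets a compromised workload impersonate any user. The hardened pattern has the front-end issue a short-lived, signed user-context assertion bound to the expected chain, and the downstream service verifies it together with the caller ID it already has. The service names, the HMAC key, the JSON layout and the claim names are assumptions for this demonstration only; a real deployment would use an asymmetric key with a published verifier key.

```python
"""Simulated microservice call chain: plain user header vs. signed user context.

Everything here is constructed for illustration; it is not the format of any
standard or of the charter discussed on this page.
"""
import hashlib
import hmac
import json
import time

# Constructed: key shared by the issuing front-end and downstream verifiers.
# (Assumption for the demo; a real system would use an asymmetric key pair.)
ISSUER_KEY = b"demo-only-key-not-for-production"

# Constructed workload identities in SPIFFE-style form (assumed names).
FRONTEND_ID = "spiffe://example.org/frontend"
ORDERS_ID = "spiffe://example.org/orders"
PAYMENTS_ID = "spiffe://example.org/payments"


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so issuer and verifier sign/check identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_user_context(user, scopes, chain, ttl=60, now=None):
    """Front-end issues a signed assertion after authenticating the end user."""
    now = int(time.time()) if now is None else now
    payload = {
        "sub": user,          # authenticated end user
        "scp": scopes,        # what the user authorized for this transaction
        "aud": chain,         # workloads expected to take part in the call chain
        "iss": FRONTEND_ID,
        "iat": now,
        "exp": now + ttl,     # short-lived: limits replay of a captured assertion
    }
    sig = hmac.new(ISSUER_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_user_context(ctx, caller_id, self_id, required_scope, now=None):
    """Downstream check: signature, expiry, chain membership of self and caller, scope.

    caller_id is the workload identity the service already learned from its
    transport (e.g. SPIFFE mTLS); self_id is the verifying service's own identity.
    """
    now = int(time.time()) if now is None else now
    expected = hmac.new(ISSUER_KEY, _canonical(ctx["payload"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ctx.get("sig", "")):
        return False, "bad signature"          # any edit to the user claims lands here
    p = ctx["payload"]
    if now >= p["exp"]:
        return False, "expired"
    if self_id not in p["aud"]:
        return False, f"{self_id} not in call chain"
    if caller_id not in p["aud"]:
        return False, f"caller {caller_id} not in call chain"
    if required_scope not in p["scp"]:
        return False, f"missing scope {required_scope}"
    return True, "ok"


def payments_weak(headers):
    """Weak pattern: user identity taken from an unauthenticated internal header."""
    return f"charged account of {headers['x-user']}"


def payments_hardened(ctx, caller_id, now=None):
    """Hardened pattern: user identity accepted only from a verified assertion."""
    ok, reason = verify_user_context(ctx, caller_id, PAYMENTS_ID, "payments:charge", now=now)
    if not ok:
        return f"denied: {reason}"
    return f"charged account of {ctx['payload']['sub']}"


def demo(now=1_700_000_000):
    """Runs the scenarios and returns the outcome of each for inspection."""
    ctx = issue_user_context("alice", ["orders:read", "payments:charge"],
                             [ORDERS_ID, PAYMENTS_ID], now=now)
    results = {}
    # Legitimate chain: frontend -> orders -> payments.
    results["legit"] = payments_hardened(ctx, ORDERS_ID, now=now)
    # A compromised workload in the VPC rewrites the user claim but cannot re-sign it.
    tampered = {"payload": dict(ctx["payload"], sub="bob"), "sig": ctx["sig"]}
    results["tampered"] = payments_hardened(tampered, ORDERS_ID, now=now)
    # The same assertion replayed an hour later.
    results["expired"] = payments_hardened(ctx, ORDERS_ID, now=now + 3600)
    # A workload that is not part of the expected chain forwards a valid assertion.
    results["wrong_caller"] = payments_hardened(ctx, "spiffe://example.org/reporting", now=now)
    # The weak pattern accepts whatever the header says.
    results["weak"] = payments_weak({"x-user": "bob"})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} -> {outcome}")
```

The point of the two last checks in `verify_user_context` is that caller ID alone (what SPIFFE gives you) and user context alone are each insufficient: the assertion names the workloads expected in the chain, and the verifier cross-checks that against the transport-level identity of whoever actually delivered it.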
Subscribe to the SGNL blog to get updates as we discuss ideas to standardize FTA.