Scytale recently hosted SPIFFE’s quarterly Community Day. The event is a great way to learn about the latest updates on SPIFFE/SPIRE and also hear from peers about their experience with the solutions.

This time around both Square and Pinterest shared problems they are solving with SPIFFE and SPIRE.

Why SPIFFE & SPIRE @ Square?

At Square, product teams are given the flexibility to choose technology stacks that best fit their specific needs. As a result, Square began to deploy a number of heterogeneous hosting and middleware platforms running across their data centers and cloud. It then became increasingly difficult for applications on different platforms to securely and easily trust and talk to each other using platform-native identities.

Square wanted a service identity management mechanism that was not limited to a single platform. SPIFFE was attractive in that it provided them with an interoperable standard to ensure secure communication between services (even on different infrastructure providers and between containerized and non-containerized services). Another attractive property is that, due to the independent SPIFFE specification, they were not locked into a specific implementation.

They chose to explore SPIRE as it had support for cloud and Kubernetes built in, as well as being easy to customize for their own data centers and existing software toolchain.

Watch Matt McPherrin talk about how SPIFFE is being deployed at Square and their strategy for their datacenter and cloud (Kubernetes in AWS & GCP) here.

Why SPIFFE @ Pinterest?

Jeremy Kratch from Pinterest talked about how they moved from doing ad-hoc authentication (commonly done with static tokens or network ACLs) to what he calls “SPIFFEology” (aka SPIFFE/service-centric identities). The two biggest reasons for this move were:

  • Lack of support for multi-tenant environments: As Pinterest started to deploy services into multi-tenant environments to meet scalability needs, using hostnames (provided by a network) as a form of identity didn’t cut it anymore, as these hostnames are the same across tenants and not unique. It is also difficult to independently verify a source service’s hostname, and thus hostnames cannot be easily trusted. Finally, it is obviously a security advantage to encrypt traffic between workloads in multi-tenant environments.
  • Increasing engineering complexity and slower time to market: Since various development teams began to use heterogeneous, dynamic platforms, using hostnames as a form of identity became time-consuming. They were spending a lot of effort creating complex, error-prone regular expressions to compensate for the varying patterns of hostnames across tools.

SPIFFE allows them to easily provide an ID to each service, which makes creating policy easy for service owners and eliminates the reliance on hostnames or the network.
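To make the contrast concrete, here is an added example (not code from Pinterest, Square or the SPIRE project) that sets a hand-written hostname regex beside an exact-match policy on SPIFFE IDs. The hostnames, trust domain `prod.example.org`, paths and function names are constructed for illustration, and the caller's SPIFFE ID is assumed to come from an SVID that has already been validated.

```python
import re

# Constructed legacy rule: allow callers whose hostname looks like the billing service.
LEGACY_RULE = re.compile(r"billing-\d+\.internal")

# Character sets permitted by the SPIFFE ID specification.
_TRUST_DOMAIN = re.compile(r"[a-z0-9._-]+")
_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")

# Constructed policy: exactly one workload identity may call the service.
ALLOWED_CALLERS = {("prod.example.org", "/tenant-a/billing")}


def hostname_allowed(hostname):
    """Hostname policy: says nothing about the tenant, and search() is unanchored."""
    return LEGACY_RULE.search(hostname) is not None


def parse_spiffe_id(uri):
    """Split a SPIFFE ID into (trust_domain, path); raise ValueError if malformed."""
    prefix = "spiffe://"
    if not uri.startswith(prefix):
        raise ValueError("scheme must be spiffe")
    trust_domain, sep, path = uri[len(prefix):].partition("/")
    if not _TRUST_DOMAIN.fullmatch(trust_domain):
        raise ValueError("invalid trust domain")
    # A bare trust domain has no segments; "td/" yields one empty (invalid) segment.
    for segment in (path.split("/") if sep else []):
        if segment in (".", "..") or not _SEGMENT.fullmatch(segment):
            raise ValueError("invalid path segment")
    return trust_domain, ("/" + path if sep else "")


def spiffe_allowed(uri):
    """SPIFFE policy: exact match on the parsed ID, malformed IDs are denied."""
    try:
        return parse_spiffe_id(uri) in ALLOWED_CALLERS
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the same hostname exists in two tenants, the IDs differ.
    for host in ("billing-1.internal", "xbilling-1.internal.other.example"):
        print(host, hostname_allowed(host))
    for sid in ("spiffe://prod.example.org/tenant-a/billing",
                "spiffe://prod.example.org/tenant-b/billing"):
        print(sid, spiffe_allowed(sid))
```
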

Watch Jeremy Kratch talk about how Pinterest is using SPIFFE

Are you looking to deploy SPIFFE or SPIRE into your production environment? Ping me (Umair Khan) on the SPIFFE Slack channel if you are interested in presenting at our next community day.