6 minute read

Open source workload identity management could help secure hybrid clouds

IBM is open sourcing project “Tornjak” to encourage the development and adoption of enterprise-level identity management between clouds.

IBM is open sourcing project “Tornjak” to encourage the development and adoption of enterprise-level identity management between clouds.

Companies big and small have made great strides migrating workloads to the cloud and deploying cloud-native applications. At the same time, the resulting hybrid multi-cloud architectures can create challenges for identity and access control, as resources and workloads must operate across multiple public clouds and services.

IBM Research’s new open source project, Tornjak, seeks to tackle those challenges head-on.

We want to help enterprises embrace this new way of working by providing a consistent level of control, visibility and auditability of workload identities for workloads across various clouds.

How do we do that?

Different cloud providers have their own sets of identity and access control systems. That allows strong authentication of workloads and access control management within a cloud provider’s own domain. But securing shared resources between clouds can be complex.

Today, when developers want to grant access between clouds, they use one of two common methods:

  1. The first is to generate a long-term token or API key. Unfortunately, that approach comes with many downsides because it leaves administrators unable to audit and determine the total impact—or blast radius—of a potential security incident.
  2. The second method relies on federation, which is more secure but not very efficient, not yet anyway.

That’s because federation support across different clouds varies greatly. More importantly, each cloud provider has its own notion of identity, schema and trust relationships. That makes creating a federated identity within an organization a complex exercise, leading as a result to misconfiguration or mismanagement of access control.

Finding common ground

That's where Tornjak can help.

Designed to create common ground for workload identity management, it provides a management layer atop the SPIFFE (Secure Production Identity Framework for Everyone), a universal identity control plane for distributed systems under the aegis of the CNCF—the Cloud Native Computing Foundation.

Tornjak also uses SPIRE, an implementation of the SPIFFE runtime environment. Using SPIFFE and SPIRE as a foundation of a zero-trust security model, Tornjak can help manage the secure provisioning and authentication identities.

One of our main goals is to provide CISOs, security operators and auditors the management interfaces and tools necessary to manage their organizations’ workload identities. The combination of SPIFFE, SPIRE and Tornjak should offer organizations stratified workload identity management, simplifying access control without sacrificing security. The technology addresses the problem space of machine identity trust in cloud native networks.

“I am very excited about the innovation happening in the zero-trust security. SPIFFE and SPIRE, now combined with Tornjak, are providing a highly scalable and community-driven solution to address service mesh security,” said Luke Hinds, security engineering lead, Red Hat Office of the CTO.

IBM open sourcing project “Tornjak” logo.
IBM open sourcing project “Tornjak” logo.

Barriers to secure workload identity management

The main challenge of our research is to create a shift in the way cloud users manage and secure their organization’s workload identities.

This challenge manifests itself in two ways:

  1. As use of cloud native technology matures and users start to move more workloads to cloud, they will discover the difficulty managing workload identities across multiple public clouds. Because there’s very little education on how this should be handled, most users end up creating work-arounds or employing techniques that may jeopardize security.
  2. And from a security and audit perspective, requirements around security are still being formalized. For the most part, users and auditors alike are uncertain how cloud native technology plays into security and compliance. That lack of common understanding and tooling in cloud native environments keeps the technology from reaching the mainstream, relegating cloud native to a much smaller group of early adopters.

Open source can accelerate development

In an effort to keep Tornjak open and available to all, IBM is donating the project to be part of the CNCF, under the SPIFFE community umbrella. The project will join a well-founded community of developers, integrators and users—including Bloomberg, ByteDance (developer of TikTok) and Github—focused on solving workload identity challenges introduced by hybrid cloud environments. The community also includes Cisco, Google, HPE and others building new tools atop SPIFFE/SPIRE.

In open sourcing Tornjak, IBM’s goal is to accelerate the development of hybrid cloud workload identity solutions. We’re also hoping to highlight the workload identity problem for those unfamiliar with it, and to demonstrate IBM’s close partnership with Red Hat and the open-source community in addressing these challenges. The CNCF SPIFFE community offers us an excellent forum through which we can contribute our ideas and pursue the best identity management solutions.

Tornjak is still in its early development stages—the project has been implemented with the basic functionality for managing identities. Additional work needs to be done to get it ready for enterprise adoption. Our hope is that the open-source community's combined efforts will enable us to achieve a production-ready solution by the end of the year.

To learn more about Tornjak and how to get started, visit our article on Medium.