SPIFFE and SPIRE are important infrastructure projects. As such, to be truly successful, they should be “boring”. What does that mean? It means they should be foundational, seamless, and ubiquitous, to the point that you almost forget they exist. SPIFFE should be the default, not a decision point. SPIRE should be the default OSS way to get there.
We are not there yet. How do we turn this vision into reality? Enter Club Zero. Here, we will gather people and other resources to try to move the ecosystem around SPIFFE and SPIRE towards this goal.
To achieve this goal, we must build a vibrant ecosystem, and not just look at contributing directly to the SPIFFE or SPIRE projects.
We need your help to make the vision a reality. We’ve come up with some ways folks can help based on personas.
- End Users - I would like my communications secure
- System Administrators - I need to maintain systems (in a secure way)
- Security Professionals - I’m on the hook to ensure things are secure
- OS Distribution Providers - I provide software packages for others to use
- 3rd party Packagers - I provide packages when Distributions do not yet
- Documenters - I write documentation for software
- Influencers - I help others become aware of important things
- Translators - I make inaccessible knowledge accessible
- Software Developers - I make the impossible possible
- Other - Did we miss you? Please let us know.
The biggest impediment to achieving the vision is inertia. We need to describe the problem before we can work on fixing it.
No one really deploys infrastructure just to deploy it. They deploy it to solve a particular part of a bigger problem. Solving the bigger problem is the thing they really care about.
There tends to be a self-reinforcing situation in infrastructure around sysadmins, developers, and security professionals that we need to overcome.
All three personas may push back against SPIFFE because adopting it means betting on a standard, and they are unsure whether SPIFFE is the most widely adopted and mature one.
A system administrator would deploy SPIFFE and/or SPIRE if one of the following were true:
- Software they or their users want to use requires it
- Management or the Security Team requires a capability provided by it
- Contracts or other B2B relationships require it
- If it provided significant security benefits for minimal extra effort
Reasons they push back on adopting SPIFFE:
- If self-maintaining:
  - Concern that managing PKI is hard
  - Another thing to learn
  - Difficulty in configuration
  - Another thing to maintain
  - If there are too few things that need the dependency, it's hard to justify
- If outsourcing responsibility:
  - Who do I call for support?
  - More vendors support traditional PKI than SPIFFE
Developers would add SPIFFE and/or SPIRE as a dependency if:
- It made identity management easier to set up, with little code change required
- It rotated credentials automatically, without manual intervention
- It allowed them to no longer need to think about credentials
- It stops the security team from bothering them
Reasons they push back:
- Desire not to add additional dependencies
- Thinking system admins won't want to maintain the dependency
- Too hard to change the existing code to match the SPIFFE model
- Security professionals or system administrators not requiring tighter security (“good enough” security)
Security Professionals would want to recommend or require SPIFFE and/or SPIRE if:
- It enhances the organization's security posture
- It allows them to meet a policy or regulation
Reasons they push back:
- Overly burdensome on system administrators or developers
- Possible bad relationship with engineering
We will initially have limited resources in Club Zero. If there are particular applications you want to work on, please work on those. But if you are looking for something to work on, we can be more strategic. Strategic contributions to key applications will accelerate adoption. We will keep a list of such projects in the Club Zero issue tracker.
Join us on SPIFFE Slack in #clubzero. Here we can talk to each other about what we can do to help.
Here are some ideas of how you can help, per persona.
End Users:
Make it known you want end-to-end encryption for safety. Ask about the security of the systems you use. Ask whether SPIFFE or SPIRE is being used.
System Administrators:
Try deploying SPIFFE-based technologies such as SPIRE. If anything is harder than you expect, please let us know where the pain points are. We believe we have already addressed the pain points to make an easy-to-use system, but we may have missed some and would love to work with you to identify and fix any such issues. Also, work with your security and developer teams to raise awareness of SPIFFE. Ask your Distribution support channels for direct support.
Security Professionals:
Encourage system administrators and developers to use SPIFFE ecosystem tools to secure their systems. Consider suggesting, or requiring, something better than wildcard certificates valid for a year or more. Recommend killing off all passwords wherever possible. Request additional security in the form of additional attestation (for example: the TPM attested the physical node; the cloud provider attested that the VM is in their datacenter).
OS Distribution Providers:
Consider packaging and supporting SPIFFE ecosystem projects, including SPIRE.
3rd party Packagers:
If your favorite Distribution does not have native support for SPIFFE ecosystem projects, help us package them up and keep them up to date.
Talk to the developers you work with about adding SPIFFE support directly to their projects. Talk to the system administrators you work with about deploying SPIFFE infrastructure such as SPIRE or SPIRL.
If the developers don't plan to support SPIFFE quickly, the gap can sometimes be bridged from within the packaging using bridge technologies. Consider implementing this where possible (for example, adding SPIFFE support to a Helm chart via spiffe-helper).
Documenters:
We could use your help writing documentation that is easier to understand and use for all parts of the ecosystem. The easier things are to understand and deploy, the sooner we solve security problems that are otherwise hard to solve, which helps everyone.
Influencers:
Security is a critically important part of computing, but few people understand it or know what great tooling is available. You can help us raise awareness of the problem space, and help get everyone on the same page towards solving really important security problems.
You could create videos or blog posts about particular functionality, how to do something, how to debug something, and so on.
Translators:
Even if we have content, it isn't very useful if folks can't understand it. Making it available to more folks in their native languages is a significant contribution.
Software Developers:
Software developers often have many different ways of developing. We've further broken down some ways you can help based on what you're working on.
Strongly consider how supporting SPIFFE could make security better while at the same time reducing the effort it takes you and your users to manage that security. If you work with system administrators or security professionals, help raise awareness of SPIFFE and SPIRE as a solution to their security-related needs.
Please consider the strategic project list above, or chat with us on the #clubzero Slack channel.
Consider adding easy-to-use SPIFFE support to your favorite language libraries or platforms.
While the ideal is for projects to support SPIFFE directly, that can sometimes be hard to do for non-technical reasons. Consider contributing to bridge technologies such as spiffe-helper, ghosttunnel, etc. These projects enable the ecosystem to grow even without direct support.