Cloud Native Machine Identity Management for Zero Trust
September 22, 2022 | Richard Collins, Jetstack

One of the core components of the zero trust security model is device identity, which is the ability for a device to have a unique identity that can be authenticated and factored into access control decisions. I find it fascinating to see how Kubernetes now sits at the core of operations at so many diverse forward-thinking companies. Pomerium integrates with cert-manager to automate certificate issuance in Kubernetes environments, enabling developers to develop "fastsecure". Just to chew the fat, I got into a conversation with Pomerium to discuss how modern device identity solutions are using machine identity management with cert-manager to help drive their particular vision for zero trust.

Pomerium recently completed the integration of their Ingress controller with cert-manager as part of the Machine Identity Management Development Fund. I had the opportunity to meet with Colin Mo, DevRel (Developer Relations) Manager at Pomerium, about the benefits the joint solution will deliver to users.


Richard: Tell us about Pomerium and the role machine identities play in your solution.

Colin: Sure! Pomerium is a context-aware gateway that enables secure access to internal applications. It provides a standardized interface to add access control to applications regardless of whether the application itself has authorization or authentication baked in. Pomerium gateways both internal and external requests and can be used in situations where you'd typically reach for a VPN. With access decisions based on contextual information, we provide that full zero trust philosophy throughout the organization.

Our latest release offers authenticating device identity leveraging the open standard WebAuthn. This enables organizations using Pomerium to enforce and attest to device state without forcing end users to install any special client on the device.

Richard: If you're talking about what's on the horizon, then what does the future of identity-driven access look like to Pomerium?

Colin: At a high level, we've been looking more at context-driven vs. identity-driven, because we see identity as a subset of context. So the person making the network request might be real and validated and completely fine, but what about their device? What about their network access rights? These are all the things that surround the context of their request. The person might be fine. They might not be compromised. But their device is a separate piece of the overall context of the request. If you knew an untrusted third party might be listening in on a sensitive conversation between you and someone else, you would say and reveal things in a different manner. So all of that should play a part in access decisions in the future, and this is how we're thinking about it.

Richard: Do you see the work that you do with cert-manager evolving in that direction a bit more than from where it is today?

Colin: cert-manager does a specific part of that context-driven access that I mentioned earlier. Our Kubernetes Ingress controller will work with cert-manager to issue certificates. Until now, Pomerium administrators were not easily able to automate the provisioning and renewal of the TLS certificates supporting the identities of Pomerium's public-facing services. To address this gap, Pomerium has added capabilities which enable seamless integration with the automation provided by cert-manager. Organizations will no longer lose developer productivity or expose themselves to security gaps while manually issuing certificates.

Richard: That will certainly improve speed and security for developers, what Venafi calls "fastsecure."

Colin: Yes, the benefits are multiple. With Pomerium Ingress and cert-manager working together, we can prevent outages due to certificate misconfiguration or expiration. We can ensure Kubernetes resources adhere to company security policy, and users can implement Zero Trust and ensure that sensitive services are only accessed by authenticated and authorized users.

The Pomerium Machine Identity Management project has integrated Pomerium Ingress with cert-manager and is compatible with Jetstack Secure and Venafi as a Service. You can learn more about Pomerium on the Venafi Marketplace.
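To make the integration described above concrete, here is an added example (not code from this post, from Venafi, or from the Pomerium project) of what the setup looks like on the Kubernetes side: a cert-manager ClusterIssuer, and an Ingress handled by the Pomerium ingress controller that asks cert-manager for its TLS certificate through the standard `cert-manager.io/cluster-issuer` annotation. The issuer name, hostnames, namespace, contact e-mail and backend service are placeholders, and the `pomerium` ingress class name and the `ingress.pomerium.io/policy` annotation are assumed to match the Pomerium ingress controller as documented at the time of writing; check them against the version you run.

```yaml
# Added example, not from the post or the Pomerium project.
# Placeholders: issuer name, hostnames, namespace, e-mail, backend service.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod                  # assumed issuer name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: certs@example.com              # placeholder contact address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: pomerium               # assumed: HTTP-01 solver ingress served by Pomerium
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: internal-app
  namespace: apps                         # placeholder namespace
  annotations:
    # cert-manager's ingress-shim watches this annotation, creates a Certificate
    # named after spec.tls[].secretName for the listed hosts, and renews it
    # before expiry, so nobody issues or rotates the cert by hand.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Pomerium access policy: only authenticated users whose identity provider
    # domain is example.com may reach the upstream. Annotation key assumed from
    # the Pomerium ingress controller docs; verify for your version.
    ingress.pomerium.io/policy: |
      - allow:
          or:
            - domain:
                is: example.com
spec:
  ingressClassName: pomerium              # assumed class name of the Pomerium controller
  tls:
    - hosts:
        - app.example.com                 # placeholder public hostname
      secretName: internal-app-tls        # populated and rotated by cert-manager
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: internal-app        # placeholder upstream service
                port:
                  number: 8080
```

After `kubectl apply -f` on both objects, the check that matters is `kubectl get certificate -n apps`: the `internal-app-tls` Certificate should report `READY True`, and `kubectl describe certificaterequest -n apps` shows the issuer's reasoning if it does not. Keeping the certificate lifecycle in cert-manager and the access policy in the Pomerium annotation means the public identity of the service and the authorization decision in front of it are both declared in version-controlled manifests rather than managed by hand.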

This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Ecosystem is evolving above and beyond just technical integrations.
