Weaving a Standards Framework for Non-Human Identities

Thank you so much. I wanna thank everybody who came today. I'm so grateful for having this opportunity. And also want to thank KuppingerCole for the opportunity to talk a little bit about standards and this idea of non-human identities. And I'll talk a little bit more about what we mean by that in a, in a moment. So let's see.

Ah, it works. So next 20 minutes, very quickly we'll talk a little bit about what a non-human identity is and why we should care. And I'm also gonna talk a little bit about why, why now? What is happening that is causing us to think about non-human identities right now? What's the drivers, the mega trends, where is our attention? And then I'm gonna talk a little bit about the role of standards in addressing this challenge. Really sort of thinking a little bit more about how do we connect ecosystems, where are the gaps? What do we need to do next as we tackle this problem?

So what is a non-human identity? Well, I'm gonna cost it a little bit more narrow and call it machine identities or all the identities that we need for our workloads software. So this is containers, virtual machines, applications, services, et cetera. And the identities that we need for the hardware on which it runs. So our mobile devices, iot, oper, OT devices, personal computers, even silicon, right? Right at the root of that supply chain. So when we think about non-human identities or when we talk about it, talk about machine identities. So why now and why standards?

So a couple of things is happening. One of them, or one of the first ones is really the rise of multi-cloud, multi-hybrid. Today when we look at our customer base, about 85% of our customers are no longer, are no longer operating in single cloud environments. They're operating in multi-cloud environments, which means their workloads, there are services, they're business logic, there businesses are distributed across multiple clouds. And managing identity in one cloud is hard. Doing it in two or three or four or five becomes harder.

And so this is one of those trends that's really just sort of shouting out interoperability, right? And a challenge for interoperability. Next one is exponential growth. I think that's been some great talks this week about exponential growth and the kind of things that happen with exponential growth.

You know, just looking at data, even in our own experience today, for every human identity in our system, there's about five non-human identities. And that is gonna explode and to ratio of about one to 20 in the next three to four years, right? And that's just the beginning because success, weget success.

And, and so then we start getting that, that enormous curve of growth. And remember that's happening in a multi-cloud environment, right? Heterogeneous solutions face, right?

So every, every, there's a lot of solutions out there. They themselves, you know, can solve a part of the problem. But the question is, how do we get all of these solutions to work together a little bit better? The other challenge and, and we should not underestimate, this is what I call expertise elsewhere. Our customers, the users of these systems, the implementers of these systems are experts. They're experts at developing code, they're experts at their businesses, they're experts at a variety of technologies and things, but they are not experts at identity.

And we should not require them to be. So there is massive skill shortages in this area. And you know, if we think about many solutions, exponential growth and multi, multiple, multi-cloud deployments, right?

You know, what can we do to help our expertise elsewhere, customers to better cope with that? And then security, right?

So you, it's very hard to have a zero trust architecture without doing fine grant authorization, which is very hard to do if you don't have identities for all your non-human identities, all your devices and your machines. And so solving for security where you have a skill shortage, exponential growth, the heterogeneous solutions space and these multi-cloud environments kind of suggests a need for standards, right? So this is why we need standards and this is why we need them now.

And so we believe that standards are indispensable building blocks for scalable, zero trust implementations in a multi-cloud, multi-hybrid world. This is the only way we're gonna be able to make sure that the right device has access to the right information at the right time for the right reason, and do that at scale. So what does the standards framework look like for non-human identities first, right? Let's think a little bit about what's the identity building blocks that we're going to need in this process. So first of all, we need identifiers, right?

Sounds obvious, but that's actually important. You have to decide how you're gonna identify something. For example, if you think about a workload, that identity for a workload is a combination of the bill of materials, the software, the supply chain. There's another identifier that's about the hardware where it's running. And then there is has another component, which is its instance that it's running. And that actually happens at runtime. And so how do we express identifiers so that we can actually manage this environment? And I'll talk a little bit more about that.

Of course, I'm not saying that there are no identifiers today, it's just that we have so many ways to express identifiers. Identifiers are great, but we also wanna capture them in some form of a credential format, right? We want to be able to represent them. And there are many credential formats. And those credential formats often also include additional attributes and information about an identity. And I'll talk a little bit more about those as well. The next two I'm gonna talk about together at a station in secrets management.

Somehow if there is an identity in a credential format, we need to be able to be sure that this identity is one that we're gonna trust, right? And so how do we do that? There's really two approaches and they work together sometimes. The first one is secrets management. So you know, you provision a long term secret to a workload or a device and you use that for identification purposes and proving identity. The other one is that around attestation.

And that's sort of, think of that as going like, just like we go to the passport office and we say, hi, I'm Peter, here is a bunch of documentation about me, please give me a passport. We sort of do the same thing with workloads, for example, right? There's a pro attestation process, process IDs, a bunch of information about the environment that gets collected. And in the end, an authority says, okay, I believe that your, you here is a, here is an identifier secret that you can use for this session. So at a station and secrets management and then provisioning, right?

So once you've made that decision, you actually have to provision all the other metadata around that identity back to your, to your device or endpoint or authentication and authorization. Of course, right now we're in a good place.

We, we have identifiers, we have secrets. So we can authenticate and we can use that to make authorization decisions. And remember, we have to do this across multiple environments. So we need workload, we need to be able to federate our workloads across environments. And once it's up and running, we have to monitor and be ready to remediate, right? Because it's not enough to just get it up and running and assume and hope that it'll stay in a good state. I think we know that things tend to break. And so I'll talk more about that a little bit as well for all of this.

We need policy and configuration on the one end. And then of course, finally we have to prove compliance for policy and configuration against all of these things, right?

So, so that's kind of what our world looks like. This is the Lego set that we have to build. Now let's talk a little bit about the good news. The good news is there is already a ton of standards in this space that we can work with. And I think there's, I'll have to count them seven or so, I'm gonna stretch the meaning of standards right from normal, from formal standards organizations to include bodies like the Cloud Native Compute Foundation. They serve a very similar function. They create design patterns that's encoded in open source code and available through projects.

And it's sort of, it helps us push out some of this common behavior, right? It allows us to create interoperability. So I'm pushing the limit a little, but now, so what do we have to create these non-human identities at this point? The first one that I'm gonna talk about very briefly is Spiffy the secure production identifier framework for everyone. And the reason we're gonna start there is it's actually a really interesting standard because it gives everything from identifiers all the way up to federation.

So it's a great way to bootstrap workloads and to do that in a cloud or environment neutral way, right? So it actually sort of ticks a bunch of those boxes to start with. Once you are booted up with spiffy, you can start authenticating and you can start doing authorization. I'll talk more about authorization right at the end. It's a hot topic this week.

I have, I'm impressed by how many people care about that part of the problem at the moment. But the good news again, right? For authentication and authorization, once my workload identity has an X 5 0 9 cert, rejo bearer token from the spiffy server, hey, I can use that with OAuth to authenticate and start performing authorization. Those are some of the standards. Some of these are in development by the way, and I, I won't have time to go into detail, but one of the challenges or one of the things that we need to look at is identity training, right?

So the reason we need to make sure that the Spiffy universe and the OAuth universes are connected and work well together is because we need to be able to carry the user authorization context throughout the cold stack across multiple clouds and be able to assert that the person who initially started this transaction did actually an actual fact authorize it, right? And so that's why that connection is really, really important. I talked about monitoring and remediation early on. And so once these workloads are up and running, we need to be able to send some signals.

And if we have a workload that we think is compromised, we want to be able to bring down that workload, not the entire environment. And so a tool presented here, I think a few days ago on shared signals and events, some work in the Open ID foundation, very excited about that standard and its ability to not just solve human identity problems, but also the non-human kind monitoring and remediation, right? I think we also need to think about things like what standards are we going to use for, for logging so that we can make investigation and compliance reporting easier.

And when we get to provisioning, right? There's another sort of cluster of standards that we should look at. There's the fighter device onboarding specification, and within the iatf, the trusted execution environment, provisioning working group, again, looking at provisioning now more on the hardware side. And then there is skim, which is really giving us that opportunity or is currently, has been recently reformed and is beginning to look also at device provisioning. And I think there is a, a star next to it.

A question mark is, do we need to do more work there to also allow for aspects of workload provisioning at a station? Really, really important, right? This is how we build trust in the identities. And that's already, there's a longstanding work in the trusted computing group with the TPM and then also in the IATF with the rats remote atian working group, giving us sort of more standards and more ways in which to a test. And also defining a set of credential formats for those attestations on secrets management.

There's the Oasis Caip work, which is really more focused on secrets management side of things. And then when we get to identifiers that are standards like Medinas and one that I'm very excited about, which is skit the supply chain integrity, transparency, and trust working group. So that working group is really looking at this whole problem around bull of materials.

You know, somebody explained it to me in layman's terms as this, think of this as code signing V next, right? And again, to my earlier comment, right where we started, when we think about the identifiers, we need a way to hook in the supply chain information, the hardware information around identity, and then the actual runtime information to make an identity that we can manage and then can act and monitor and remediate on. So that's a A framework now. So that looks pretty good, but what should we do next?

Oh, actually forgot about these. And I, I said I was gonna come back to them. When it comes to authorization, open Rigo or in the cloud Native Compute Foundation are two is an initiative that seems, and if you walk around the floor here and you talk to people, very popular. There's also a session yesterday that talks a little bit about hexa id QL a little star next to it, right? It's still being developed. And yesterday this happened, AWS in open sourced their cedar policy language, I believe. And that is yet another policy language. And I think this is one of the big open question areas.

Not only if we think about fragmentation, and there were some fantastic sessions about this yesterday, massive fragmentation in the policy language area. So what do we do? Should we invent another language? Should we find translation strategies? Is this a problem that we need to solve with standards or is there other strategies? And I think that's a discussion that we need to have in the community over the following weeks and months as well.

And, and again, I, anybody who has interest in this space, I'd love to talk to you. I'd love to hear what you are thinking and get your inputs and thoughts on what will be the best way to help solve this problem. So what next, right? So how do we craft this? So we have lots of building blocks, so we're in good shape, right? We're not starting from zero. We get to stand on the shoulders of giants. So I think the first thing is just let's start connecting the dots, right? I think getting the, getting OAuth and spiffy to connect well and make sure that that is well documented and understood.

All the basic ingredients are there, people are actually doing it today, but they're doing it in slightly different ways, which is gonna cause us challenges when we start hitting these scale issues in the coming years. And so just formalizing some of those connections in the dots. I think the next one is to start thinking about how we fill some of the gaps. So identity training that I talked about I think is going to be absolutely key for any attempt at final grain authorization.

Some work around provisioning and thinking about how we deal with the metadata and allow metadata from these workload identity environments to also be provisioned into our existing environments. And then finally, monitoring and remediation, all that work that we're doing around identity protection for workloads. How do we make sure that that can actually flow back to the workloads, to the machine identities out at the edge, and do that in a standard compliant way so that you can plug in any set of signals and get them connected to any set of workloads.

And then I think we're gonna take a lean approach, right? I think we need to look at what's the next problem. I think one of the things that really excites me about this space is we are so incredibly early and there is so much opportunity, and in many ways I feel like I'm constantly learning more about the problem.

And again, if there are folks here who are interested to join us on this journey, it's only starting now and very much interested to hearing what other folks think and how other people are tackling this problem with standards. Thank you.

Oh, great. And insightful presentation. So we still have some time for questions, and while you are thinking about your questions, I have just one anecdote, if I may.

Yes, please. Every time I hear non-human identity, I always think about the American Kennel Club and their dog identity standards. I don't know if you heard about it. No. But basically they have a standard for naming dogs. And if there can only be 37 dogs with the same name and the same breed in America, if you have a dog which could of exceeds the counter, you are not allowed into the American kind of club. Wow. So I really hope the work is, which is now being done on the real non-human identities, goes a little bit above that quality standard. Thank you.