
Hello World

Over the last six years, technology practitioners and the industry at large have been going through a massive paradigm shift in the way that we think about defensive security. In that time, Kubernetes has gone from a curiosity to mainstream, highly dynamic and heterogeneous computing environments have become the norm, and "zero trust" has ballooned into a $27B industry. Together, these forces have critically disrupted the security patterns of yesteryear. As a result, new patterns, tools, and technologies are necessary to meet the challenges that modern enterprises face in this new world.

At the center of this transformation lies a single, well-understood construct: identity. It forms the foundational bedrock upon which all other systems logically depend, and without it, even basic functionalities and assurances are difficult to achieve. The technology industry has decades of experience managing identity; however, the existing solutions don’t work in the context of modern computing infrastructure. Specifically, they solve human-centric problems well, but fall over when it comes to problems that are dynamic and systems-centric. To address this, we must turn to a new concept: workload identity.

Workload identity is fundamentally different from human identity. It diverges from human identity in important and sometimes subtle ways, from credentials and authentication flows to basic operational requirements. Without it, patterns and protocols originally designed for human identity are incorrectly applied, which results in a long list of vulnerabilities and pains like mishandled secrets and vault management overhead. In fact, these were the direct cause of a security incident in 60% of US companies surveyed in 2021. Furthermore, over 60% of IT/DevOps leaders reported that they were interrupted at least daily with a secrets management request, and over 20% of IT/DevOps workers were interrupted more than four times a day, resulting in a total productivity loss of $8.5B. This is not the way. Workload identity is the answer.

Our founding team includes some of the world's leading authorities on zero trust security and workload identity. Alongside others, we designed and wrote the CNCF-graduated SPIFFE and SPIRE projects. We have delivered dozens of talks and written multiple books. We strongly believe that a successful zero trust strategy is not possible without a consistent and pervasive notion of identity. Our mission is to democratize access to SPIFFE and workload identity at large, bringing true zero trust within reach, and putting an end to the pain surrounding secrets and access management that many of us are all too familiar with.

Stay tuned.