YoVDO

Establishing a Production Zero Trust Architecture

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

DevSecOps Courses, Security Policies Courses, SPIFFE Courses, SPIRE Courses

Course Description

Overview

Explore the implementation of a Zero Trust Architecture in this comprehensive conference talk by Frederick Kautz from SPIFFE/SPIRE. Develop a working definition of Zero Trust for organizational security policies, and learn to leverage CNCF and open-source technologies to achieve this architecture. Focus on cryptographic identities for workloads, define security policy controls, and address DevOps/DevSecOps requirements, including automation and observability for effective threat response. Discover strategies for onboarding legacy systems into a Zero Trust environment and gain insights on fostering organizational culture change to adopt these technologies while balancing security expert and application architect concerns. Explore topics such as the Triangle of Trust, perimeter defense versus Zero Trust, user identity, workload attestation, policy establishment, and inter-organizational trust. Delve into advanced use cases like multi-party edge compute, infrastructure identities, and multi-factor authorization using SPIFFE and JWT. Gain valuable knowledge on information security fundamentals, observability, education, and automation to successfully implement a production-ready Zero Trust Architecture.

Syllabus

Intro
Reality/Assumption Gap
Drivers
Change comes with Risk
Triangle of Trust
Perimeter Defense - Zero Trust
Zero Trust Environment
User Identity
Attest Workloads
Establish Policy
Establish Trust between Organizations
Application needs a connection to the Secure Corporate Intranet!
Advanced Use Case: Multi-Party Edge Compute
Identities for Infrastructure too
No Workload Authentication
Multi-factor Authorization (SPIFFE+JWT)
Workload 2FA: Identity Provider + Application Identity
Let's back up and talk strategy
Information Security 101
One possible early strategy
Observability
Education
An Aside: Legacy Systems
Automate
Educate


Taught by

CNCF [Cloud Native Computing Foundation]

Related Courses

Introducción a SPIFFE y SPIRE - Autenticando servicios nativos de la nube
Ekoparty Security Conference via YouTube
Road to SLSA3 - Non-falsifiable Provenance in Tekton with SPIFFE/SPIRE
Linux Foundation via YouTube
How SPIFFE Helps Istio in Service Mesh Federation
Linux Foundation via YouTube
Trust No System: The Unsettling Reality of Zero Trust
CNCF [Cloud Native Computing Foundation] via YouTube
Growing SPIFFE and SPIRE in 2023 and Beyond - Secure Identity Management Progress
CNCF [Cloud Native Computing Foundation] via YouTube