Protecting the Soft Underbelly of Your Organization
Recent attacks like the one experienced by the U.S. Treasury exposed a threat that those of us in the identity world have long known about:
Your Workload Identities are Just as Important to Protect as Your Human Identities
Machines, or workloads, are growing at an unprecedented rate, driven by an explosion of microservices, IoT devices and AI agents. Reports suggest they now outnumber human identities by 45:1.
But can you be sure that you secure your workload identities as well as your human identities?
Unfortunately, your adversary has woken up to the fact that workload identities are the unprotected ‘soft underbelly’ of the organization, and by gaining access to them they can reach the very heart of its systems. In the U.S. Government’s case, that was the Treasury itself.
But why are workloads so weakly protected? The scale of the problem and the challenges of securing access between workloads make it very difficult to do properly. Common problems include:
- Accidental committing of secrets into source code
- Reuse of secrets between different types of workloads, with the implication that those workloads become overprivileged
- The manual effort required to secure workloads that use different types of identity in different cloud environments
Organizations are waking up to the sad truth that their workloads are often a weakly protected and underappreciated aspect of their IT infrastructure, and this problem is growing worse by the day.
Two graduated CNCF projects are fundamental to solving these problems: cert-manager and SPIFFE.
In fact, cert-manager has already transformed certificate management in Kubernetes, automating the lifecycle of X.509 certificates for applications and services. Driven by cert-manager’s continued adoption, powerful new capabilities are emerging when combined with SPIFFE, another key CNCF project designed to provide secure, verifiable workload identity across distributed environments.
By integrating cert-manager with SPIFFE, you can secure every workload with a unique and universal identity using open standards, built on a foundation of proven PKI technology patterns. Doing this means workloads are always authenticated and authorized. It also eliminates static credentials, enforcing a zero-trust security model.
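On the wire, the “verifiable identity” described above is a SPIFFE ID carried as the URI SAN of an X.509 certificate (an X.509-SVID). The Go program below is an example added here, not code from this post, cert-manager or SPIFFE: it mints a constructed self-signed certificate so it runs offline, then applies the checks a receiving workload makes before trusting a peer certificate; the trust domain example.org and the identity path are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// SPIFFEIDFromCert returns the SPIFFE ID in an X.509-SVID: the spec requires exactly
// one URI SAN with the spiffe scheme, and pinning the trust domain rejects outsiders.
func SPIFFEIDFromCert(cert *x509.Certificate, trustDomain string) (string, error) {
	if len(cert.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, found %d", len(cert.URIs))
	}
	id := cert.URIs[0]
	if id.Scheme != "spiffe" || id.Host != trustDomain {
		return "", fmt.Errorf("%q is not an identity in trust domain %q", id, trustDomain)
	}
	return id.String(), nil
}

// NewTestSVID mints a short-lived self-signed cert whose URI SAN is id. Constructed
// so the example runs offline; in a cluster cert-manager issues it from a real CA.
func NewTestSVID(id *url.URL) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-workload"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour), // short-lived, rotated by cert-manager
		URIs:         []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

In a real deployment the chain is also verified against the trust domain's CA bundle before the SPIFFE ID is inspected; that step is omitted here because the certificate is self-signed.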
Cert-manager is a CNCF project which graduated in 2024. SPIFFE graduated in 2022. Together, these projects form a critical part of how we begin to protect some of the most important, yet underappreciated assets of our business. For more information see SPIFFE.io and cert-manager.io.
KubeCon + CloudNativeCon EU 2025 is taking place in London from April 1-4. Register now.