Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication

• URL: http://arxiv.org/abs/2504.14760v1
• Date: Sun, 20 Apr 2025 23:06:03 GMT
• Title: Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication
• Authors: Surya Teja Avirneni,
• Abstract summary: CI/CD systems have become privileged automation agents in modern infrastructure, but their identity is still based on secrets or temporary credentials passed between systems.<n>This paper describes the shift from static credentials to OpenID Connect (OIDC) federation, and introduces SPIFFE as a platform-neutral identity model for non-human actors.
• Score: 0.0
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: CI/CD systems have become privileged automation agents in modern infrastructure, but their identity is still based on secrets or temporary credentials passed between systems. In enterprise environments, these platforms are centralized and shared across teams, often with broad cloud permissions and limited isolation. These conditions introduce risk, especially in the era of supply chain attacks, where implicit trust and static credentials leave systems exposed. This paper describes the shift from static credentials to OpenID Connect (OIDC) federation, and introduces SPIFFE (Secure Production Identity Framework for Everyone) as a runtime-issued, platform-neutral identity model for non-human actors. SPIFFE decouples identity from infrastructure, enabling strong, portable authentication across job runners and deployed workloads. We show how SPIFFE identities support policy alignment, workload attestation, and mutual authentication. The paper concludes by outlining next steps in enabling policy-based access, forming the basis of a broader Zero Trust architecture for CI/CD.

Related papers

• Identity Control Plane: The Unifying Layer for Zero Trust Infrastructure [0.0]
  Identity Control Plane (ICP) is an architectural framework for enforcing identity-aware Zero Trust access. ICP model unifies SPIFFE-based workload identity, OIDC/SAML user identity, and scoped automation credentials via broker-issued transaction tokens.
  arXiv  Detail & Related papers  (2025-04-24T17:21:00Z)
• Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD [0.0]
  Credential brokers offer a way to separate identity from access in CI/CD systems.<n>This paper shows how verifiable identities issued at runtime, such as those from SPE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads.
  arXiv  Detail & Related papers  (2025-04-20T23:08:17Z)
• Trusted Identities for AI Agents: Leveraging Telco-Hosted eSIM Infrastructure [0.0]
  We propose a conceptual architecture that leverages telecom-grade eSIM infrastructure. Rather than embedding SIM credentials in hardware devices, we envision a model where telcos host secure, certified hardware modules. This paper is intended as a conceptual framework to open discussion around standardization, security architecture, and the role of telecom infrastructure in the evolving agent economy.
  arXiv  Detail & Related papers  (2025-04-17T15:36:26Z)
• SLVC-DIDA: Signature-less Verifiable Credential-based Issuer-hiding and Multi-party Authentication for Decentralized Identity [21.498265818902464]
  Verifiable Credential techniques are used to facilitate decentralized DID-based access control across multiple entities.<n>Existing DID schemes generally rely on a distributed public key infrastructure that also causes challenges.<n>This paper proposes a Permanent-Hiding (PIH)-based DID-based multi-party authentication framework with a signature-less VC model, named SLVC-DIDA.
  arXiv  Detail & Related papers  (2025-01-19T13:58:01Z)
• Distributed Identity for Zero Trust and Segmented Access Control: A Novel Approach to Securing Network Infrastructure [4.169915659794567]
  This study assesses security improvements achieved when distributed identity is employed with ZTA principle.<n>The study suggests adopting distributed identities can enhance overall security postures by an order of magnitude.<n>The research recommends refining technical standards, expanding the use of distributed identity in practice, and its applications for the contemporary digital security landscape.
  arXiv  Detail & Related papers  (2025-01-14T00:02:02Z)
• Balancing Confidentiality and Transparency for Blockchain-based Process-Aware Information Systems [46.404531555921906]
  We propose an architecture for blockchain-based PAISs aimed at preserving both confidentiality and transparency.<n>Smart contracts enact, enforce and store public interactions, while attribute-based encryption techniques are adopted to specify access grants to confidential information.
  arXiv  Detail & Related papers  (2024-12-07T20:18:36Z)
• Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
  We propose Authenticated Cyclic Redundancy Integrity Check (ACRIC) ACRIC preserves backward compatibility without requiring additional hardware and is protocol agnostic. We show that ACRIC offers robust security with minimal transmission overhead ( 1 ms)
  arXiv  Detail & Related papers  (2024-11-21T18:26:05Z)
• Towards Credential-based Device Registration in DApps for DePINs with ZKPs [46.08150780379237]
  We propose a credential-based device registration (CDR) mechanism that verifies device credentials on the blockchain. We present a general system model, and technically evaluate CDR using zkSNARKs with Groth16 and Marlin.
  arXiv  Detail & Related papers  (2024-06-27T09:50:10Z)
• Attribute-Based Authentication in Secure Group Messaging for Distributed Environments [2.254434034390528]
  Messaging Layer security (MLS) and its underlying Continuous Group Key Agreement protocol allow a group of users to share a cryptographic secret in a dynamic manner. The use of digital certificates for authentication in a group goes against the group members' privacy. We provide an alternative method of authentication in which the solicitors, instead of revealing their identity, only need to prove possession of certain attributes.
  arXiv  Detail & Related papers  (2024-05-20T14:09:28Z)
• Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
  We investigate the security implications of and software-based Open Radio Access Network (RAN) systems. We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
  arXiv  Detail & Related papers  (2024-05-03T07:18:45Z)
• HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs) TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv  Detail & Related papers  (2024-01-17T00:56:23Z)
• A Universal System for OpenID Connect Sign-ins with Verifiable Credentials and Cross-Device Flow [4.006745047019997]
  Self-Sovereign Identity (SSI) is a new and promising identity management paradigm. We propose a comparatively simple system that enables SSI-based sign-ins for services that support the widespread OpenID Connect or OAuth 2.0 protocols.
  arXiv  Detail & Related papers  (2024-01-16T16:44:30Z)
• Combining Decentralized IDentifiers with Proof of Membership to Enable Trust in IoT Networks [44.99833362998488]
  The paper proposes and discusses an alternative (mutual) authentication process for IoT nodes under the same administration domain. The main idea is to combine the Decentralized IDentifier (DID)-based verification of private key ownership with the verification of a proof that the DID belongs to an evolving trusted set.
  arXiv  Detail & Related papers  (2023-10-12T09:33:50Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.