Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD

• URL: http://arxiv.org/abs/2504.14761v1
• Date: Sun, 20 Apr 2025 23:08:17 GMT
• Title: Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD
• Authors: Surya Teja Avirneni,
• Abstract summary: Credential brokers offer a way to separate identity from access in CI/CD systems.<n>This paper shows how verifiable identities issued at runtime, such as those from SPE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads.
• Score: 0.0
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Credential brokers offer a way to separate identity from access in CI/CD systems. This paper shows how verifiable identities issued at runtime, such as those from SPIFFE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads. We walk through practical design patterns, including brokers that issue tokens just in time, apply access policies, and operate across trust domains. These ideas help reduce static permissions, improve auditability, and support Zero Trust goals in deployment workflows. This is the second paper in a three-part series on secure CI/CD identity architecture.

Related papers

• Identity Control Plane: The Unifying Layer for Zero Trust Infrastructure [0.0]
  Identity Control Plane (ICP) is an architectural framework for enforcing identity-aware Zero Trust access. ICP model unifies SPIFFE-based workload identity, OIDC/SAML user identity, and scoped automation credentials via broker-issued transaction tokens.
  arXiv  Detail & Related papers  (2025-04-24T17:21:00Z)
• Intent-Aware Authorization for Zero Trust CI/CD [0.0]
  This paper introduces intent-aware authorization for Zero Trust CI/CD systems.<n>We describe a control loop architecture where policy engines evaluate runtime context, justification, and human approvals.
  arXiv  Detail & Related papers  (2025-04-21T00:25:35Z)
• Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication [0.0]
  CI/CD systems have become privileged automation agents in modern infrastructure, but their identity is still based on secrets or temporary credentials passed between systems.<n>This paper describes the shift from static credentials to OpenID Connect (OIDC) federation, and introduces SPIFFE as a platform-neutral identity model for non-human actors.
  arXiv  Detail & Related papers  (2025-04-20T23:06:03Z)
• Trusted Identities for AI Agents: Leveraging Telco-Hosted eSIM Infrastructure [0.0]
  We propose a conceptual architecture that leverages telecom-grade eSIM infrastructure. Rather than embedding SIM credentials in hardware devices, we envision a model where telcos host secure, certified hardware modules. This paper is intended as a conceptual framework to open discussion around standardization, security architecture, and the role of telecom infrastructure in the evolving agent economy.
  arXiv  Detail & Related papers  (2025-04-17T15:36:26Z)
• Fundamental Limits of Hierarchical Secure Aggregation with Cyclic User Association [93.46811590752814]
  Hierarchical secure aggregation is motivated by federated learning. In this paper, we consider HSA with a cyclic association pattern where each user is connected to $B$ consecutive relays. We propose an efficient aggregation scheme which includes a message design for the inputs inspired by gradient coding.
  arXiv  Detail & Related papers  (2025-03-06T15:53:37Z)
• Shh, don't say that! Domain Certification in LLMs [124.61851324874627]
  Large language models (LLMs) are often deployed to perform constrained tasks, with narrow domains.<n>We introduce domain certification; a guarantee that accurately characterizes the out-of-domain behavior of language models.<n>We then propose a simple yet effective approach, which we call VALID that provides adversarial bounds as a certificate.
  arXiv  Detail & Related papers  (2025-02-26T17:13:19Z)
• DocMIA: Document-Level Membership Inference Attacks against DocVQA Models [52.13818827581981]
  We introduce two novel membership inference attacks tailored specifically to DocVQA models.<n>Our methods outperform existing state-of-the-art membership inference attacks across a variety of DocVQA models and datasets.
  arXiv  Detail & Related papers  (2025-02-06T00:58:21Z)
• Lifecycle Management of Resumés with Decentralized Identifiers and Verifiable Credentials [0.0]
  This paper introduces a trust framework for managing digital resum'e credentials. We propose a framework for real-time issuance, storage and verification of Verifiable Credentials without intermediaries.
  arXiv  Detail & Related papers  (2024-06-17T13:37:44Z)
• Attribute-Based Authentication in Secure Group Messaging for Distributed Environments [2.254434034390528]
  Messaging Layer security (MLS) and its underlying Continuous Group Key Agreement protocol allow a group of users to share a cryptographic secret in a dynamic manner. The use of digital certificates for authentication in a group goes against the group members' privacy. We provide an alternative method of authentication in which the solicitors, instead of revealing their identity, only need to prove possession of certain attributes.
  arXiv  Detail & Related papers  (2024-05-20T14:09:28Z)
• HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs) TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv  Detail & Related papers  (2024-01-17T00:56:23Z)
• Student Certificate Sharing System Using Blockchain and NFTs [0.0]
  We propose a certificate sharing system based on blockchain that gives students authority and control over their academic certificates. Students may access the data created by each individual institute in a single platform, filter the view of the relevant courses according to their requirements, and mint their certificate metadata as NFTs.
  arXiv  Detail & Related papers  (2023-10-30T21:45:12Z)
• Combining Decentralized IDentifiers with Proof of Membership to Enable Trust in IoT Networks [44.99833362998488]
  The paper proposes and discusses an alternative (mutual) authentication process for IoT nodes under the same administration domain. The main idea is to combine the Decentralized IDentifier (DID)-based verification of private key ownership with the verification of a proof that the DID belongs to an evolving trusted set.
  arXiv  Detail & Related papers  (2023-10-12T09:33:50Z)
• Model Barrier: A Compact Un-Transferable Isolation Domain for Model Intellectual Property Protection [52.08301776698373]
  We propose a novel approach called Compact Un-Transferable Isolation Domain (CUTI-domain) CUTI-domain acts as a barrier to block illegal transfers from authorized to unauthorized domains. We show that CUTI-domain can be easily implemented as a plug-and-play module with different backbones.
  arXiv  Detail & Related papers  (2023-03-20T13:07:11Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.