Intent-Aware Authorization for Zero Trust CI/CD
- URL: http://arxiv.org/abs/2504.14777v1
- Date: Mon, 21 Apr 2025 00:25:35 GMT
- Title: Intent-Aware Authorization for Zero Trust CI/CD
- Authors: Surya Teja Avirneni
- Abstract summary: This paper introduces intent-aware authorization for Zero Trust CI/CD systems. We describe a control loop architecture where policy engines evaluate runtime context, justification, and human approvals.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: This paper introduces intent-aware authorization for Zero Trust CI/CD systems. Identity establishes who is making the request, but additional signals are required to decide whether access should be granted. We describe a control loop architecture where policy engines such as OPA and Cedar evaluate runtime context, justification, and human approvals before issuing access credentials. The system builds on SPIFFE-based workload identity and credential brokers, and enables fine-grained, auditable authorization. This is the third paper in a series on Zero Trust CI/CD design patterns.
Related papers
- Identity Control Plane: The Unifying Layer for Zero Trust Infrastructure (2025-04-24T17:21:00Z)
Identity Control Plane (ICP) is an architectural framework for enforcing identity-aware Zero Trust access.
The ICP model unifies SPIFFE-based workload identity, OIDC/SAML user identity, and scoped automation credentials via broker-issued transaction tokens.
- Decoupling Identity from Access: Credential Broker Patterns for Secure CI/CD (2025-04-20T23:08:17Z)
Credential brokers offer a way to separate identity from access in CI/CD systems.
This paper shows how verifiable identities issued at runtime, such as those from SPE, can be used with brokers to enable short-lived, policy-driven credentials for pipelines and workloads.
- Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication (2025-04-20T23:06:03Z)
CI/CD systems have become privileged automation agents in modern infrastructure, but their identity is still based on secrets or temporary credentials passed between systems.
This paper describes the shift from static credentials to OpenID Connect (OIDC) federation, and introduces SPIFFE as a platform-neutral identity model for non-human actors.
- On the Compliance of Self-Sovereign Identity with GDPR Principles: A Critical Review (2024-09-05T15:35:53Z)
Self-sovereign identity (SSI) was introduced as an IdM model to reduce the possibility of data breaches.
SSI is a decentralised IdM, where the data owner has sovereign control of personal data stored in their digital wallet.
This paper traces the evolution of IdMs and reviews state-of-the-art SSI frameworks.
- Towards Credential-based Device Registration in DApps for DePINs with ZKPs (2024-06-27T09:50:10Z)
We propose a credential-based device registration (CDR) mechanism that verifies device credentials on the blockchain.
We present a general system model, and technically evaluate CDR using zkSNARKs with Groth16 and Marlin.
- From Hardware Fingerprint to Access Token: Enhancing the Authentication on IoT Devices (2024-03-22T15:15:28Z)
We present MCU-Token, a secure hardware fingerprinting framework for MCU-based IoT devices.
MCU-Token can achieve high accuracy (over 97%) with a low overhead across various IoT devices and application scenarios.
- On Cryptographic Mechanisms for the Selective Disclosure of Verifiable Credentials (2024-01-16T08:22:28Z)
Verifiable credentials are a digital analogue of physical credentials.
They can be presented to verifiers to reveal attributes or even predicates about the attributes included in the credential.
One way to preserve privacy during presentation consists in selectively disclosing the attributes in a credential.
- Tamper-Evident Pairing (2023-11-24T18:54:00Z)
Tamper-Evident Pairing (TEP) is an improvement of the Push-Button Configuration (PBC) standard.
TEP relies on the Tamper-Evident Announcement (TEA), which guarantees that an adversary can neither tamper with a transmitted message without being detected, nor hide the fact that the message has been sent.
This paper provides a comprehensive overview of the TEP protocol, including all information needed to understand how it works.
- Combining Decentralized IDentifiers with Proof of Membership to Enable Trust in IoT Networks (2023-10-12T09:33:50Z)
The paper proposes and discusses an alternative (mutual) authentication process for IoT nodes under the same administration domain.
The main idea is to combine the Decentralized IDentifier (DID)-based verification of private key ownership with the verification of a proof that the DID belongs to an evolving trusted set.
- SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices (2023-09-26T08:11:38Z)
We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes.
SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices.
We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
- FedSOV: Federated Model Secure Ownership Verification with Unforgeable Signature (2023-05-10T12:10:02Z)
Federated learning allows multiple parties to collaborate in learning a global model without revealing private data.
We propose a cryptographic signature-based federated learning model ownership verification scheme named FedSOV.
- Generalizing Cross-Document Event Coreference Resolution Across Multiple Corpora (2020-11-24T17:45:03Z)
Cross-document event coreference resolution (CDCR) is an NLP task in which mentions of events need to be identified and clustered throughout a collection of documents.
CDCR aims to benefit downstream multi-document applications, but improvements from applying CDCR have not been shown yet.
We make the observation that every CDCR system to date was developed, trained, and tested only on a single respective corpus.