A Multi-Cloud Framework for Zero-Trust Workload Authentication

• URL: http://arxiv.org/abs/2510.16067v1
• Date: Fri, 17 Oct 2025 04:11:31 GMT
• Title: A Multi-Cloud Framework for Zero-Trust Workload Authentication
• Authors: Saurabh Deochake, Ryan Murphy, Jeremiah Gearheart,
• Abstract summary: This paper presents a multi-cloud framework using Workload Identity Federation (WIF) and OpenID Connect (OIDC) for secretless authentication.<n>We validate this framework in an enterprise-scale environment, which significantly reduces the attack surface.
• Score: 0.0
• License: http://creativecommons.org/licenses/by-nc-nd/4.0/
• Abstract: Static, long-lived credentials for workload authentication create untenable security risks that violate Zero-Trust principles. This paper presents a multi-cloud framework using Workload Identity Federation (WIF) and OpenID Connect (OIDC) for secretless authentication. Our approach uses cryptographically-verified, ephemeral tokens, allowing workloads to authenticate without persistent private keys and mitigating credential theft. We validate this framework in an enterprise-scale Kubernetes environment, which significantly reduces the attack surface. The model offers a unified solution to manage workload identities across disparate clouds, enabling future implementation of robust, attribute-based access control.

Related papers

• Achieving Flexible and Secure Authentication with Strong Privacy in Decentralized Networks [13.209703999398805]
  IRAC is a flexible credential model that unifies credentials from heterogeneous issuers.<n>We design a secure decentralized revocation mechanism where holders prove non-revocation by demonstrating their credential's revocation within a gap in the issuer's sorted list.
  arXiv  Detail & Related papers  (2025-12-23T10:49:05Z)
• Binding Agent ID: Unleashing the Power of AI Agents with accountability and credibility [46.323590135279126]
  BAID (Binding Agent ID) is a comprehensive identity infrastructure establishing verifiable user-code binding.<n>We implement and evaluate a complete prototype system, demonstrating the practical feasibility of blockchain-based identity management and zkVM-based authentication protocol.
  arXiv  Detail & Related papers  (2025-12-19T13:01:54Z)
• Zero Trust Security Model Implementation in Microservices Architectures Using Identity Federation [0.0]
  The article itself is a case on the need of the Zero Trust Security Model of micro services ecosystem.<n>It is proposed that the solution framework will be based on industry-standard authentication and authorization and end-to-end trust identity technologies.<n>The research results overlay that the federated identity combined with the Zero Trust basics not only guarantee the rules relating to authentication and authorization but also fully complies with the latest DevSecOps standards of microservice deployment.
  arXiv  Detail & Related papers  (2025-11-07T02:03:05Z)
• Bridging the Mobile Trust Gap: A Zero Trust Framework for Consumer-Facing Applications [51.56484100374058]
  This paper proposes an extended Zero Trust model designed for mobile applications operating in untrusted, user-controlled environments.<n>Using a design science methodology, the study introduced a six-pillar framework that supports runtime enforcement of trust.<n>The proposed model offers a practical and standards-aligned approach to securing mobile applications beyond pre-deployment controls.
  arXiv  Detail & Related papers  (2025-08-20T18:42:36Z)
• Endorsement-Driven Blockchain SSI Framework for Dynamic IoT Ecosystems [0.39462888523270856]
  Self-Sovereign Identity (SSI) offers significant potential for managing identities in the Internet of Things (IoT)<n>Existing SSI frameworks limit issuance credential and revocation to trusted entities, such as IoT manufacturers.<n>We propose a blockchain-based SSI framework that allows any individual with a verifiable trust linkage to act as a credential issuer.
  arXiv  Detail & Related papers  (2025-07-14T02:03:14Z)
• Establishing Workload Identity for Zero Trust CI/CD: From Secrets to SPIFFE-Based Authentication [0.0]
  CI/CD systems have become privileged automation agents in modern infrastructure, but their identity is still based on secrets or temporary credentials passed between systems.<n>This paper describes the shift from static credentials to OpenID Connect (OIDC) federation, and introduces SPIFFE as a platform-neutral identity model for non-human actors.
  arXiv  Detail & Related papers  (2025-04-20T23:06:03Z)
• Firewalls to Secure Dynamic LLM Agentic Networks [36.6600856429565]
  LLM agents will likely communicate on behalf of users with other entity-representing agents on tasks involving long-horizon plans with interdependent goals.<n>We identify required properties for agent communication: proactivity, adaptability, privacy (sharing only task-necessary information), and security.<n>We propose a practical design and protocol inspired by network security principles.
  arXiv  Detail & Related papers  (2025-02-03T21:00:14Z)
• AEAKA: An Adaptive and Efficient Authentication and Key Agreement Scheme for IoT in Cloud-Edge-Device Collaborative Environments [7.106119177152857]
  We propose an adaptive and efficient authentication and key agreement scheme (AEAKA) for Cloud-Edge-Device IoT environments. AEAKA is highly adaptive and scalable, capable of automatically and dynamically initiating different authentication methods based on device requirements. It employs an edge-assisted authentication approach to reduce the load on third-party trust authorities.
  arXiv  Detail & Related papers  (2024-11-14T06:55:27Z)
• Authentication and identity management based on zero trust security model in micro-cloud environment [0.0]
  The Zero Trust framework can better track and block external attackers while limiting security breaches resulting from insider attacks in the cloud paradigm. This paper focuses on authentication mechanisms, calculation of trust score, and generation of policies in order to establish required access control to resources.
  arXiv  Detail & Related papers  (2024-10-29T09:06:13Z)
• DiVerify: Hardening Identity-Based Software Signing with Programmable Diverse-Context Scopes [11.521573335215239]
  State-of-the-art identity-based code signing schemes have a major shortcoming.<n>They fail to provide verifiable information about the context in which a signature is generated.<n>We propose a diverse identity verification approach that reduces reliance on a single source of verification.
  arXiv  Detail & Related papers  (2024-06-21T18:53:52Z)
• HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
  Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs) TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks. We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
  arXiv  Detail & Related papers  (2024-01-17T00:56:23Z)
• Combining Decentralized IDentifiers with Proof of Membership to Enable Trust in IoT Networks [44.99833362998488]
  The paper proposes and discusses an alternative (mutual) authentication process for IoT nodes under the same administration domain. The main idea is to combine the Decentralized IDentifier (DID)-based verification of private key ownership with the verification of a proof that the DID belongs to an evolving trusted set.
  arXiv  Detail & Related papers  (2023-10-12T09:33:50Z)
• FedSOV: Federated Model Secure Ownership Verification with Unforgeable Signature [60.99054146321459]
  Federated learning allows multiple parties to collaborate in learning a global model without revealing private data. We propose a cryptographic signature-based federated learning model ownership verification scheme named FedSOV.
  arXiv  Detail & Related papers  (2023-05-10T12:10:02Z)
• Preserving Privacy and Security in Federated Learning [21.241705771577116]
  We develop a principle framework that offers both privacy guarantees for users and detection against poisoning attacks from them. Our framework enables the central server to identify poisoned model updates without violating the privacy guarantees of secure aggregation.
  arXiv  Detail & Related papers  (2022-02-07T18:40:38Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.