For those of us that track AWS – last week was pretty welcome update that includes a bunch of great new features – announcement here.
One of the key challenges that I see over and over again for large enterprise tech is trying to get the best of AWS without complete lock-in to Amazon (multi-cloud) while at the same time supporting their mix of on-prem and cloud systems infrastructure (hybrid). Hybrid AND multi-Cloud is hard – but possible imho if you select a small number of key elements of your architecture that are independent of AWS (or any PaaS cloud provider for that matter).
One of the most important elements to protect as independent is your core authentication/authorization/secrets infrastructure – but where do you start – it’s such a complicated, tangled mess.
Try this….it can be very useful to provide a service that is essentially a “host factory” to assign dynamic identity to VMs. The host factory provides a single, independent identity for the VM so that services such as secrets management, ssh, service authorization, PKI, etc can all be delivered independently of the physical location of the vm and/or the cloud provider.
For example – in AWS, your instances authenticate to the “host factory” using it’s AWS IAM role. IAM roles are the bridge between AWS instances and their “host factory” identity. This host factory identity can be used to deliver all of the services mentioned above regardless of the provider – on-prem or any cloud service provider. This essentially provides a “line in the sand” where your intimacy with any given cloud provider is going to stop and where your control of your own machines identities starts.
Now that AWS has brought IAM roles to containers. The same bridge from ec2 instances to your “host factory” identity can be used to manage container identities.
So whether your app is VM based or containerized, it registers in the same way with the “host factory” and uses all the same core features (except ssh of course; which is not really a for containers 😉
IMHO – this approach is possible to implement quickly if you use a great system like Conjur.
There was a similar dynamic a few years back with networking identity and access management – along came a great product – Illumio – which has been adopted broadly to solve this problem. Conjur is doing for the app layer – what Illumio delivered for network layer.
Give it a try and let me know what you think.