SPIFFE standardization of service identity has been an important step in enabling turnkey solutions for end-to-end encryption and mutual authentication between services. The SPIFFE standards are backed by the OSS SPIFFE Runtime Environment (SPIRE), which automatically delivers cryptographically provable identities to services. Istio also uses SPIFFE by default. SPIFFE enables many use cases, including identity translation, OAuth client authentication, mTLS "encryption everywhere" and workload observability. ThoughtWorks is actively working with the Istio and SPIFFE communities to bridge the gap between legacy service identity providers and SPIFFE-based identities so that mTLS can be used everywhere between services, inside a service mesh and outside.
Making key elements of Google's groundbreaking, high-scale platform available as open source offerings appears to have become a trend. In the same way that HBASE drew on BigTable and Kubernetes drew on Borg, SPIFFE is now drawing upon Google's LOAS to bring to life a critical cloud-native concept called workload identity. The SPIFFE standards are backed by the OSS SPIFFE Runtime Environment (SPIRE), which automatically delivers cryptographically provable identities to software workloads. Although SPIRE isn't quite ready for production use, we see tremendous value in a platform-agnostic way to make strong identity assertions between workloads in modern, distributed IT infrastructures. SPIRE supports many use cases, including identity translation, OAuth client authentication, mTLS "encryption everywhere," and workload observability. Istio uses SPIFFE by default.