What's Up In Workload Identity - January 2025
SPIFFE? WIMSE? All that and more inside the January edition of What's Up in Workload Identity.
Hey!
Welcome to the fifth edition of What’s Up in Workload Identity, a monthly review of the world of Workload Identity (SPIFFE, WIMSE and much more…) - returning after a short break for the Christmas period!
It’s a world that’s moving fast - and it’s hard to keep up 🚀
You can expect to see each edition covering:
News: significant events in the Workload Identity space
Content: awesome blog posts and talks that have been published
Releases: the latest and greatest changes to Workload Identity tooling
Coming Up: the events and talks you won’t want to miss
Who am I? I’m Noah. I’ve been working in the Workload Identity space for the past few years. I currently work at Teleport, leading the development of our Workload Identity product. That being said, this newsletter is in a personal capacity and I’m keen to keep it unbiased! You can find out more about me on my website.
News
The latest news from the Workload Identity space
OWASP announces 2025 Non-Human Identities Top 10
Nothing says “Happy New Year!” like a brand new Top Ten from the Open Worldwide Application Security Project (OWASP)! In late December, they unveiled the OWASP 2025 Non-Human Identities Top 10 - their first list focussing on the challenges around securely working with Non-Human/workload identities.
It’s a fantastic start to 2025 to see an organization as prestigious as OWASP recognising the need for wider industry education around the risks and challenges posed by Non-Human identities, and it’s a significant sign that interest in NHI is becoming commonplace. Clearly we’re not the only ones worrying about this!
I’ll admit - at a brief glance, the list is not all too surprising. I don’t think anybody here will be shocked that the likes of “Long-Lived Secrets”, “Overprivileged NHI” or “Secret Leakage” have made it on! What also won’t be a surprise is comparing this list of challenges to the solutions provided by tools like SPIFFE/SPIRE, and seeing that almost all of them are taken care of by taking a more modern workload-identity-esque approach.
You can check out the full list at: https://owasp.org/www-project-non-human-identities-top-10/2025/top-10-2025/
Content
The best of recent blogs, webinars and talks on Workload Identity
Why It’s Time to Rethink Machine and Workload Identity: Lessons from User Security
January 22nd 2025, on the “unmitigated risk blog”.
https://unmitigatedrisk.com/?p=934
SPIFFE as a Glue for Large Scale Telco Deployments
By Rahul Jadhav (AccuKnox) at KubeCon India 2024
SPIFFE runs in the cloud, but can it run on my laptop?
By Mattias Gees (Venafi) at Cloud Native Rejects 2024
Leveraging Micro-Segmentation, SPIFFE-based Identity Networking, and Immutable Infrastructure
By Kerry Steele (Coalfire Systems)
Releases
Highlights from recent releases to Workload Identity tools
SPIRE - 1.11.1 - December 11th
This release includes a variety of minor changes and bugfixes.
Check out the GitHub Release for the full list of changes!
Coming Up…
What’s happening soon in the world of Workload Identity
KubeCon EU
April 1st to the 4th - London
Find out more at https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/
That’s all for this month’s edition of What’s Up in Workload Identity. If you’ve found this interesting, please subscribe and share!
Got something you’d love to see in the next edition? I’m particularly keen to start including some short editorial pieces within WUIWI. Please get in touch at wuiwi@noahstride.co.uk