Open Source Summit + Embedded Linux Conference + OSPOCon 2021

Supply-chain security has lagged behind network and service security for years, but it's time to fix that! Zero-trust technologies have dramatically improved enterprise security, but haven't been applied to supply-chain security yet. Traditionally, workload security relied on trusted "perimeters". Firewalls, internal networks and physical security provided defense against attackers by keeping them out. This type of architecture is simple and effective when all assets are in one place, the firewall doesn't need many holes and all hardware is on the same physical network. This obviously isn't true today. The workplace is distributed. Devices are mobile and environments are ephemeral. Enter zero-trust security. Zero-trust focuses on protecting assets, not perimeters. Services authenticate users against hardware instead of network endpoints. Users authenticate with MFA and devices authenticate with hardware-roots-of-trust. The end result is a system focused on fine-grained access control. Instead of trusting everything on a network, you control exactly which users and systems have access to which services. This presentation explores how zero-trust can be applied to build systems **today**, with working demos of the Sigstore, TektonCD and SPIFFE/SPIRE projects.