Agentic Zero Trust
Frederick F. Kautz IV
Reality/Assumption Gap
Drivers
Change comes with Risk
Uncoincidentally, staying still also comes with risk
Triangle of Trust
Identity
Policy
Control
Perimeter Defense -> Zero Trust
Before we can describe an Agentic Zero Trust approach, we need to look at where we are. The following slides describe Perimeter Defense and contrast it with Zero Trust.
Perimeter Defense
An untrusted client connects to a trusted server through a firewall.
[Diagram labels: Untrusted, Trusted]
We’re defending our infrastructure with 11th century techniques!
Source: https://commons.wikimedia.org/wiki/File:KronborgCastle_HCS.jpg
What if the attack starts here?
Perimeter Defense
[Diagram labels: Trusted Network (x2), VPN, Workload (x6)]
Zero Trust Environment
[Diagram labels: Untrusted Network (x2), Attested Workload (x2), Secure Connection]
Zero Trust Environment
[Diagram labels: Untrusted Network (x2), Attested Workload (x2), Secure Connection, Attacker]
Perimeter Defense
[Diagram labels: Untrusted Network (x2), VPN, Attacker]
Zero Trust Environment
[Diagram labels: Untrusted Network (x2), Attacker]
How do we achieve this?
Establish Trust Domain
[Diagram label: CA]
Attest Workloads
[Diagram labels: CA, Agentic Service 1, Attest, Agentic Service 2]
Establish Policy
[Diagram labels: CA, Agentic Service 1, Agentic Service 2]
Policy:
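package envoy.authz

import input.attributes.request.http as http_request

# allow only the frontend service to GET /pets/owners
default allow = false

allow {
    # "==" is an exact string match, so this matches only this literal path
    http_request.path == "/pets/owners/{id}"
    http_request.method == "GET"
    source_spiffe_id == "spiffe://domain.test/frontend"
}

# Read the client's SPIFFE ID from the third ";"-separated field of the
# x-forwarded-client-cert header; undefined unless there are exactly three fields.
source_spiffe_id = client_id {
    [_, _, uri_type_san] := split(http_request.headers["x-forwarded-client-cert"], ";")
    [_, client_id] := split(uri_type_san, "=")
}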
Source: openpolicyagent.org (with modifications)
Establish Trust between Organizations
[Diagram labels: Org 1, CA, Agentic Service 1, Agentic Service 2, Org 2, CA]
Allow connections from:
source_spiffe_id == "spiffe://org1.test/user_agent"
Allow connections to:
dest_spiffe_id == "spiffe://org2.test/calendar_agent"
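Added example (not from the slides or from OPA's documentation): a Python version of the check an enforcement point performs for the cross-organization rule above, reading the source ID from the URI field and the destination ID from the By field of the x-forwarded-client-cert header, and failing closed on anything ambiguous. It assumes Envoy's header layout, that the last comma-separated element is the one written by the local proxy, and that the local proxy's certificate carries the destination workload's SPIFFE ID; the function names and the sample header are constructed for illustration.

```python
# Added example, not from the slides; assumes Envoy's XFCC element layout.
from typing import Dict, List, Optional

# Rule from the slide as a (source, destination) pair; SAMPLE is a constructed header.
ALLOWED = {("spiffe://org1.test/user_agent", "spiffe://org2.test/calendar_agent")}
SAMPLE = 'By=spiffe://org2.test/calendar_agent;Hash=abc123;Subject="CN=user_agent,O=Org 1";URI=spiffe://org1.test/user_agent'


def split_unquoted(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, quoted, escaped = [""], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("")
            continue
        parts[-1] += ch
    return parts


def parse_xfcc(header: str) -> Optional[Dict[str, List[str]]]:
    """Return key -> values for the last hop's element, or None if malformed."""
    fields: Dict[str, List[str]] = {}
    for pair in split_unquoted(split_unquoted(header, ",")[-1], ";"):
        key, eq, value = pair.partition("=")
        if not eq or not key.strip():
            return None
        fields.setdefault(key.strip().lower(), []).append(value.strip().strip('"'))
    return fields


def positional_source_id(header: str) -> Optional[str]:
    """Mirror of the slide policy's split: needs exactly three ';' fields."""
    parts = header.split(";")
    pair = parts[2].split("=") if len(parts) == 3 else []
    return pair[1] if len(pair) == 2 else None


def authorize(header: Optional[str]) -> bool:
    """Fail closed unless exactly one source and one destination ID match."""
    fields = (parse_xfcc(header) if header else None) or {}
    src, dst = fields.get("uri", []), fields.get("by", [])
    return len(src) == 1 and len(dst) == 1 and (src[0], dst[0]) in ALLOWED
```

positional_source_id(SAMPLE) returns None because the constructed header carries a fourth field (Subject), while authorize(SAMPLE) returns True.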
Agentic System Workflow
[Diagram labels: User, User Agent, Scheduling Agent, Hotel Agent]
Translating the pattern
[Diagram labels: Control Plane, Data Plane, User Client, Sarah’s App, User Agent (x2), Scheduling Agent (x2), Hotel Agent (x2)]
Establishing Trust
[Diagram labels: User, Internet, User Agent, Scheduler Agent, Hotel Agent, Org 1, CA, Org 2, CA, Trust, Attest (x2)]
OPA implementing policies at each relevant location
Tie to the hardware!
[Diagram labels: Identity (x3), Agent (x2), Service Mesh (x2), Pod (x2), Infra, Hardware TPM (x3)]
Thank You!