Securing CI/CD Pipelines: The Role of Workload Identity Federation
2024-4-26 03:50:21 Author: securityboulevard.com

Increased Attack Surface

Long-lived credentials stored in CI/CD pipelines increase an organization’s attack surface. Compromising these credentials grants attackers broad access to the infrastructure, potentially leading to severe security breaches.

Workload Identity Federation as a Best Practice

Workload identity federation offers a robust solution for securing CI/CD pipelines. Workload identity federation is a method used by cloud services to allow applications to access cloud resources without needing to store and manage long-term credentials, like service account keys. Instead, it uses short-lived tokens based on the identity of the application’s workload.

Here’s how workload identity federation addresses the security risks of long-lived credentials.

Short-Lived Tokens

Workload identity federation solutions integrate with access token issuers like Google Cloud’s Workload Identity or AWS Security Token Service to generate short-lived tokens with limited lifespans. These tokens automatically expire after a predefined period, reducing the window of opportunity for attackers to exploit them.

No Credential Storage

Workload identity federation eliminates the need to store long-lived credentials within CI/CD pipeline configurations or environment variables. Instead, pipelines can be dynamically authenticated using attestation, and the identity federation service can generate short-lived tokens appropriate for the target service just in time.

Automated Credential Rotation

Workload identity federation automates credential rotation, regularly refreshing tokens to maintain security. Automated rotation mechanisms reduce manual effort and minimize the risk of credential compromise due to outdated secrets.
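The exchange that the three points above describe, as an added worked example that is not code from the article or from any cloud provider's SDK: the CI job presents a signed identity assertion instead of a stored key, the federation service verifies the assertion against a trust policy and returns an access token that expires after `TOKEN_TTL` seconds. The issuer and audience URLs, the `repo:...:ref:...` subject format, the `TRUST_POLICY` mapping and the use of HS256 with a shared secret are all constructed assumptions so the code runs offline; real OIDC issuers sign assertions with asymmetric keys published through JWKS, and the federation service fetches those keys rather than holding a shared secret.

```python
"""Simplified workload identity federation exchange (added example).

A CI job presents a signed assertion (here a JWT) rather than a long-lived
key; the federation service verifies signature, issuer, audience and expiry,
checks the subject against a trust policy and returns a short-lived token.

Assumption: HS256 with a shared secret stands in for the issuer's signing key
so the example is self-contained. Production issuers use RS256/ES256 + JWKS.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://ci.example.invalid"       # constructed issuer URL
AUDIENCE = "federation.example.invalid"     # constructed audience value
ISSUER_KEY = b"constructed-shared-secret"   # stands in for the issuer's signing key
TOKEN_TTL = 900                             # access token lifetime in seconds

# Trust policy: which workload identities may obtain a token, and for which role.
# Subject format mirrors the repo/ref style used by CI OIDC providers (constructed).
TRUST_POLICY = {
    "repo:example-org/payments:ref:refs/heads/main": "deploy-prod",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_assertion(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """CI identity provider side: mint a signed assertion (JWT, HS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_assertion(token: str, now: float, key: bytes = ISSUER_KEY) -> dict:
    """Federation service side: signature first, then issuer, audience, expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("assertion expired")
    return claims


def exchange_for_access_token(assertion: str, now: float) -> dict:
    """Exchange a verified assertion for a short-lived token; nothing is stored in the pipeline."""
    claims = verify_assertion(assertion, now)
    role = TRUST_POLICY.get(claims.get("sub"))
    if role is None:
        raise PermissionError(f"subject not allowed: {claims.get('sub')}")
    return {
        "access_token": secrets.token_urlsafe(32),
        "role": role,
        "issued_at": int(now),
        "expires_at": int(now) + TOKEN_TTL,
    }


def is_token_valid(token: dict, now: float) -> bool:
    """Consumer-side check; once expired the job repeats the exchange, which is the rotation."""
    return now < token["expires_at"]


if __name__ == "__main__":
    now = time.time()
    assertion = sign_assertion({
        "iss": ISSUER, "aud": AUDIENCE,
        "sub": "repo:example-org/payments:ref:refs/heads/main",
        "iat": int(now), "exp": int(now) + 300,
    })
    token = exchange_for_access_token(assertion, now)
    print(json.dumps({k: v for k, v in token.items() if k != "access_token"}))
```

The assertion is minted per job and is useless after its own `exp`; the returned token is useless after `expires_at`. A leaked pipeline configuration therefore contains nothing an attacker can replay later, which is the property the text contrasts with long-lived credentials.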

Simplifying Identity Federation with Workload IAM

Identity federation provides step-function improvements in security for your CI/CD platform (and frankly, for all your platforms that require workload-to-workload access). Yet, identity federation may also be complex to set up and maintain effectively. That’s where workload identity and access management systems can help.

Workload IAM provides a central control plane for workload-to-workload access. It can leverage the native workload identity federation capabilities provided by SaaS services and the cloud providers, with additional features for simplicity, security, and management. With Workload IAM, you can:

  • Eliminate the need for pairwise federation relationships. If you were implementing federation for your GitHub environment, for example, you would set up a federation relationship with AWS, one for GCP, and maybe another few for downstream services that are used, like Terraform, Jira, and Slack… you get the picture. With Workload IAM, you can set up each service once and define access policies.
  • Use conditional access. Conditional access policies are not inherent to the concept of workload identity federation, but they should be incorporated into access authorization decisions. Considerations like time-of-day, day-of-week, and geolocation can be critical in some CI/CD scenarios, for example to ensure that access is granted only to CI/CD systems operating within expected parameters.
  • Centralize access authorization logs. A centralized log source that can automatically feed downstream SIEMs, compliance reports, and other previously time-consuming audit tasks lets you easily see when systems were granted access to each other.
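The second and third bullets, conditional access and centralized authorization logs, as one added example that is not code from the article or from any Workload IAM product: a request from an already-verified workload identity is checked against a policy with day-of-week, hour-of-day and region conditions, and every decision, allow or deny, is written as one JSON line to a central log list that a SIEM could ingest. The policy schema, the caller and target names, the region list and the `AUDIT_LOG` sink are constructed for this example.

```python
"""Conditional access decision with a central authorization log (added example).

Assumes the caller identity has already been verified (for instance through
the federation exchange), so the decision here is purely about policy:
does this caller reach this target, and only under the expected conditions?
All names, the policy schema and the log sink are constructed.
"""
import json
from datetime import datetime, timezone

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order

# Constructed policy: one caller, one target, and the conditions under which
# the CI system is expected to be operating.
POLICIES = [
    {
        "caller": "repo:example-org/payments:ref:refs/heads/main",
        "target": "aws:role/deploy-prod",
        "conditions": {
            "days": ["Mon", "Tue", "Wed", "Thu", "Fri"],
            "hours_utc": (8, 18),                    # start inclusive, end exclusive
            "regions": ["us-east-1", "us-west-2"],   # where CI runners are expected to run
        },
    },
]

AUDIT_LOG = []  # stand-in for the central log source that feeds a SIEM


def find_policy(request: dict):
    """Return the policy matching caller and target, or None (default deny)."""
    for policy in POLICIES:
        if policy["caller"] == request["caller"] and policy["target"] == request["target"]:
            return policy
    return None


def check_conditions(policy: dict, request: dict, when: datetime):
    """Evaluate the conditional part; a failing condition names itself in the reason."""
    cond = policy["conditions"]
    day = DAY_NAMES[when.weekday()]
    if day not in cond["days"]:
        return False, f"day {day} outside allowed days"
    start, end = cond["hours_utc"]
    if not (start <= when.hour < end):
        return False, f"hour {when.hour:02d} UTC outside {start:02d}-{end:02d}"
    if request["region"] not in cond["regions"]:
        return False, f"region {request['region']} not expected"
    return True, "all conditions satisfied"


def authorize(request: dict, when: datetime) -> bool:
    """Decide, record the decision centrally, and return it. Unknown pairs are denied."""
    policy = find_policy(request)
    if policy is None:
        allowed, reason = False, "no matching policy"
    else:
        allowed, reason = check_conditions(policy, request, when)
    record = {
        "ts": when.isoformat(),
        "caller": request["caller"],
        "target": request["target"],
        "region": request["region"],
        "decision": "ALLOW" if allowed else "DENY",
        "reason": reason,
    }
    AUDIT_LOG.append(record)
    print(json.dumps(record))  # one JSON line per decision, ready for SIEM ingestion
    return allowed


if __name__ == "__main__":
    req = {"caller": "repo:example-org/payments:ref:refs/heads/main",
           "target": "aws:role/deploy-prod", "region": "us-east-1"}
    authorize(req, datetime(2024, 4, 24, 10, 0, tzinfo=timezone.utc))   # weekday, in hours
    authorize(req, datetime(2024, 4, 24, 3, 0, tzinfo=timezone.utc))    # outside hours
```

Because both allows and denies land in the same log with the reason attached, the question "when was system A granted access to system B" becomes a filter on `decision == "ALLOW"`, and a burst of denies for an unexpected region or hour is the signal a detection rule would key on.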

Conclusion

Securing CI/CD pipelines is paramount to protecting the integrity, confidentiality, and availability of software delivery processes. Long-lived credentials pose significant security risks, but workload identity federation provides a robust solution for mitigating these risks. By leveraging short-lived tokens, eliminating credential storage, automating credential rotation, and implementing RBAC, organizations can better secure their CI/CD pipelines and safeguard against potential threats.


Source: https://securityboulevard.com/2024/04/securing-ci-cd-pipelines-the-role-of-workload-identity-federation/