Session
Beyond Network Trust: End-to-End Secure Service Communication with Open Source IAM
In today's dynamic cloud-native environments, relying on network perimeters for security is obsolete. True Zero Trust demands strong authentication and fine-grained authorization for every interaction, especially between microservices. This session explores how to achieve this end-to-end security using complementary open-source projects.
First, we address the challenge of reliably identifying who is making a request. We'll delve into establishing cryptographic, verifiable workload identities using open-source frameworks like SPIFFE/SPIRE. Learn how services can automatically obtain short-lived, platform-agnostic identities (SVIDs), eliminating the need for managing secrets like API keys or passwords for service-to-service authentication.
With a trusted identity established, we then tackle what that service is allowed to do. We'll demonstrate how to leverage these workload identities within open-source authorization engines like Open Policy Agent (OPA). See how to define and enforce granular, context-aware access control policies based on the verified identity of the calling service, rather than just its network location.