Putting Workload Identity to Work: Taking SPIFFE past day 0
Dave Sudia
fwd:cloudsec North America 2025 · Day 1 · Track 1 - Crystal
Dave Sudia, a former platform engineer, delivers a lightning talk on moving **SPIFFE (Secure Production Identity Framework for Everyone)** from proof of concept to production at scale. SPIFFE is a graduated **CNCF project** that provides a standard for issuing cryptographic identities to workloads using **X.509 certificates** with custom extensions, enabling true zero trust without long-lived static secrets. Sudia draws on his experience working with several large organizations (including unnamed financial institutions) to share practical implementation strategies, common failure modes, and a structured approach to adoption that begins with a single enthusiastic team and a tightly scoped use case before expanding organization-wide.
AI review
A competent overview of SPIFFE adoption patterns with useful case studies from unnamed financial institutions, but this is fundamentally an implementation guide for infrastructure plumbing, not security research. No new vulnerabilities, no novel techniques, no exploits. Useful if you're evaluating workload identity; skippable if you're here for the sharp end of the stick.