Static, long-lived credentials for workload authentication create untenable security risks that violate Zero-Trust principles. This paper presents a multi-cloud framework using Workload Identity Federation (WIF) and OpenID Connect (OIDC) for secretless authentication. Our approach uses cryptographically-verified, ephemeral tokens, allowing workloads to authenticate without persistent private keys and mitigating credential theft. We validate this framework in an enterprise-scale Kubernetes environment, which significantly reduces the attack surface. The model offers a unified solution to manage workload identities across disparate clouds, enabling future implementation of robust, attribute-based access control.
@article{arxiv.2510.16067,
title = {A Multi-Cloud Framework for Zero-Trust Workload Authentication},
author = {Saurabh Deochake and Ryan Murphy and Jeremiah Gearheart},
journal= {arXiv preprint arXiv:2510.16067},
year = {2025}
}
Comments
Cyber Security Experimentation and Test (CSET) at the Annual Computer Security Applications Conference (ACSAC) 2025