Chapter 2. Identity

Traditionally, infrastructure access has not been identity-based. Instead, it has relied on data associated with an identity, mainly usernames, passwords, private keys, and other secrets, which can be copied or stolen without the owner noticing, leaving critical systems open to attack. This chapter explores the difference between credentials and identity, the types of identities involved in infrastructure access, and secure forms of credentials that are not vulnerable to human error and are therefore not prone to leaking.

We begin with your identity. An identity is the fact of you being who you are, usually recognized by a unique set of physical attributes that distinguish you from anyone else. These attributes include your face, your fingerprints, your DNA, and other aspects of your physical self. A server, a container, an application, indeed anything that exists, has an identity too. The identity of an infrastructure resource is likewise defined by its physical attributes, as we cover later in this chapter.

Establishing and proving identity is a tricky problem. It quickly becomes necessary to rely on credentials, that is, claims made about the identity of a person or other entity. Various kinds of credentials have been invented to prove identity, and all of them have deficiencies.

At some point, whether at birth or later in your life, you’re issued a national identification number such as a Social Security number (SSN).1 You probably also have a license to operate a motor vehicle, including ...
