Developing a Zero Trust Framework at Anthem Using SPIFFE and SPIRE
HPE Global Stories
In healthcare, collaboration among stakeholders and organizations can help the industry take significant strides toward a consumer-centric experience that is more affordable. Earlier this year, Anthem, Inc., an innovation leader dedicated to improving health, launched the Health OS platform. Health OS enables us to digitally connect disparate care providers, integrate our data and clinical insights bi-directionally with key stakeholders, and deploy Health Apps to deliver better insights to care providers and make administrative processes much more efficient. By maximizing our data, we are able to simplify and enhance the healthcare experience and, more importantly, drive better health outcomes.
However, digital collaboration across organizational and network boundaries introduces security challenges that go beyond what traditional perimeter-based security can address. Users in this paradigm include both staff and health plan members, who no longer access digital resources exclusively from desktops hard-wired to a data center. They can be anywhere, on-site or off, using laptops, tablets, and smartphones to reach our services. The security approach has to shift from physical to logical network topologies, with a zero trust strategy that grants no access until the trust claims behind a request have been verified.
Anthem partnered with HPE and open-source communities to develop a zero trust network security model that provides the security guarantees needed for collaboration between key stakeholders on our Health OS platform. SPIFFE and SPIRE provide the cryptographic, platform-agnostic identity foundation that secures services across heterogeneous environments and organizational boundaries. On Health OS, all Health Apps, developers, and engineers share zero trust as a common framework for collaborating to transform healthcare.
Embracing a New Security Paradigm
To address the challenges of securing infrastructure that lacks traditional perimeters, we adopted a new security paradigm called zero trust.
Zero trust provides secure access across hybrid environments by assuming that every network, and every device on it, is hostile, and then drawing the smallest possible perimeter around each application, where callers are authenticated and permissions are granted. Instead of trusting static credentials such as user logins, or network location such as IP addresses, ports, and protocols, zero trust treats all network traffic as untrusted, whether it originates inside or outside the organization.
Rather than defending the network perimeter, zero trust validates workload attributes and then allows or blocks communication between workloads, and between a workload and the network. This approach is environment-agnostic and platform-independent. It scales across physical and virtual infrastructure and is better suited to a company like Anthem that operates hybrid environments across multiple sites.
Anthem processes and tracks a sea of data every day, including supply chain, billing, scheduling, insurance claim information, lab results, prescriptions, diagnoses, patient data, and electronic health records. And we have to comply with both our internal policies and HIPAA guidelines on data privacy and security.
We need to unlock this data without compromising it. We have to connect the data points and sort through vast quantities of healthcare and transactional information while protecting our members' safety, security, and privacy. And we have to get dozens of smaller networks and applications talking to one another while keeping everything away from prying eyes and unauthorized access.
We use zero trust to deploy new platforms and tools from scratch, as well as modernize 50-year-old assets that predate TCP/IP stacks, and build systems for our digital incubators and AI initiatives. At Anthem, we are adopting zero trust as a framework from cloud native to established legacy applications.
Identity Management and Authorization with SPIFFE and SPIRE
Zero trust security is built on identity management and authorization. There are several tools and vendors available, but Anthem went with two open-source projects: SPIFFE (Secure Production Identity Framework for Everyone), a set of specifications for workload identity, and SPIRE (SPIFFE Runtime Environment), its production-ready implementation.
SPIFFE gives every workload in our production environment a secure identity, a SPIFFE ID of the form spiffe://<trust-domain>/<path>, delivered as a short-lived X.509 certificate (an X.509-SVID) or, for protocols that cannot carry client certificates, as a signed JWT (a JWT-SVID). It replaces per-application credentials and complex network-level ACL (Access Control List) configuration. SPIRE is the production implementation of SPIFFE: it performs node and workload attestation and handles certificate issuance and rotation.
Traditional bearer tokens, whether paired with passwords in two-factor authentication schemes or issued to browsers as session tokens, are long-lived secrets that can last up to a year. They enable access but are also an operational risk: whoever holds the token is the identity, however the token was obtained. SPIFFE and SPIRE move us away from that approach. Instead of asking "What do you have?" and verifying a token, we ask "What are you?" and confirm a cryptographic identity bound to a specific, attested workload.
SPIRE implements the SPIFFE Workload API, a local endpoint (a Unix domain socket on each node) from which a workload fetches its identity without holding any bootstrap secret of its own, and it lets you manage the attestation policies that establish trust between systems, organizations, and Kubernetes clusters. It handles the generation and rotation of short-lived certificates and the definition and issuance of identities. Registration entries control which workloads are granted which identities, based on attested selectors such as the Kubernetes namespace and service account, and the same mechanism scales across internal and external Kubernetes clusters.
SPIFFE and SPIRE in Action
Here are two examples of how this works. In a typical scenario, a pod (a Kubernetes workload) asks for a long-lived secret from a vault at start-up. In our zero trust system, the application instead requests a short-lived X.509-SVID from the SPIRE agent on its node over the Workload API. The agent attests the workload and, if a registration entry matches it, returns the certificate and private key along with the trust bundle. The application uses that certificate to authenticate itself to other workloads over a mutual Transport Layer Security (mTLS) connection, and the SPIFFE ID carried in the certificate's URI SAN is then available at the application layer for authorization decisions. Rather than handing a token to whoever asks, SPIRE maintains a registry of entries that define the conditions (selectors) a workload must satisfy before an identity is issued. Because the same identity can also be presented as a JWT-SVID, the model covers L4 through L7 rather than being tied to TLS handshakes.
In a second scenario, SPIRE can establish trust across organizations by exchanging trust bundles, the public CA certificates of each trust domain, which rotate automatically. Once that trust is established, SPIRE can validate workload identities across different clusters, trust domains, and organizations, with each peer's certificate checked only against the bundle of the trust domain named in its SPIFFE ID. You can also use OpenID Connect federation, through SPIRE's OIDC Discovery Provider, to let a specific Kubernetes pod present its JWT-SVID to AWS and assume an IAM role that grants it access to an S3 bucket, or to another external system such as a database.
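Both scenarios above come down to one check on the receiving side: pull the SPIFFE ID out of the peer's certificate, validate the chain against the bundle of the trust domain that ID names (and only that bundle), and then authorize on the ID. The Go program below, added here as an illustration and not code from Anthem, HPE or the SPIRE project, stands up two toy CAs in place of two SPIRE servers, mints X.509-SVIDs for constructed trust domains (`anthem.example` and `partner.example` are hypothetical names), and runs that check on a legitimate local SVID and on an SVID in which the partner's CA claims an ID in our trust domain. In a real deployment the SPIRE agent issues the SVID over the Workload API and the go-spiffe library performs the equivalent check inside the mTLS handshake (`tlsconfig.AuthorizeID`); the logic is factored out here so it runs offline with only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newCA builds a self-signed root for one trust domain, a constructed stand-in
// for a SPIRE server's signing CA. Its certificate is the bundle partners get.
func newCA(trustDomain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // toy serial; use a random one in real code
		Subject:               pkix.Name{CommonName: "CA for " + trustDomain},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueSVID mints an X.509-SVID: a short-lived leaf whose only URI SAN is the
// workload's SPIFFE ID. This toy CA signs any ID it is handed (a rogue issuer).
func issueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string, ttl time.Duration) ([]byte, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl), // SPIRE keeps TTLs short and rotates; there is no revocation
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{id},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// bundleSet maps each trust domain to the roots allowed to sign its SVIDs. Federation
// adds a partner's roots under the partner's own name; pools are never merged.
type bundleSet map[string][]*x509.Certificate

// verifySVID is the receiving side's check: pick the bundle named by the SPIFFE ID's
// trust domain, validate the chain against that bundle only, then authorize on the ID.
func verifySVID(bundles bundleSet, leafDER []byte, allowed map[string]bool, now time.Time) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("not an X.509-SVID: want exactly one spiffe:// URI SAN")
	}
	id := leaf.URIs[0].String()
	// Unknown trust domain => empty (non-nil) pool => rejected. A nil Roots would fall back to system roots.
	roots := x509.NewCertPool()
	for _, root := range bundles[leaf.URIs[0].Host] {
		roots.AddCert(root)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return "", fmt.Errorf("%s: rejected by its trust domain's bundle: %w", id, err)
	}
	if !allowed[id] {
		return "", fmt.Errorf("%s: authenticated but not authorized", id)
	}
	return id, nil
}

func main() {
	ourCA, ourKey, _ := newCA("anthem.example") // constructed trust domain names
	theirCA, theirKey, _ := newCA("partner.example")
	bundles := bundleSet{"anthem.example": {ourCA}, "partner.example": {theirCA}}
	id := "spiffe://anthem.example/ns/health-os/sa/claims-api"
	good, _ := issueSVID(ourCA, ourKey, id, time.Hour)
	forged, _ := issueSVID(theirCA, theirKey, id, time.Hour) // partner CA claiming our ID
	for _, der := range [][]byte{good, forged} {
		fmt.Println(verifySVID(bundles, der, map[string]bool{id: true}, time.Now()))
	}
}
```

Two details matter in practice. The roots pool handed to Verify must be an empty pool rather than nil when no bundle is known, because a nil Roots in Go's crypto/x509 silently falls back to the system trust store. And keeping one pool per trust domain, rather than merging federated roots into a single pool, is exactly what stops a partner's CA from minting identities in your domain: the forged certificate above is a perfectly valid certificate, it is simply checked against the wrong bundle and fails. Short TTLs do the rest, since SPIFFE has no revocation and an SVID past its TTL fails the same Verify call.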
These two instances demonstrate how zero trust authentication with SPIFFE and SPIRE has transformed Anthem's deployments. By automating security and making it part of the software development lifecycle, we can go from an idea to a production deployment in two weeks instead of two or three months. We are no longer focused on securing the perimeter of static infrastructure but are managing and authenticating identity at the workload level.
The Last Piece of the Puzzle
There's one more piece to our zero trust puzzle. In 2020, HPE acquired Scytale, the startup behind SPIFFE and SPIRE (both now CNCF projects), and has continued to support and promote that security platform.
Working with HPE on SPIFFE and SPIRE has freed Anthem's engineers to focus on rapidly deploying scalable cloud-native applications that streamline our processes and ensure the best healthcare outcomes for our members. At the end of the day, that's what's most important. We're only partway through our journey, but we're incredibly excited by our direction. The support from both corporate partners like HPE and the open-source community will help us change how companies work, and how our members experience healthcare.