Identity Control Plane: The Unifying Layer for Zero Trust Infrastructure

πŸ“… 2025-04-24
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF

career value

215K/year
πŸ€– AI Summary
In zero-trust architectures, fragmented identities across human users, workloads, and automated systems hinder unified access control. Method: This paper introduces the Identity Control Plane (ICP)β€”the first cross-domain identity governance framework integrating SPIFFE identity primitives, OIDC/SAML-based federated authentication, and scoped transactional tokens. It designs a composable, standards-compliant ABAC enforcement layer aligned with IETF WIMSE and OAuth specifications; integrates OPA/Cedar policy engines; and establishes FedRAMP/SLSA compliance mapping mechanisms. Contributions: (1) Unified multi-source identity modeling with fine-grained, dynamic authorization; (2) Transaction-token-driven real-time credential lifecycle management; and (3) A complete theoretical architecture, component specifications, performance modeling, comparative analysis against mainstream zero-trust models, and a production-ready, compliance-validated deployment pathway.

Technology Category

Application Category

πŸ“ Abstract
This paper introduces the Identity Control Plane (ICP), an architectural framework for enforcing identity-aware Zero Trust access across human users, workloads, and automation systems. The ICP model unifies SPIFFE-based workload identity, OIDC/SAML user identity, and scoped automation credentials via broker-issued transaction tokens. We propose a composable enforcement layer using ABAC policy engines (e.g., OPA, Cedar), aligned with IETF WIMSE drafts and OAuth transaction tokens. The paper includes architectural components, integration patterns, use cases, a comparative analysis with current models, and theorized performance metrics. A FedRAMP and SLSA compliance mapping is also presented. This is a theoretical infrastructure architecture paper intended for security researchers and platform architects. No prior version of this work has been published.
Problem

Research questions and friction points this paper is trying to address.

Enforcing identity-aware Zero Trust access across diverse systems
Unifying SPIFFE, OIDC/SAML, and automation credentials via tokens
Proposing composable ABAC policy engines for access control
Innovation

Methods, ideas, or system contributions that make the work stand out.

ICP unifies identity-aware Zero Trust access
Composable ABAC policy engines enforce access
Broker-issued tokens integrate diverse credentials
πŸ”Ž Similar Papers
2024-02-04IEEE Communications Surveys & TutorialsCitations: 11