Core Concepts: Zero Trust Identity for Workloads
Target Audience: Platform Engineers, DevSecOps, Site Reliability Engineers (SRE)
In the era of ephemeral microservices, static network perimeters are obsolete. This document outlines the architectural primitives of the Hopr.co platform, designed to solve the Security-Velocity Paradox: enabling developer speed ("The Golden Path") while enforcing rigorous Zero Trust security through Non-Human Identity (NHI).
1. The Paradigm Shift: From Network to Identity
Legacy tools attempt to secure workloads using Layer 3/4 network segmentation (IP whitelisting, firewalls). This approach fails in Kubernetes environments, where IPs churn rapidly and "East-West" traffic volume explodes.
Hopr shifts the enforcement boundary from the network to workload identity and the application layer.
- Identity First: We verify the ephemeral cryptographic identity of the workload (the MAID™ credential) at the start of every connection (session) between two workloads (apps/pods).
- Machine-to-Machine (M2M) Focus: Unlike human-centric PAM tools (SSH/RDP), our architecture is built specifically for high-velocity, automated service-to-service communications and trust.
- Zero Trust by the Transaction: Trust is not a static firewall rule; it is a decision made on every single request using ephemeral credentials.
2. Automated Moving Target Defense (AMTD)
Static credentials (long-lived API keys, static certs) are the primary vector for modern breaches. If a secret exists on a disk, it can be stolen.
AMTD is the core defensive doctrine of Hopr. By continuously rotating identities and secrets, we turn your infrastructure into a moving target.
- Ephemeral by Design: Access to workloads and data exists only for the duration it is needed, and only when it is needed (just-in-time).
- High-Frequency Rotation: Identities and secrets are rotated in minutes or seconds, destroying the attack window for adversaries.
- Invisible Infrastructure: Services are authenticated and encrypted, making them invisible to unauthorized network scans. Traffic may be observed, but any attempted access by a threat causes the endpoint to vanish from the network (acting like a mirage on the threat's reconnaissance map).
3. The Solution Stack
The Hopr platform is composed of two parts: the Lane7 Blueprints (Solution Configuration & Delivery) and the Korvette-S (Runtime Security and Access Control).
A. Lane7 Blueprints
The "Golden Path" for GitOps Integration.
Lane7 is a catalog of Infrastructure-as-Code (IaC) blueprints (in practice, a zip file of Kubernetes manifests) designed to drop directly into your existing CI/CD pipelines.
- Artifacts: A blueprint contains an App, a Dockerfile, and Kubernetes manifests. The Kubernetes manifests are organized in pod directories. Each pod directory contains the pre-configured namespace, secrets, and deployment YAMLs for one pod.
- Function: Lane7 creates the "Golden Path" for developers to simply and quickly deploy app workloads that are Zero Trust and Secure by Default. Instead of asking developers to manage PKI certificates, secret rotation, or mTLS complexity manually, Platform Engineers deploy Lane7 blueprints that are pre-configured to produce a secure Layer 7 network of applications.
- Compliance Packs: Pre-configured blueprints for high-compliance environments (PCI-DSS, HIPAA) that enforce strict rotation policies out-of-the-box.
- Protocol Packs: Pre-configured blueprints for different app communication protocols (HTTP/REST, gRPC, HL7, OPC UA) that enforce strict authorization and authentication access controls out-of-the-box.
B. Korvette-S
The Sidecar Proxy for Strong Security.
Korvette-S is the Workload Security Proxy (WoSP) that operates as a sidecar to a containerized app (workload) at runtime. It is a lightweight, high-performance sidecar (built on Envoy proxy) that acts as the gatekeeper for the host application. It allows Zero Trust connections among workloads and rejects untrusted access attempts. It also ensures that all traffic is bi-directionally encrypted end-to-end at the application layer (without TLS or mTLS).
- Enforcement Point: Korvette-S intercepts all ingress and egress traffic for the workload.
- Invisible Encryption Keys: It handles encryption and decryption of data without a key exchange, without a complex handshake, and without secrets vaulting and retrieval. Encryption keys are self-generated at each endpoint and never leave the WoSP container. The application logic remains unaware of the underlying networking and security.
- Performance: Built for speed, Korvette-S ensures that adding Zero Trust security does not introduce unacceptable latency to high-throughput microservices once a communication session starts.
4. Architecture and Technology Foundations
Underpinning Lane7 and Korvette-S are several fundamental technology and protocol mechanisms:
Architecture Foundation
Lane7 Blueprints are based on Layer 7 (the application layer of the OSI model) and on a sidecar proxy for containerized applications (i.e., workloads) in cloud environments (e.g., Kubernetes, Docker). Sidecar proxies are common in cloud infrastructure and service mesh solutions to abstract the complexity of the communications network away from the application itself. Lane7 builds on that networking abstraction and extends it to also abstract identity and secrets (credentials) management for the workload. App developers do not need to be concerned with PKI identity management, TLS/mTLS, or other static secrets, and DevOps and Platform Engineers do not need to worry about them, or about the security of deployed applications, either. The WoSP abstracts those concerns away from applications and deployments, greatly simplifying and accelerating the deployment of networked applications that are secure by default.
MAID™ (Machine Alias ID)
The Machine Alias ID is the decentralized, dynamic identity credential automatically assigned to a workload when it is first deployed and rotated by the WoSP thereafter. The technology is critical to achieving an important Zero Trust principle: verification of identity trust at every transaction.
- Chain of Trust: A MAID is not just a random string; it is cryptographically bound to the workload's history of trusted activity with other workloads. It represents a chain-of-trust in the workload that is not possible with automated PKI identities.
- Self-Sovereign: It reduces reliance on a central bottleneck for authorization of workload connections and for every authentication decision that occurs when workloads connect to share data.
CHIPS™
Codes Hidden In Plain Sight is a technology composed of a large library of algorithms whose purpose is to generate a cryptographic seed from random high-entropy data. The magic of CHIPS is the ability of an algorithm to generate the same key when it runs within two different WoSPs at nearly the same time.
- Just-in-Time Key Generation: A CHIPS seed is used by a well-proven cryptographic library to generate a secret when it is needed; the secret is destroyed immediately after use.
- Eliminating Secret Sprawl: There are no static .env files or Kubernetes Secrets objects waiting to be scraped. CHIPS ensures that if an attacker dumps memory, they find only expired noise.
SEE™
Synchronous Ephemeral Encryption is a protocol whose purpose is to establish a bi-directional, WoSP-to-WoSP encrypted communication channel between two trusted workloads. The protocol runs at the start of a communication session between the WoSP sidecars attached to the two workloads.
- No Key Exchange or Handshake: SEE builds secure communication lanes for data in transit without needing to exchange the symmetric key in a handshake. It relies on the CHIPS algorithm to generate an identical key at each WoSP endpoint.
- No Identity or Crypto Boundary: The SEE-enabled communication channel secures data in transit over the entire route between workloads and is not vulnerable to early termination. It eliminates complicated and vulnerable identity federation across TLS encryption boundaries.
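As an added illustration (not Hopr's code, and not the real CHIPS or SEE algorithm, which the page does not describe), the following Python sketch shows the property the CHIPS and SEE sections above rely on: two endpoints that share a seed and agree on a time window derive the same key independently, nothing key-like is exchanged, and the key changes with every window. The seed, the 30-second window, the channel label and the skew tolerance are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed illustration: both sidecars hold the same high-entropy seed and
# agree on a rotation window, so each derives the session key independently
# and nothing key-like crosses the wire. Hypothetical analogue only; the page
# does not describe the real CHIPS/SEE algorithms.
SEED = bytes.fromhex("5e8a0c2f7b914d36a1e0f9c84b2d7a6153c0e8f4d2b19a7c6e3f0d1b2a4c5e6f")
WINDOW_SECONDS = 30  # hypothetical rotation interval

def window_index(ts, window=WINDOW_SECONDS):
    """Map a clock reading onto a rotation window; both ends must agree on this."""
    return int(ts // window)

def derive_key(seed, idx, channel):
    """Deterministic per-window, per-channel key: HMAC-SHA256(seed, channel:idx)."""
    return hmac.new(seed, f"{channel}:{idx}".encode(), hashlib.sha256).digest()

def keystream_xor(key, nonce, data):
    """Toy SHA-256 counter-mode keystream XORed over data (use AES-GCM in practice)."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)

def seal(seed, channel, plaintext, now):
    """Sender side: derive the current window's key, encrypt, and authenticate."""
    key = derive_key(seed, window_index(now), channel)
    nonce = os.urandom(12)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}  # no key and no window index on the wire

def unseal(seed, channel, msg, now, skew_windows=1):
    """Receiver side: try its own window and +/- skew_windows neighbours, so a
    message sealed just before a rotation boundary still opens; anything older
    (or any tampering) fails the tag check and is rejected."""
    local = window_index(now)
    for idx in range(local - skew_windows, local + skew_windows + 1):
        key = derive_key(seed, idx, channel)
        expected = hmac.new(key, msg["nonce"] + msg["ct"], hashlib.sha256).digest()
        if hmac.compare_digest(expected, msg["tag"]):
            return keystream_xor(key, msg["nonce"], msg["ct"])
    return None
```

The receiver's bounded search over neighbouring windows is what makes clock skew tolerable without reintroducing a handshake; widening it trades replay exposure for tolerance, so it should stay small.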
5. Semantic Comparison: Identity vs. Networking
For Platform Engineers evaluating the stack, it is crucial to understand where Hopr fits relative to CNIs (e.g., Calico, Cilium).
| Feature | Network Segmentation (Calico, Cilium) | Hopr Identity (Lane7 + Korvette-S) |
|---|---|---|
| Control Plane | Layer 3 / Layer 4 (IP/Port) | Layer 7 (Identity/API) |
| Primary Artifact | NetworkPolicy (YAML) | Machine Alias ID (mTLS Cert) |
| Enforcement | Kernel / eBPF | Korvette-S Sidecar |
| Secret Mgmt | None (Out of Scope) | CHIPS (Automated Rotation) |
| Defense Type | Static Perimeter | AMTD (Dynamic Rotation) |
6. The "Day 2" Operations Advantage
Lane7 Blueprints are designed for the long haul.
- Zero-Touch Rotation: The Blueprints handle the entire lifecycle of credential management. No pager fatigue from expired certs. No secrets vaults or secrets sprawl.
- Future-proof: The Blueprints are future-proof against quantum attacks and AI-driven attacks.
- Auditability: Every transaction is cryptographically attributable to a specific workload via the MAID, providing a forensic audit trail that IP logs cannot match.
- Drift Detection: Because security is defined as code (Korvette-S sidecars), any drift in the runtime environment is easily detected and remediated via GitOps reconciliation loops.