Identity Control Plane: The Unifying Layer for Zero Trust Infrastructure

Surya Teja Avirneni

TL;DR

The paper tackles the fragmentation of identity across humans, workloads, and automation within Zero Trust architectures. It introduces the Identity Control Plane (ICP), a unified, ABAC-driven enforcement layer that integrates SPIFFE-based workload identity, OIDC/SAML user identity, and brokered automation tokens, leveraging IETF WIMSE principles and OAuth-style token exchange. Core contributions include a detailed ICP architecture with four components, concrete integration patterns, diverse use cases, a policy-simulation capability, and a compliance-alignment discussion (FedRAMP/SLSA). The work argues that runtime, intent-aware policy enforcement across trust domains can reduce audit gaps, improve observability, and scale secure access in multi-cloud, multi-tenant environments, though it remains theoretical without prototype deployment. Overall, ICP provides a scalable foundation for verifiable, cross-domain Zero Trust, moving identity from a prerequisite to a runtime control surface with practical adoption steps and future research directions.

Abstract

This paper introduces the Identity Control Plane (ICP), an architectural framework for enforcing identity-aware Zero Trust access across human users, workloads, and automation systems. The ICP model unifies SPIFFE-based workload identity, OIDC/SAML user identity, and scoped automation credentials via broker-issued transaction tokens. We propose a composable enforcement layer using ABAC policy engines (e.g., OPA, Cedar), aligned with IETF WIMSE drafts and OAuth transaction tokens. The paper includes architectural components, integration patterns, use cases, a comparative analysis with current models, and theorized performance metrics. A FedRAMP and SLSA compliance mapping is also presented. This is a theoretical infrastructure architecture paper intended for security researchers and platform architects. No prior version of this work has been published.

Paper Structure

This paper contains 40 sections, 1 figure, and 1 table.

Figures (1)

  • Figure 1: Identity Control Plane Architecture (Reference)