Conceptual Overview

Introduction

Aembit, derived from 'ambit' (meaning boundary or scope), is an Identity and Access Management (IAM) Platform for managing access between workloads—Workload IAM. Unlike traditional User IAM, Aembit facilitates secure interactions between automated systems, such as applications and APIs, across many environments and identity types (non-human, machine, service account, and others).

Workload Definition: A workload is any application or program utilizing computing resources to perform tasks—ranging from CI/CD jobs to databases and third-party APIs.

The Aembit architecture comprises two major systems, Aembit Cloud and Aembit Edge. The sections below describe these systems.

Aembit Cloud

Aembit Cloud is a scalable, cloud-native SaaS platform offering the following capabilities:

  • Administrative Interfaces: Includes the Aembit Web UI and Aembit Platform API.
  • Workload Directory: Manages workload identities.
  • Access Policy Engine: Controls and audits workload access.
  • Event Analysis: Stores and analyzes workload activity.
  • Credential Management: Securely stores and retrieves credentials.
  • Edge Management: Handles the Aembit Edge components in customer environments.

Aembit maintains, secures, and updates the cloud infrastructure and software.

Aembit Edge

Aembit Edge is a collection of components deployed in your environment that handle identity and authentication functions for your workloads. The primary component in this system is the Aembit Agent/Proxy, which performs the following tasks:

  • Collects workload identity and other contextual information from your operating environments
  • Facilitates workload access to services

Workloads

Aembit manages access between Client Workloads and Server Workloads. Aembit administrators can configure workload representations using the Aembit Admin Web UI or programmatically using the Aembit Platform API or the Aembit Terraform Provider.

Client Workloads

Client Workloads are software applications that access services provided by Server Workloads. Examples include custom applications, CI/CD pipelines, daemons, one-off or batch jobs, and deployment scripts. Typically, Client Workloads run as background processes and require access to services without user intervention.

Server Workloads

Server Workloads are software applications that serve requests from Client Workloads. Examples may include third-party SaaS APIs, API gateways, databases, and data warehouses.

Server Workload configuration settings include Service Endpoint and Authentication, among other properties. The Service Endpoint is where you define the networking details of your Server Workload. Authentication refers to how your Server Workloads authenticate client requests.

Access Policies

Access Policies specify the conditions that must be satisfied for Aembit to grant Client Workloads access to Server Workloads.

Aembit evaluates access in the following way:

  • Do the Client Workload and Server Workload match an Access Policy?
  • Does the Trust Provider attest to the identity of the Client Workload?
  • Does the Client Workload satisfy all Access Conditions specified in the Access Policy?

Once Aembit Cloud authorizes access, it delivers a credential suitable for authenticating to the target service.
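To make the three checks concrete, here is an added example (not Aembit's code) that models an Access Policy evaluation in the order listed above: policy match, Trust Provider attestation, then Access Conditions, with a credential handed back only after all three pass. The data shapes, the `aws` Trust Provider value, the IAM role ARN, the `api-key-store` Credential Provider and the sample conditions are all constructed for illustration and are not Aembit identifiers.

```python
"""Added example (not Aembit's code): a minimal model of the three checks an
Access Policy evaluation performs, in the order the section above lists them.
Every name, data shape and sample value here is constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Attestation:
    """What a Trust Provider vouched for, after its signature/claims were verified."""
    provider: str   # e.g. "aws" or "kubernetes" (constructed values)
    identity: str   # identity the provider asserts for the workload
    verified: bool  # False if verification of the provider's evidence failed


@dataclass
class AccessRequest:
    client_workload: str
    server_workload: str
    attestation: Optional[Attestation]
    context: Dict[str, object] = field(default_factory=dict)  # IP, posture, ...


# An Access Condition is a predicate over the request and its context.
Condition = Callable[[AccessRequest], bool]


@dataclass
class AccessPolicy:
    client_workload: str
    server_workload: str
    trust_provider: str        # which Trust Provider must attest the client
    expected_identity: str     # the identity that provider must assert
    conditions: List[Condition] = field(default_factory=list)
    credential_provider: str = ""


@dataclass
class Decision:
    allowed: bool
    reason: str
    credential: Optional[str] = None


def evaluate(policies: List[AccessPolicy], request: AccessRequest,
             credential_providers: Dict[str, Callable[[AccessRequest], str]]) -> Decision:
    # 1. Do the Client Workload and Server Workload match an Access Policy?
    matches = [p for p in policies
               if p.client_workload == request.client_workload
               and p.server_workload == request.server_workload]
    if not matches:
        return Decision(False, "no matching access policy")
    policy = matches[0]

    # 2. Does the Trust Provider attest to the identity of the Client Workload?
    # Deny on a missing, unverified, wrong-provider or wrong-identity attestation.
    att = request.attestation
    if (att is None or not att.verified or att.provider != policy.trust_provider
            or att.identity != policy.expected_identity):
        return Decision(False, "trust provider attestation failed")

    # 3. Does the Client Workload satisfy all Access Conditions?
    for cond in policy.conditions:
        if not cond(request):
            return Decision(False, f"access condition failed: {cond.__name__}")

    # Authorized: only now is a credential fetched from the Credential Provider.
    issue = credential_providers[policy.credential_provider]
    return Decision(True, "authorized", credential=issue(request))


# --- Constructed sample conditions, policy and credential provider ---------

ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed range


def source_ip_allowed(req: AccessRequest) -> bool:
    """Access Condition: the workload's source IP must fall in an allowed range."""
    try:
        ip = ipaddress.ip_address(str(req.context.get("source_ip", "")))
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_NETWORKS)


def host_posture_compliant(req: AccessRequest) -> bool:
    """Access Condition: the hosting VM's posture, as reported by a third-party
    product, must be 'compliant'."""
    return req.context.get("posture") == "compliant"


SAMPLE_POLICIES = [AccessPolicy(
    client_workload="billing-batch-job",
    server_workload="payments-api",
    trust_provider="aws",
    expected_identity="arn:aws:iam::123456789012:role/billing",  # constructed
    conditions=[source_ip_allowed, host_posture_compliant],
    credential_provider="api-key-store",
)]

# A Credential Provider that returns a stored API key (constructed value).
CREDENTIAL_PROVIDERS = {"api-key-store": lambda req: "constructed-api-key-for-payments"}


def decide(client: str, server: str, attestation: Optional[Attestation], **context) -> Decision:
    """Evaluate one request against the sample policy."""
    return evaluate(SAMPLE_POLICIES, AccessRequest(client, server, attestation, context),
                    CREDENTIAL_PROVIDERS)
```

The ordering matters for the failure modes: a request with no matching policy is refused before any attestation is inspected, a forged or unverified attestation is refused before conditions run, and the Credential Provider is never consulted on a deny, so a credential is only ever minted for a request that passed all three checks.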

Trust Providers

Trust Providers are third-party systems or services, such as AWS, Azure, and Kubernetes for cloud-based deployments and Active Directory for on-premises / data center deployments. Trust Providers attest to workload identities and provide reliable, trustworthy information about the environment in which those workloads operate.

By federating Aembit with Trust Providers, Aembit can authenticate Client Workloads without requiring operators to introduce long-lived secrets into their environments.

Access Conditions

Access Conditions are criteria Aembit checks when evaluating an Access Policy to determine whether or not to grant a Client Workload access to a target Server Workload.

Some examples of Access Conditions are:

  • Querying third-party products to check the security posture of virtual machines hosting your workloads
  • Verifying the geographic location of a workload based on its IP address

Please refer to the Access Conditions section of the documentation for a complete and up-to-date list.

Credential Providers

Credential Providers are systems that provide access credentials, such as OAuth tokens, service account tokens, API keys, or username-and-password pairs.

In scenarios where third-party token services implement the OAuth 2.0 Client Credentials flow or Workload Identity Federation, Aembit can automatically request access tokens on behalf of Client Workloads. Aembit can natively store and retrieve simple credential types like API keys or passwords when needed, without relying on a third party.
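The following added example (not Aembit's code) shows what a Credential Provider backed by an OAuth 2.0 Client Credentials token endpoint does on a Client Workload's behalf: build the token request with the client secret in the `Authorization` header rather than the workload environment, validate the response, and cache the token until shortly before it expires so the endpoint is not hit on every request. The token URL, client id and secret, `FakeTokenEndpoint`, `FakeClock` and `demo` are constructed stand-ins so the block runs offline.

```python
"""Added example (not Aembit's code): a Credential Provider backed by an
OAuth 2.0 Client Credentials token endpoint. It requests an access token on a
Client Workload's behalf, validates the response and caches the token until
shortly before it expires. The endpoint URL, client id/secret, FakeTokenEndpoint
and clock values are all constructed; a real deployment would send the request
over HTTPS."""
import base64
import time
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode


class ClientCredentialsProvider:
    def __init__(self, token_url: str, client_id: str, client_secret: str,
                 transport: Callable[[str, Dict[str, str], str], dict],
                 now: Callable[[], float] = time.time, skew_seconds: int = 60):
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret   # held in the credential store, never in the workload
        self.transport = transport           # (url, headers, body) -> parsed JSON dict
        self.now = now
        self.skew = skew_seconds
        self._cache: Dict[str, Tuple[str, float]] = {}  # scope -> (token, expires_at)

    def build_request(self, scope: str) -> Tuple[str, Dict[str, str], str]:
        """Token request per RFC 6749 section 4.4, authenticating with client_secret_basic."""
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        }
        body = urlencode({"grant_type": "client_credentials", "scope": scope})
        return self.token_url, headers, body

    def get_token(self, scope: str) -> str:
        """Return a cached token while it has more than `skew` seconds left,
        otherwise fetch a fresh one from the token endpoint."""
        cached = self._cache.get(scope)
        if cached is not None and cached[1] - self.skew > self.now():
            return cached[0]
        url, headers, body = self.build_request(scope)
        resp = self.transport(url, headers, body)
        if "error" in resp:
            raise PermissionError(f"token endpoint refused: {resp['error']}")
        if resp.get("token_type", "").lower() != "bearer" or "access_token" not in resp:
            raise ValueError("unexpected token response shape")
        token = str(resp["access_token"])
        expires_at = self.now() + int(resp.get("expires_in", 0))
        self._cache[scope] = (token, expires_at)
        return token


# --- Constructed offline stand-ins for the token endpoint and the clock ----

class FakeClock:
    def __init__(self, t: float = 1_700_000_000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class FakeTokenEndpoint:
    """Answers like a Client Credentials token endpoint and counts real fetches."""
    def __init__(self):
        self.calls = 0

    def __call__(self, url: str, headers: Dict[str, str], body: str) -> dict:
        self.calls += 1
        if not headers.get("Authorization", "").startswith("Basic "):
            return {"error": "invalid_client"}
        if "grant_type=client_credentials" not in body:
            return {"error": "unsupported_grant_type"}
        return {"access_token": f"constructed-token-{self.calls}",
                "token_type": "Bearer", "expires_in": 3600}


def demo() -> Tuple[str, str, str, int]:
    """Fetch once, hit the cache, then refresh inside the skew window; returns
    the three tokens and the number of round trips to the endpoint."""
    clock, endpoint = FakeClock(), FakeTokenEndpoint()
    provider = ClientCredentialsProvider("https://idp.example/oauth2/token",  # constructed
                                         "billing-batch-job", "constructed-secret",
                                         endpoint, now=clock, skew_seconds=60)
    first = provider.get_token("payments.read")
    second = provider.get_token("payments.read")   # served from cache
    clock.advance(3600 - 30)                        # 30 s left: inside the 60 s skew
    third = provider.get_token("payments.read")    # refreshed before expiry
    return first, second, third, endpoint.calls
```

The long-lived `client_secret` is the one secret in this flow, and it stays with the Credential Provider; the Client Workload only ever sees short-lived access tokens, which is the property the Trust Providers section above describes. The skew window avoids handing a workload a token that expires mid-request.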

Logging and Reporting

Aembit logs administrative changes and workload access attempts, providing detailed reports on:

  • Audit Logs: Tracks system changes made by administrators.
  • Access Authorization Events: Monitors and logs workload access requests.
  • Workload Events: Records workload interactions, excluding sensitive payload data.