All posts
June 18, 20264 min read

FFIEC for non-human identities: governing machine access end to end (on Kubernetes)

Current practice for machine identities on Kubernetes The FFIEC standard makes clear that unmanaged machine credentials are a compliance nightmare. In many organizations the default approach is to create a service account, grant it a cluster‑admin role, and embed the long‑lived token in CI pipelines, Helm charts, or custom scripts. Engineers copy the token into Git repositories, store it in plaintext in secret‑management tools that are not tied to any access request, and let the workload use it

Free White Paper

End-to-End Encryption + Non-Human Identity Management: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Current practice for machine identities on Kubernetes

The FFIEC standard makes clear that unmanaged machine credentials are a compliance nightmare. In many organizations the default approach is to create a service account, grant it a cluster‑admin role, and embed the long‑lived token in CI pipelines, Helm charts, or custom scripts. Engineers copy the token into Git repositories, store it in plaintext in secret‑management tools that are not tied to any access request, and let the workload use it for the lifetime of the cluster. The result is a shared credential that can be invoked from any pod, any node, or any external script without a fresh authorization check. When a compromise occurs, the attacker inherits the same unrestricted rights and can exfiltrate data, modify workloads, or delete namespaces. Auditors looking at FFIEC‑required evidence will see a single static token and no record of who actually invoked it, making it impossible to prove that access was limited, reviewed, or logged.

Why FFIEC demands more than static service accounts

FFIEC’s guidance for financial institutions stresses “end‑to‑end governance of non‑human identities,” meaning that every machine‑initiated request must be traceable to a business purpose, approved by a responsible party, and limited to the minimum set of permissions required for that purpose. The standard also requires that any privileged operation be recorded in an immutable audit trail and that sensitive data returned to a machine be protected from accidental exposure.

Applying those principles to Kubernetes means three things must change:

  • Just‑in‑time (JIT) issuance. A service account should receive a short‑lived credential only when a specific job needs to run.
  • Approval workflow. Before a credential is minted, a designated approver must verify the request’s intent.
  • Runtime enforcement. While the workload is executing, the platform must be able to block dangerous API calls, mask sensitive fields in responses, and record every request for later review.

Even if an organization adopts OIDC‑based authentication for its service accounts, the request still travels directly to the Kubernetes API server. The API server validates the token, but it does not provide the JIT approval step, inline masking, or session‑level recording that FFIEC expects. In other words, the setup layer (identity federation, least‑privilege RBAC) solves “who can talk to the cluster,” but it does not solve “what happens once the call reaches the API server.”

Putting the enforcement point in the data path with hoop.dev

To satisfy FFIEC’s end‑to‑end requirements, the enforcement mechanism must sit in the data path between the machine identity and the Kubernetes control plane. That is exactly what hoop.dev provides. hoop.dev is a Layer 7 gateway that proxies every Kubernetes API request. It authenticates the caller via OIDC/SAML, then applies policy before the request reaches the API server. Because the gateway is the only place the traffic can be inspected, it can:

  • Record each session. hoop.dev writes a detailed log of every API call, the identity that issued it, and the response payload.
  • Mask sensitive fields. When a response contains credit‑card numbers, SSNs, or other regulated data, hoop.dev can redact those fields in real time, ensuring downstream services never see raw values.
  • Require just‑in‑time approval. A request for a privileged operation (for example, creating a ClusterRoleBinding) is held for manual approval. Only after an authorized reviewer signs off does hoop.dev forward the request.
  • Block disallowed commands. If a workload attempts to delete a namespace that is marked as protected, hoop.dev can terminate the request before it reaches the API server.

All of these enforcement outcomes exist only because hoop.dev occupies the data path. The initial identity verification (the Setup phase) still decides who may start a request, but without hoop.dev the request would travel straight to the Kubernetes API server, bypassing every control required by FFIEC.

Continue reading? Get the full guide.

End-to-End Encryption + Non-Human Identity Management: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How the architecture aligns with FFIEC evidence requirements

FFIEC auditors look for three categories of evidence: authentication logs, authorization decisions, and activity records. hoop.dev generates each of those automatically:

  • Authentication logs are produced when the gateway validates the OIDC token.
  • Authorization decisions are captured when a JIT request is approved or denied, including the approver’s identity and timestamp.
  • Activity records contain a complete, replayable trace of every API call, which can be exported for audit purposes.

Because the logs are created outside the workload that initiated the request, they cannot be tampered with by a compromised service account. This separation satisfies the “immutable evidence” principle without requiring a separate logging pipeline.

Getting started

Deploying hoop.dev follows the standard quick‑start pattern: run the Docker Compose file, configure an OIDC provider, and register your Kubernetes clusters as connections. The gateway stores the service‑account credentials, so workloads never see long‑lived tokens. Detailed steps are available in the getting‑started guide. Once deployed, you define policies that reflect your FFIEC control framework, JIT approval for privileged scopes, field‑level masking rules, and command‑blocking profiles.

FAQ

Does hoop.dev replace Kubernetes RBAC?

No. RBAC continues to enforce role‑based permissions inside the cluster. hoop.dev adds a layer of verification and recording before the request ever reaches the RBAC engine, providing the audit and approval capabilities that RBAC alone cannot deliver.

Can existing CI pipelines use hoop.dev without code changes?

Yes. Because hoop.dev acts as a transparent proxy, pipelines point their kubectl or client libraries at the gateway endpoint. The underlying client libraries remain unchanged; the gateway handles authentication, policy, and logging.

Is the audit data stored securely?

hoop.dev writes logs to a storage backend of your choice. The platform itself does not claim any special cryptographic guarantees, but it ensures that logs are generated at the gateway, outside the workload, and can be routed to tamper‑evident storage you control.

Ready to see how machine‑identity governance can meet FFIEC requirements? Explore the source and contribute on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot