Trust Anchors In Modern Systems; Don’t Overlook The Bottom Turtle

Mike Maxey

As you move between industries you pick up on different phrases commonly used between experts in the space. It’s a nerd form of slang, phrases that can leave you feeling completely lost while comprehending every word. One such phrase I’m hearing as I dive into the identity and access management space is: ‘It’s turtles all the way down’. This phrase is associated with a few things, so to be clear, I’m not talking about the new book, the classic science fiction book, the country music ballad, or the metalcore song. Instead, I’m referring to the concept of infinite regress. It typically goes something like this:

q) How do you secure Y?

a) You run A, so we use A.

q) Ok, but to trust A I need to trust B, so how do you secure B?

a) Well B uses C which you run so we use C.

q) Ok, but to trust C…

…repeats a few times…then…

a) It’s turtles all the way down

People in the room nod in agreement and conversations continue.

What just happened was a discussion about the trust anchor and dependencies of a system, and while a clever turtle reference often satisfies the room, getting a real answer to this question is fundamental to modern security practice. Why? Because the trust anchor is exactly what it sounds like: the anchor for a chain of trust that flows across the components of the system. It’s the linchpin of the system, aka the bottom turtle.

The Bottom Turtle

According to Wikipedia, the lore behind the turtle analogy is based on a “mythological idea of a World Turtle that supports the earth on its back. It suggests that this turtle rests on the back of an even larger turtle, which itself is part of a column of increasingly large turtles that continues indefinitely (i.e., “turtles all the way down”).”

While the mythology has endless turtles, you have already selected your bottom turtle (whether you recognize it or not). If you are like most modern enterprises your bottom turtle is your cloud provider. You trust AWS to provide a machine image to run your processes. You put your data into an Azure database. Your Kubernetes cluster runs in GKE. Embedded in these cloud offerings, beyond CPUs, network bandwidth, and GBs of storage, is trust: trust in the provider to operate and secure your workloads.


At smallstep we’ve built an Open Source framework for production identity that users can deploy anywhere. It serves as an identity authority for services, machines, applications and the people who manage them, and enables end-to-end encryption everywhere. It’s deep tech that requires responsible defaults to deliver secure, automated bootstrap into any environment. It’s that last part, secure bootstrap anywhere, that requires us to find the bottom turtle: the anchor of the chain of trust.

Bootstrapping the Trust Anchor

Smallstep makes it embarrassingly easy to bootstrap trust in cloud environments using Instance Identity Documents (IIDs). These documents are simply credentials, signed by the cloud provider, that identify an instance’s name and owner. By presenting an IID in a request, a workload can prove it’s running on a VM instance you own. An IID is only obtainable from inside that virtual machine, so it serves as proof that you can trust this process. When combined with our Open Source framework it becomes simple to deliver production identities to workloads running on any cloud (without having to build your own enrollment system and integrate it into your deploy pipeline).

Smallstep’s latest release includes support for operators getting certificates using IIDs. This functionality is supported on all the major cloud provider platforms though you will find small differences depending on the provider. For example, GCP uses the term instance identity tokens and Azure likes access tokens. If you want to use TLS to secure service-to-service communication in the cloud (and here is why you should), this update from smallstep will make your life 100% easier.
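To make the IID check concrete, here is an added Go example (not smallstep’s code) of what a certificate authority has to verify before it issues a certificate on the strength of an instance identity document: the provider’s signature, an allowlist of accounts you own, and a freshness window so a captured document cannot be replayed later. The document is a constructed subset of AWS’s format, a locally generated RSA key stands in for the provider’s, and the `IdentityDoc`, `Policy`, `SignDoc` and `VerifyIID` names are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// IdentityDoc is a constructed subset of an AWS instance identity document
// (real documents carry more fields; these are the ones the CA must check).
type IdentityDoc struct {
	AccountID   string    `json:"accountId"`
	InstanceID  string    `json:"instanceId"`
	PendingTime time.Time `json:"pendingTime"`
}
// Policy is the CA-side enrollment policy (hypothetical struct, modelled on
// the account allowlist and instance-age limit a cloud provisioner exposes).
type Policy struct {
	Accounts    map[string]bool // accounts whose instances may enroll
	InstanceAge time.Duration   // enroll this soon after launch or not at all
}

// SignDoc stands in for the cloud provider: in production the document and
// signature come from the metadata service and only the provider holds the key.
func SignDoc(doc IdentityDoc, key *rsa.PrivateKey) (raw, sig []byte, err error) {
	raw, _ = json.Marshal(doc) // cannot fail for this struct
	digest := sha256.Sum256(raw)
	sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return raw, sig, err
}

// VerifyIID is the CA side: provider signature, then account allowlist, then
// freshness. It returns the instance ID the certificate must be bound to.
func VerifyIID(raw, sig []byte, pub *rsa.PublicKey, p Policy, now time.Time) (string, error) {
	digest := sha256.Sum256(raw)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("document not signed by the cloud provider")
	}
	var doc IdentityDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return "", err
	}
	if !p.Accounts[doc.AccountID] {
		return "", errors.New("instance is not in an account we own")
	}
	if age := now.Sub(doc.PendingTime); age < 0 || age > p.InstanceAge {
		return "", errors.New("document outside the enrollment window")
	}
	return doc.InstanceID, nil
}
```

The order matters: the signature is checked before the JSON is even parsed, so nothing in an unsigned document is trusted, and the returned instance ID is what the CA should put in the certificate rather than any name the requester supplies.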

We encourage you to try using smallstep and IIDs with your favorite cloud provider. We think you will find it easy to start using production identity to secure your distributed applications. You can find out more details about each cloud implementation by visiting our integrations web page. If you would prefer to dive into the technical details, please read Embarrassingly easy private certificate management for VMs on AWS, GCP, and Azure and as always, please reach out to the community with any questions or send us direct feedback, we are here to help.


What you have just consumed is the latest issue of an ongoing series of Modern Security for Leaders posts. In each edition, I break down a complex security concept into a simple-to-understand format and highlight where it brings true business value.