Machine Identities and Secrets

Stop Configuring mTLS. Start Describing Your Network

Tom McNamara

June 11, 2026

Lane 7 Blueprints deploy Korvette sidecars with applications to eliminate the pain points of automated PKI and mTLS and deliver stronger security

How Lane7 Blueprints replace weeks of Kubernetes security configuration with a production-ready, cryptographically secured application network — delivered to you, ready to deploy.

If you have spent more than a few days configuring mutual TLS across a multi-pod Kubernetes application, you already know the experience. The certificate chain that works in your local k3d cluster breaks at the EKS boundary. The intermediate CA you thought was trusted turns out not to be recognized by the sidecar in pod three. The rotation schedule you set up works fine until a workload restarts mid-rotation and the handshake fails silently, causing the upstream service to queue requests until your on-call engineer notices traffic has stopped flowing at 2am.

Then there is the multi-cloud case. mTLS terminates at identity domain boundaries — the point where your AWS environment hands off to your GCP environment, or where your internal cluster meets a third-party API. At those boundaries, the encryption you spent weeks configuring simply stops. Data crosses the gap in plaintext. The security posture you believed you had does not match the security posture you actually have.

This is not a configuration skill problem. It is an architectural one. mTLS was designed for a world where workloads live inside a single trust domain with a shared certificate authority. Modern application networks — microservices spanning multiple clouds, AI inference pipelines, cross-organizational API transactions — do not live in that world. Trying to secure them with mTLS is the right security instinct applied to the wrong tool.

This article introduces a different approach: Lane7 Blueprints, Hopr's production-ready, cryptographically defended Kubernetes application network framework. The core idea is simple enough to state in one sentence, though the implications take longer to appreciate: instead of configuring security on top of a running application network, you describe the network you need to Hopr, and you receive a complete, deployment-ready blueprint with the security built in — cryptographically enforced, requiring zero certificates, zero certificate authorities, and zero operator-managed rotation.

The Problem With How We Currently Do This

Before getting into Lane7, it is worth being precise about why the conventional approach fails, because the failure is not obvious until you have lived it.

mTLS Assumes a Trust Foundation It Cannot Verify

Mutual TLS works by having each party in a connection present a certificate issued by a trusted Certificate Authority. The idea is that if both sides trust the same CA, and both sides hold a valid cert from that CA, then both sides can trust each other.

The problem is that the CA verification step does not actually verify the workload. Automated PKI systems — the kind used in every enterprise Kubernetes environment at scale — issue certificates to any workload that requests one. The process is designed for speed. Tools like cert-manager and Let's Encrypt are optimized to get TLS running quickly, not to establish that the entity requesting a certificate is the legitimate workload it claims to be.

What this means in practice: a compromised workload can obtain a valid certificate. An attacker who has gained access to a pod can request a new cert. The certificate is valid. mTLS accepts the connection. The attacker is inside the secured channel.

There is a second structural weakness. When a certificate expires and is renewed, the new certificate is a complete identity replacement. The workload is the same. Its history of trusted communication is not. Every renewal resets the identity to zero — a brand new entity with no provenance. In PKI systems, the chain of trust lives with the CA chain, not with the workload.

The Multi-Cloud Gap

mTLS encryption terminates at identity domain boundaries. In a single-cluster deployment with a unified CA, this is manageable. In any topology that crosses cloud environments, organizational boundaries, or separate Kubernetes clusters, it is not.

At every domain boundary, TLS terminates. Traffic crosses the gap. A new TLS session begins on the other side. The encryption you see in your monitoring covers the segments within each domain. The gaps between domains — often the highest-risk segments, carrying inter-organizational data or cross-cloud API traffic — are exposed.

Platform engineers who have debugged this in production know the specific experience: the security audit that discovers a segment of traffic between your EKS cluster and a third-party API that was never encrypted at all, despite weeks of mTLS configuration effort.

The Operational Burden That Never Goes Away

Even when mTLS is correctly configured — which typically takes experienced DevOps engineers weeks to achieve, longer in multi-cloud environments — the ongoing operational burden is substantial:

  • Certificate rotation scheduling and monitoring
  • CA chain management across environments
  • Debugging handshake failures that surface as silent traffic drops
  • Vault integration for credential storage, which introduces its own API surface and its own secrets to manage
  • Reconfiguration every time the network topology changes

None of this work produces application features. It produces a security layer that, as established above, has structural gaps it cannot close. The engineering time cost is real and the security return is incomplete.

A Different Model: Describe Your Network, Receive Your Blueprint

Lane7 Blueprints start from a different premise. Security is not something you configure on top of an application network. It is something that is built into the network at the point of composition — derived deterministically from a description of the network you need, and enforced cryptographically from the first deployment.

The process is straightforward: you describe your application network to Hopr — the workloads, how they connect, what protocols they use, where the external access points are, and what security mode fits your use case. Hopr composes a complete, validated, deployment-ready blueprint and delivers it to you. You deploy it to your Kubernetes cluster.

What you receive is a complete package: Kubernetes manifests for every pod, application code with your business logic stubs ready to fill in, deployment and teardown scripts, boundary access configuration, and a generated README documenting your network's security posture. Every inter-pod communication channel is protected by Hopr's WoSP (Workload Security Proxy) technology from the moment the network starts.

What Hopr Composes on Your Behalf

To illustrate what this looks like, here is how Hopr represents a three-pod HTTP network internally — a gateway that accepts external triggers, a relay processor, and a sink that stores results:

my-api-network/

├── README.md              # Network guide with Pod Map and Network Details table

├── blueprint.yaml         # Machine-readable summary with per-pod security posture

├── deploy.sh              # Ordered namespace + manifest application

├── teardown.sh            # Ordered namespace deletion

├── pinhole-setup.sh       # TLS cert generation for boundary pods

├── gateway/

│   ├── app/

│   │   ├── app.py         # Section 1 business logic stubs + Section 2 WoSP layer

│   │   └── Dockerfile

│   ├── 01-namespace.yaml

│   ├── 02-secrets.yaml

│   └── 03-deployment.yaml

├── processor/

│   └── ...

└── sink/

    └── ...

Every manifest is deterministic and version-controllable. When your network requirements change — a new pod, a different protocol, an updated access policy — Hopr recomposes the blueprint and delivers a new package whose diff shows exactly what changed in the network and security configuration. This makes Lane7 blueprints fully compatible with GitOps pipelines and security audit trails.

What Hopr Needs From You

The conversation with Hopr to produce a blueprint is not a lengthy requirements process. You need to be able to describe:

  • The workloads in your network and their roles (entry point, processing, aggregation, exit)
  • How they connect to each other and in what direction data flows
  • What protocols they use (HTTP, WebSocket, gRPC, or a mix)
  • Where external callers need to enter and exit the network
  • Any multi-cluster or multi-cloud requirements
  • Which security mode fits your use case (see below)

Hopr handles everything else — the Envoy filter configurations, the cryptographic identity assignments, the namespace and DNS structure, the deployment ordering, and the security validation. You receive a blueprint that is ready to deploy without any security engineering work on your part.

How the Security Actually Works

Lane7's security is not implemented through certificate management. It is implemented through three patented Hopr technologies that work together to make unauthorized connections cryptographically impossible.

CHIPS™ — No Key Exchange, No Interception

The foundational technology is CHIPS™ (Codes Hidden in Plain Sight). CHIPS uses a special algorithm that draws on naturally dynamic information available across the Internet as shared entropy to generate a cryptographic seed. That seed feeds a symmetric cryptographic library — AES-256 GCM — to produce a symmetric encryption key.

The critical property: two workloads in entirely different cloud environments can run their CHIPS™ algorithms at the same time and generate an identical key — without exchanging any information with each other.

There is no key handshake. There is no key transmission. The attack surface that Man-in-the-Middle attacks and key interception depend on does not exist. Each key is generated locally, used for the duration of a single communication session, and discarded when the session closes. There is nothing in memory worth stealing.

This also solves the multi-cloud encryption gap problem completely. Because CHIPS™ keys are generated independently at each endpoint using the same algorithm, end-to-end encryption covers the entire route between workloads — including the segments between cloud environments and organizational boundaries where mTLS terminates. There are no unencrypted gaps.

SEE™ — Synchronous Ephemeral Encryption

The SEE™ (Synchronous Ephemeral Encryption) protocol uses CHIPS™ keys to encrypt every API call between trusted workloads. The encryption is bidirectional and quantum-proof.

The practical consequence for API security is immediate and decisive: when an API call arrives at a Lane7-protected endpoint, SEE™ decryption is applied. A call using a stolen or compromised API key fails decryption at arrival. The stolen key is discovered, the call is logged, and it is dropped — before it reaches the application, before any data is returned, without notifying the sender that the attempt was detected.

This is not anomaly detection. It is cryptographic rejection. No behavioral baseline. No alert queue. No human review. The unauthorized call simply cannot decrypt.

MAID™ — Workload Identity Rooted in Deployment History

MAID™ (Machine Alias ID) is the workload identity credential. Unlike a PKI certificate — which is issued without vetting the requesting workload and which creates a new identity with each renewal — the MAID™ credential is assigned to a workload at first deployment by a trusted DevSecOps team and builds an immutable chain of trust from that point forward.

As communication sessions with other trusted workloads occur, the MAID™ credential hops to new values that are a blockchain derivative of its prior sessions. The credential represents provenance — a verifiable history of trusted behavior from the moment of deployment.

Hopr operates an observation plane that verifies each workload's MAID™ credential at the start of every session. If verification fails — if the presenting credential does not match the expected next state of the identity chain — the connection is blocked and the security team is alerted.

The operational implication for your team is significant: credential rotation is automatic and continuous, driven by session activity, not by a rotation schedule anyone manages. The five-to-thirty-second rotation window means that even a successfully intercepted credential is worthless before an attacker can act on it.

The Two-Section Application Model

Every Lane7 blueprint application is structured around a clean separation between security and business logic. When you receive a blueprint, each pod's application file (app.py) is divided into two sections.

Section 1 — Business Logic (yours to fill in):

This is the only section your development team touches. It contains stub functions that you replace with your production logic. The framework guarantees these hooks are called with the correct payload types in the correct order relative to inter-pod communication.

# ============================================================

# SECTION 1 — BUSINESS LOGIC (EDIT THIS SECTION)

# ============================================================

async def on_trigger(payload: dict) -> dict:

    Called when a new task enters the network via /trigger.

    Replace this stub with your entry validation and processing logic.

    task_id = payload.get("task_id", "unknown")

    data = payload.get("data", {})

    # Your business logic here

    result = {"processed": True, "task_id": task_id, "output": data}

    return result

async def on_receive_relay(payload: dict) -> dict:

    Called when a relayed message arrives from an upstream pod.

    Replace this stub with your transformation logic.

    # Your relay processing logic here

    return payload

Section 2 — WoSP Networking Layer (do not modify):

Section 2 contains the WoSP connection management, egress port routing, and AMTD session establishment. It is composed and managed by Hopr. Your developers never touch it and never need to understand its internals to build correctly on top of it.

The framework guarantees that Section 1 hooks are called in the correct order. A developer filling in business logic stubs inherits full AMTD protection — session-bound encryption, continuous credential rotation, and topology-enforced microsegmentation — without writing a single line of security code.

This separation is deliberate and significant: your development team moves fast on business logic while the security layer operates beneath it, immutably, exactly as Hopr composed it.

Choosing a Security Mode

When working with Hopr to define your blueprint, you choose between two WoSP security modes. Hopr applies the mode uniformly across all pods in the generated blueprint.

Armored Tunnel (Default — All Protocols)

Armored Tunnel deploys a network-layer (L4) Envoy WASM filter that intercepts raw TCP byte streams and applies AMTD authentication before any application-layer framing is parsed. The application never receives unauthenticated traffic.

Armored Tunnel supports HTTP, WebSocket, and gRPC traffic identically. CHIPS™ credentials rotate per TCP session. This is the right choice for general-purpose API networks, streaming applications, persistent WebSocket connections, and gRPC workloads.

Armored Car (HTTP Only — Per-Request Rotation)

Armored Car deploys an HTTP-layer (L7) filter that applies a fresh CHIPS™ key rotation for every individual HTTP request, then closes the connection. Zero key reuse across requests — each call carries its own cryptographic identity.

Armored Car is HTTP only. Use this mode for high-security REST APIs where per-request credential freshness is the requirement — financial transaction endpoints, healthcare data APIs, or any surface where regulatory frameworks demand maximum credential granularity.

Every delivered blueprint README includes a Network Details table that documents the active security mode unambiguously — so the security posture is visible to every stakeholder from the moment the blueprint arrives.

Topology-Enforced Microsegmentation

One of the most powerful security properties of a Lane7 blueprint is how microsegmentation is enforced. It is worth being precise about this because it differs fundamentally from every network-policy-based approach.

When Hopr composes your blueprint, the declared connections between pods are not a description of preferred routing. They are the security policy. Undeclared connections produce no Envoy cluster entries and no network listeners in the generated manifests. There is no path for traffic to flow on an undeclared route — not because a network policy blocks it, not because a service mesh rule rejects it, but because the receiving pod's WoSP sidecar has no listener configured for that traffic.

The practical consequence: a compromised pod cannot reach any workload beyond its declared authorization footprint. An attacker inside a compromised pod cannot scan for adjacent services, probe backend databases that were not in the network description, or reach high-value internal APIs by pivoting through a compromised boundary pod. Every unauthorized connection attempt is immediately rejected and generates a security alert.

This microsegmentation is enforced at the cryptographic level — it cannot be misconfigured away, cannot be bypassed by a namespace escape, and does not depend on NetworkPolicy enforcement being correctly implemented across all nodes.

Lane7 blueprints do not rely on namespace isolation, NetworkPolicy, or service mesh configuration correctness as security primitives. These remain useful as supplementary hardening layers. The cryptographic AMTD layer is the primary control.

A Worked Example: The Agentic AI Blueprint

The most demanding Lane7 reference architecture is the 6-pod Agentic AI blueprint — a production-ready AI inference pipeline that illustrates heterogeneous protocol support, fan-out/fan-in patterns, and AMTD protection across a complex multi-hop network.

Network Architecture

The blueprint connects six pods in a secured inference pipeline:

  External Caller

       │

       ▼ HTTPS port 19000 — pinhole

  ┌─────────────┐

  │ ai-gateway  │  ← HTTP boundary entry, field validation

  └─────────────┘

       │ HTTP / WoSP port 18000

       ▼

  ┌──────────────────┐

  │ ai-orchestrator  │  ← ReAct loop dispatcher, HTTP fan-out

  └──────────────────┘

       │ WebSocket / WoSP          │ WebSocket / WoSP

       ▼                           ▼

  ┌─────────────┐         ┌───────────────┐

  │ llm-gateway │         │ tool-executor │  ← Parallel branches

  └─────────────┘         └───────────────┘

       │ HTTP / WoSP               │ HTTP / WoSP

       ▼                           ▼

  ┌──────────────────────────────────┐

  │          nlp-processor           │  ← HTTP fan-in aggregator

  └──────────────────────────────────┘

       │ HTTP / WoSP

       ▼

  ┌──────────────────┐

  │ ai-results-sink  │  ← HTTP boundary exit, results at /output

  └──────────────────┘

       │ HTTPS port 19000 — pinhole

       ▼

  External Caller (GET /output)

What the Delivered Blueprint Documents

Every blueprint arrives with a generated README containing a Pod Map that makes the network structure and security posture explicit. For this blueprint it looks like this:

| Pod ID          | Role       | Protocol  | Pinhole | Namespace                     |

|-----------------|------------|-----------|---------|-------------------------------|

| ai-gateway      | initiator  | HTTP      | Tier 2  | agentic-ai-ai-gateway-ns      |

| ai-orchestrator | relay      | HTTP      | —       | agentic-ai-ai-orchestrator-ns |

| llm-gateway     | relay      | WEBSOCKET | —       | agentic-ai-llm-gateway-ns     |

| tool-executor   | relay      | WEBSOCKET | —       | agentic-ai-tool-executor-ns   |

| nlp-processor   | aggregator | HTTP      | —       | agentic-ai-nlp-processor-ns   |

| ai-results-sink | terminator | HTTP      | Tier 2  | agentic-ai-ai-results-sink-ns |

The Network Details table documents the security posture for every stakeholder:

| Field     | Value                                                                      |

|-----------|----------------------------------------------------------------------------|

| Network   | Agentic AI Inference Pipeline                                              |

| Protocol  | Heterogeneous — HTTP (4 pods), WEBSOCKET (2 pods)                         |

| WoSP Mode | Armored Tunnel — xtra4 (per-session CHIPS rotation, persistent TCP tunnel) |

| Pods      | 6                                                                          |

What This Means for AI Pipeline Security

Three properties of this architecture are directly relevant to the risks unique to AI inference pipelines:

Prompt injection via network interception is structurally defeated. Every message between ai-orchestrator, llm-gateway, tool-executor, and nlp-processor traverses a WoSP AMTD-protected channel. Even if an attacker captures a TCP stream, the session identity rotates every 5–30 seconds — before the attacker can inject a modified payload into a captured stream.

Tool call authorization is scoped by the blueprint topology. The tool-executor pod can only communicate with nlp-processor as its downstream. The connection graph limits which workloads can be reached from any given pod. A compromised tool-executor cannot make lateral API calls to backend data services that are not in its declared authorization footprint.

LLM inference traffic is protected end-to-end. The WebSocket legs to llm-gateway and tool-executor use persistent connections with per-session CHIPS™ rotation. The Armored Tunnel applies AMTD authentication identically at L4 regardless of application-layer protocol — WebSocket frames traverse the same cryptographically protected channel as HTTP.

Your Development Work: Replacing the Stubs

The blueprint is fully functional end-to-end with the delivered stubs. All inter-pod communication, AMTD protection, fan-out/fan-in synchronization, and pinhole access work before your team writes a single line of production business logic. You can verify the network is wired correctly — confirm messages flow from gateway to sink through the trail logs — before any stub replacement begins.

When ready for production, each stub has a documented replacement target:

Pod

Stub Function

Production Replacement

llm-gateway

_llm_inference_stub()

OpenAI / Anthropic / AWS Bedrock SDK

tool-executor

_tool_dispatch_stub()

MCP tool integrations

nlp-processor

_nlp_enrichment_stub()

spaCy / Hugging Face pipeline

ai-results-sink

_webhook_dispatch_stub()

Set RESULTS_WEBHOOK_URL

ai-gateway

on_trigger()

Extend for your task schema

Deploying Your Blueprint

When Hopr delivers your blueprint, deployment is designed to be executable by a DevOps engineer in a single session. The blueprint includes everything needed:

# 1. Generate TLS certs for boundary pod pinhole listeners

#    (required for Envoy to start on boundary pods)

bash pinhole-setup.sh

# 2. Deploy — applies namespaces, secrets, and deployments

#    in dependency order

bash deploy.sh

# 3. Verify — WoSP sidecars auto-establish AMTD sessions

#    Auto-trigger sends test messages through the full network

kubectl logs -n agentic-ai-ai-results-sink-ns \

  deployment/ai-results-sink -c web-app | grep trail

The deploy.sh script handles sequencing automatically — namespaces before secrets, secrets before deployments — managing the ordering that Kubernetes engineers typically handle manually. The auto-trigger sends test messages through the full network on startup, so the trail log at the sink pod confirms end-to-end delivery before any production traffic flows.

Teardown is equally straightforward:

bash teardown.sh    # deletes all namespaces in reverse dependency order

When your network requirements change — a new workload, a different protocol, an updated access policy — you describe the change to Hopr and receive a recomposed blueprint. The updated manifests are diffable against the previous version, showing exactly what changed in the network structure and security configuration.

Honest Scope: Where Lane7 Applies Today

Lane7 Blueprints are designed for containerized, Kubernetes-native workloads. The framework is the right choice for new application networks being built on Kubernetes — microservices architectures, AI inference pipelines, event-driven processing networks, and inter-organizational API exchanges.

For teams with existing Kubernetes workloads not yet on Lane7 blueprints, the WoSP sidecar can be added to existing pod specs independently. Lane7 Blueprints are the accelerated path for new development; standalone WoSP deployment is the integration path for existing infrastructure.

For legacy, non-containerized workloads, the path runs through containerization first. If that work is already planned — as it is for most organizations on a cloud-native journey — Lane7 can be the target security architecture for the containerized version.

Multi-cluster deployments are fully supported. GPU-intensive pods — LLM inference, embedding generation — can be assigned to a dedicated GPU cluster while coordination pods run on a CPU cluster, with no application code changes required. Hopr handles the cross-cluster DNS resolution and WoSP session establishment in the composed blueprint.

The Result: Security That Scales With Your Network

The conventional mTLS workflow produces a security layer whose operational burden grows with the size and complexity of the network. More pods mean more certificates. More environments mean more CA configurations. More cross-domain connections mean more termination gaps to audit and more rotation schedules to manage.

Lane7 inverts this relationship. When your network requirements grow, you describe the updated network to Hopr. The recomposed blueprint handles the Envoy configurations, the namespace assignments, the secret injection, and the deployment ordering. The security posture of every pod in the network is identical, by construction, without additional configuration work on your part.

The security model grows stronger over time in another direction too. MAID™ identity credentials accumulate trust with every communication session. A workload that has been running and communicating correctly for six months carries a provenance record that a newly compromised or spoofed workload cannot replicate. Trust deepens automatically, without operator involvement.

This is what it means to have security built into the deployment model rather than configured on top of it: the security layer does not compete with development velocity. It is a property of the network that Hopr maintains on your behalf.

Getting Started

Describe your application network to Hopr. Tell us the workloads, how they connect, the protocols, and where your external access points are. We compose the blueprint, validate it against correctness and security rules, inject your Workload IDs and credentials, and deliver a deployment-ready package.

Your team deploys it, fills in the business logic stubs, and goes to production — without spending weeks on certificate chain configuration, CA management, or Vault integration.

Schedule a free 15-minute discovery call.

© 2024–2026 Hopr Corporation. All Rights Reserved.

Korvette-S WoSP | Lane7 Blueprint Suite | Hopr CHIPS™ · SEE™ · MAID™ technologies

Keep Reading

When Identity Is the Blast Radius

Recent cyberattacks reveal a fatal flaw in enterprise security: relying on centralized human identity providers (IdPs) for Machine-to-Machine (M2M) communication. When threat actors use cheap infostealer malware to bypass the perimeter, they weaponize static credentials to execute lateral movement, paralyzing critical business logic and the IT/OT boundary. True Zero Trust architecture requires decoupling human identity from machine identity. This article explores how Automated Moving Target Defense (AMTD) and workload security proxies eliminate static secrets. By enforcing cryptographic isolation and eradicating policy debt, organizations can secure M2M trust and protect their application networks against catastrophic credential-based breaches.

Author Avatar
Tom McNamara

March 31, 2026

The Complexity Tax for Platform Engineers and DevOps

Platform Engineers and DevOps teams are struggling with the 'service mesh' model because of massive overhead, extreme complexity, and a steep learning curve. The articles proposes a lightweight, simpler, and more integrated decentralized solution to the problem that is currently their biggest headache. They don't need the complexity of a full-blown service mesh to secure east-west traffic. The Hopr WoSP delivers the same workload-to-workload authorization without the YAML hell, and without the massive operational overhead.

Author Avatar
Tom McNamara

November 14, 2025

What Does Hopr Replace In An Enterprise Security Architecture?

Innovative solutions can often challenge conventional thinking. Conventional cyber defenses such as API Security, Firewalls, Gateways, and others exist to filter out "bad stuff" before it reaches the digital engine of your business - your application workloads and data. This article helps CISOs understand the value of the WoSP through the analogy of an automobile engine with three conventional filters.

Author Avatar
Tom McNamara

June 5, 2025

AI and the Crisis of Machine Credentials (and How to Avoid It)

Machines [also known as Non-Human Identities (NHI)] that operate within and across enterprises is exploding. Led by the emergence of Artificial Intelligence (AI) agents, these machines represent a significant risk to enterprises. The combination of static secrets, ungoverned NHIs, and autonomous AI agents is creating a perfect storm of complexity, risk, and visibility gaps. Organizations that wait for a breach before acting will find themselves overwhelmed. But those who act now — embracing ephemeral credentials, zero-trust principles, and machine-native identity security — will emerge stronger, more resilient, and future-ready.

Author Avatar
Tom McNamara

June 5, 2025

Redefining Multi-Cloud Application Networking with a Workload Security Proxy

Most enterprises operate with applications in different cloud environments and may even be part of a digital ecosystem that shares application data with third party organizations. But conventional credential management make this a complicated and vulnerable task. Hopr.co's Workload Security Proxy is a solution that simplifies and secures multi-cloud application networks.

Author Avatar
Tom McNamara

June 5, 2025

Why TLS 1.3 and Automated PKI Fall Short of Zero Trust Principles

Enterprises running sensitive business operations in the cloud confront difficult security and privacy challenges. One of them is data loss prevention. While it's true that cloud providers do offer experienced security professionals and tools, it is not true that cybersecurity will be stronger. This article explains some of the reasons why CISOs and security professionals need to take a close look at their application networks and cloud infrastructure. The good news is that innovative solutions to overcome the vulnerabilities and gaps exist and are easy to adopt and implement.

Author Avatar
Tom McNamara

June 5, 2025

Machine Identity - Avoid the Crisis

Machines operating across the Internet outnumber humans by a ratio of three-to-one. This will rise dramatically as more Internet of Things (IOT) devices arrive. Existing approaches for managing identity and trust for a massive number of machines rely on centralized and legacy solutions that won't work for the machine era. A decentralized solution capable of speed, trust, and agility is needed to avoid a crisis and enable a graceful transition to high trust machine identities.

Author Avatar
Tom McNamara

June 5, 2025

IAM in a Box

Containers are an important part of modern cloud engineering. They evoke the idea of portability and relocation. But in the cloud this is often inhibited because they become anchored to external services within a particular cloud environment, and it becomes difficult to relocate them to a different environment. This article describes how containers can be freed and portability restored.

Author Avatar
Tom McNamara

June 5, 2025

An Unintentional Secret - Automated TLS and its Zero Trust Fallacy

Transport Layer Security (TLS) and its companion, mutual TLS (mTLS) are stalwart security protocols known for encrypting communications over the Internet. When they are applied to root domains (such as is the case for Web domains and browsers) they represent identity trust. However when they are implemented with automated PKI certificates, they lose an important security quality: identity trust. Due to the speed and scale of cloud automation, the intermediate certificate authorities that issue PKI certificates eliminate vetting of the receiving identity (a containerized workload).

Author Avatar
Tom McNamara

June 5, 2025

Machine Identity - Who’s Who in the Cloud?

Identities for machines operating in the cloud, like humans in the natural world, are an important quality that is essential to trust, authorization, and authentication. Machines are identified by cryptographic material that takes the form of a certificate. But in the cloud, it is challenging to find, track, and manage the many certificates that are dynamically assigned and used. New approaches to managing machine identities in a zero trust cloud environment are needed to realize secure business operations in the cloud.

Author Avatar
Tom McNamara

June 5, 2025

Keeping Secrets Is Hard

Keeping secrets is hard because they have to stay secret to deliver security. And for machines and workloads in the cloud the consequences to lost secrecy can ripple through the entire business and bring down many digital operations in an instant. Leakage of digital secrets occurs almost naturally over time; disclosure eventually happens and secrecy is lost. But the risk of lost secrecy and the impact to cloud operations is minimized with the right tools.

Author Avatar
Tom McNamara

June 5, 2025

Subscribe to our newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Case StudiesHow It WorksUnique FeaturesPricingContact usSecurityWeb Retriever OSSAboutPrivacy policiesTerms of service
Hopr provides true Zero Trust access control for workloads and APIs, powered by a Cloud Native Automated Moving Target Defense.

We use ephemeral machine identities, credential hopping, and application-layer post quantum end-to-end encryption of data in transit.

And Hopr verifies identity trust at every API transaction and eliminates the risks from static credentials across clouds, clusters, and organizations.

And Hopr's novel Korvette-S Workload Security Proxy (WoSP) is simple and fast to deploy into a Zero Trust application network using a FREE Lane7 Blueprint.
Copyright 2021-2026 | Hopr Corporation
CHIPS™, MAID™, SEE™, and Cloud Native AMTD™
are protected by US Patents and patents pending.