Failure Pattern
Cloud native systems depend heavily on metadata for identity. Attackers manipulate metadata to impersonate workloads.
What We See in the Field
A compromised node changes its labels or tags and gains access to sensitive services. Cloud native systems treat it as legitimate because its metadata matches the access rules.
Underlying Causes
Label-driven access control
Metadata drift
Orchestrator inheritance
No verification of underlying workload
Attackers manipulating cloud metadata APIs
Trust-Native Network Resolution
DTL ties identity to cryptographic fingerprints rather than to labels, so manipulating metadata gains an attacker nothing: policies evaluate the actual workload identity.
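The contrast between label-driven access control and fingerprint-bound identity, as an added Go example (not DTL's code or API): a label policy admits any workload whose labels match, while a fingerprint policy pins the SHA-256 of the workload's public key and requires a signature over a verifier-chosen nonce. The local key generation, the names and the fixed nonce are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
)

// Workload is what a node presents when asking for access: orchestrator labels (rewritable on a compromised node) plus a key pair it can prove it holds.
type Workload struct {
	Labels map[string]string
	Pub    ed25519.PublicKey
	Priv   ed25519.PrivateKey
}

// NewWorkload mints a key locally for the demo; in a real deployment the key would be issued at attestation time (assumption, not DTL's design).
func NewWorkload(labels map[string]string) Workload {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return Workload{Labels: labels, Pub: pub, Priv: priv}
}

// Fingerprint is SHA-256 over the raw public key: what a policy pins instead of a label.
func Fingerprint(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }

// LabelPolicy is label-driven access control: matching labels suffice, whoever set them.
func LabelPolicy(w Workload, required map[string]string) bool {
	for k, v := range required {
		if w.Labels[k] != v {
			return false
		}
	}
	return true
}

// FingerprintPolicy never reads labels: the presented key must be pinned and the caller must prove possession by signing the verifier's nonce.
func FingerprintPolicy(w Workload, nonce, sig []byte, pinned map[[32]byte]bool) bool {
	return pinned[Fingerprint(w.Pub)] && ed25519.Verify(w.Pub, nonce, sig)
}

// Scenario: two workloads carry identical labels, but only one holds the pinned key.
func Scenario() (labelsFooled, impostorRejected, legitAccepted bool) {
	rule := map[string]string{"app": "payments", "tier": "backend"}
	legit, impostor := NewWorkload(rule), NewWorkload(rule) // same labels, different keys
	pinned, nonce := map[[32]byte]bool{Fingerprint(legit.Pub): true}, []byte("constructed-nonce") // use fresh random bytes per request
	return LabelPolicy(impostor, rule),
		!FingerprintPolicy(impostor, nonce, ed25519.Sign(impostor.Priv, nonce), pinned),
		FingerprintPolicy(legit, nonce, ed25519.Sign(legit.Priv, nonce), pinned)
}
```

Scenario returns true, true, true: the label policy admits the impostor, the fingerprint policy rejects it and still admits the legitimate workload.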
Broken Trust Assumption
The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.
During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.
This is the risk of trust inferred from credentials, location, or prior authentication.
