
3 Steps that Stop the Speed of DevOps from Introducing Security Risk

June 22, 2016 | Gavin Hill
Key Takeaways
  • DevOps strives to deliver faster response times, increased customer satisfaction, and better operational efficiency
  • But, to ensure Fast IT, DevOps often avoids encryption due to slow, manual key and certificate provisioning
  • You don’t need to sacrifice security to increase the speed of your DevOps delivery
  • Automation, visibility, and integration of key and certificate provisioning secures DevOps at the speed of business

The digital world is changing the way businesses work with their customers, partners, and employees. This digital transformation leverages DevOps speed, agility, and innovation to capitalize on market opportunities and create competitive differentiation in the application economy. However, information security has been notably absent from the DevOps movement because security is viewed as hindering speed of delivery. But speed doesn’t have to compromise security.


Business benefits of DevOps

There are clear benefits to leveraging DevOps for the enterprise:

  • Faster response times address market changes or customer requirements more quickly. Companies that have embraced a DevOps methodology increased their speed to market by 20%.
  • Increased customer satisfaction is achieved through frequent product updates based on continuous feedback from users.
  • Better operational efficiency due to automation has resulted in more than 60% of organizations adopting DevOps approaches.

Why security is often lacking in DevOps

So why is it so hard to implement good security practices like encryption for DevOps? The primary reason is that acquiring keys and certificates in a DevOps environment takes too long and creates bottlenecks, so DevOps teams often avoid using encryption unless it’s critical. And when they have to include encryption, the DevOps teams do it themselves without giving IT security teams visibility or control.


How to eliminate the security risks introduced by DevOps

Nearly 80% of CIOs are concerned that DevOps makes it more difficult to know what’s trusted and what’s not. Let’s review how the lack of visibility or control of keys and certificates can negate the benefits of DevOps and how to address these issues to get the most out of your DevOps efforts:

  • Automate security to support Fast IT
    Faster response time to market changes may help increase the bottom line, but 25% of app costs are wasted, including resources spent on manually acquiring keys and certificates. This is valuable time wasted that directly impacts project delivery schedules.

    Recommendation: Implement procedures to automate the creation and distribution of encryption keys and certificates throughout the build process so that DevOps teams don’t have to do it themselves. By doing so, IT security will be able to align with Fast IT practices while decreasing the number of vulnerabilities potentially introduced via manual processes.
     
  • Get visibility into keys and certificates to ensure service availability and customer confidence
    Customer satisfaction is an ongoing endeavor; one service outage and your customer satisfaction rating can plummet. Failure to track expiration dates for certificates used for HTTPS services can result in an average downtime cost of up to $1 million per hour.

    DevOps teams are not PKI experts, nor should they be. However, in most cases, DevOps teams acquire and install certificates themselves and IT security teams don’t know about the certificates to track them.

    Recommendation: Make sure you are able to discover where all application certificates are being used and bring them under IT security control. Then you can apply policies to certificates and track expiration dates to avoid service outages and maintain customer confidence.
     
  • Integrate key and certificate provisioning with DevOps builds
    The improvement of operational efficiency is a primary driver for DevOps. For legacy IT practices, it’s acceptable to spend 4.5 hours to provision each certificate manually. However, for New IT and DevOps teams, relying on a UI to acquire and install keys and certificates simply takes too long. They need to be able to integrate provisioning of keys and certificates as part of the automated build process to deliver thousands of certificates in a matter of seconds; nothing less will suffice.

    Recommendation: DevOps teams are accustomed to using APIs. Make use of recipes that utilize APIs to fully automate the process of provisioning keys and certificates.
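
As an added illustration of the second recommendation (not code from the original post or from Venafi), this Go program scans a PEM bundle, as a build step or scheduled job might, and returns every certificate that is already expired or expires within a chosen window. The function names, host names and the 30-day window are assumptions, and the sample certificates are constructed in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ExpiringWithin returns every certificate in a PEM bundle that is expired or expires within window of now.
func ExpiringWithin(bundle []byte, now time.Time, window time.Duration) ([]*x509.Certificate, error) {
	var due []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // private keys, CSRs and other blocks are not tracked here
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("unparseable certificate in bundle: %w", err)
		}
		if cert.NotAfter.Sub(now) <= window { // also true for already-expired certificates
			due = append(due, cert)
		}
	}
	return due, nil
}

// sampleCert builds a constructed, self-signed test certificate (not a real inventory entry).
func sampleCert(cn string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture only; a nil key panics below
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now, day := time.Now(), 24*time.Hour
	bundle := append(sampleCert("build-agent.example.test", now.Add(10*day)), sampleCert("api.example.test", now.Add(200*day))...)
	due, err := ExpiringWithin(bundle, now, 30*day)
	fmt.Println(len(due), "certificate(s) need renewal; error:", err)
}
```

A malformed certificate block is returned as an error rather than skipped, so a pipeline that runs this check fails closed instead of silently losing track of a certificate.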

By implementing these recommendations, you gain the advantage of faster project completion time without compromising security. By implementing controls and automation for keys and certificates you can remain secure while keeping DevOps moving at the speed of business.

How does your DevOps team provision keys and certificates? Is this process slowing down your DevOps delivery or leaving services insecure? Please share your challenges and solutions.
