DevOps strives to deliver faster response times, increased customer satisfaction, and better operational efficiency
But, to ensure Fast IT, DevOps often avoids encryption due to slow, manual key and certificate provisioning
You don’t need to sacrifice security to increase the speed of your DevOps delivery
Automation, visibility, and integration of key and certificate provisioning secures DevOps at the speed of business
The digital world is changing the way businesses work with their customers, partners, and employees. This digital transformation leverages DevOps speed, agility, and innovation to capitalize on market opportunities and create competitive differentiation in the application economy. However, information security has been notably absent from the DevOps movement because security is viewed as hindering speed of delivery. But speed doesn’t have to compromise security.
So why is it so hard to implement good security practices like encryption for DevOps? The primary reason is acquisition of keys and certificates in a DevOps environment takes too long and results in bottlenecks—so DevOps teams often avoid using encryption unless it’s critical. And, when they have to include encryption, the DevOps teams do it themselves without giving IT security team’s visibility or control.
How to eliminate the security risks introduced by DevOps
Nearly 80% of CIOs are concerned that DevOps makes it more difficult to know what’s trusted and what’s not. Let’s review how the lack of visibility or control of keys and certificates can negate the benefits of DevOps and how to address these issues to get the most out of your DevOps efforts:
Automate security to support Fast IT
Faster response time to market changes may help increase the bottom-line, but 25% of app costs are wasted, including resources spent on manually acquiring keys and certificates. This is valuable time wasted that directly impacts project delivery schedules.
Recommendation: Implement procedures to automate the creation and distribution of encryption keys and certificates throughout the build process so that DevOps teams don’t have to do it themselves. By doing so, IT security will be able to align with Fast IT practices while decreasing the number of vulnerabilities potentially introduced via manual processes.
Get visibility into keys and certificates to ensure service availability and customer confidence
Customer satisfaction is an ongoing endeavor; one service outage and your customer satisfaction rating can plummet. Failure to track expiration dates for certificates used for HTTPS services can result in an average downtime cost of up to $1 million per hour.
DevOps teams are not PKI experts, nor should they be. However, in most cases, DevOps teams acquire and install certificates themselves and IT security teams don’t know about the certificates to track them.
Recommendation: Make sure you are able to discover where all application certificates are being used and bring them under IT security control. Then you can apply policies to certificates and track expiration dates to avoid service outages and maintain customer confidence.
Integrate key and certificate provisioning with DevOps builds
The improvement of operational efficiency is a primary driver for DevOps. For legacy IT practices, it’s acceptable to spend 4.5 hours to provision each certificate manually. However, for New IT and DevOps teams, relying on a UI to acquire and install keys and certificates simply takes too long. They need to be able to integrate provisioning of keys and certificates as part of the automated build process to deliver thousands of certificates in a matter of seconds—nothing less will suffice.
Recommendation: DevOps teams are accustomed to using APIs. Make use of recipes that utilize APIs to fully automate the process of provisioning keys and certificates.