Security is undergoing a ‘shift left’ as secrets management is increasingly moved into the CI/CD pipeline. But without properly securing the automated build, test and deployment tools of DevOps, those secrets could leak. In this blog, we will walk through how secrets define identities, the challenges of securing identities within DevSecOps automation, and what can be done to ensure their safety within that environment.
You prove identity by validating credentials; secrets are the digital credentials used for that purpose. With the proper validation, you can authenticate a user (human or machine) and authorize them to access privileged services, accounts, and applications. Therefore, securing secrets is a priority because internal network access rests on secrets.
As machines and humans both have identities that require authentication, the list of credentials to keep track of and protect can include:
To ensure the safety of these credentials, developers first need to know where they are within the Continuous Integration/Continuous Delivery (CI/CD) pipeline, and then how to configure, manage and deploy the credentials correctly. As you can imagine, the number of identities requiring validation within a fast-moving DevOps environment can be myriad.
DevOps is born of speed, and to that end, technologies like Ansible, Puppet, Chef and Jenkins are used to bring process and product closer together. However, to be able to do so, these tools must be the hub of thousands of services, machines and applications that comprise the Development and Operations lines.
It’s no surprise then that “CI/CD tools are the biggest consumers of secrets and have access to a lot of sensitive resources such as other apps and services and information like codebases and databases,” as Identity Defined Security Alliance states in a recent blog post. And “as the number of secrets grows, it becomes harder to store, transmit, and audit secrets securely.”
The problem is exacerbated by the complexity of the development process as well. While once you only needed to authenticate between tools, now it is not uncommon for virtual machines, services, or other resources to be able to authenticate to each other during the build process, just to get the job done. As Identity Defined Security Alliance states, “this is particularly important in hybrid cloud and microservices deployments, and with the automated scaling capabilities of tools like Kubernetes.”
Processes need to stay agile, and if authenticating during build time is cumbersome or friction-heavy, chances are those security processes (as important as they are) might get overlooked, carelessly done or omitted entirely.
What can be done to ensure we keep the ‘Sec’ in DevSecOps, without compromising speed, efficiency and agility?
To secure your CI/CD pipeline and all secrets on it, you need complete visibility and monitoring across the length of the toolchain. This includes locking down configuration managers, systems where repositories are hosted, and build servers. Here are several best practices:
Managing identities – both human and machine – within the context of a DevOps environment is an inevitable reality of the digital revolution.
Jetstack Secure is the Kubernetes machine identity management solution that provides automated PKI protection at the speed of DevSecOps. It gives you control and visibility over your X.509 certificates, allowing you to control their configuration status automatically across Kubernetes and OpenShift clusters. Jetstack Secure provides developers a consistent deployment process with workload security built in, rooting out poorly configured certificates and alerting you so you can take action to defend your secrets.
Use Jetstack Secure to proactively monitor ingress from inside the cluster and get ground-level visibility that allows you to use your existing PKI to control workload security across the service mesh.
Keeping track of secrets – be they human or machine identities – across today’s complex architectures is only possible with the right solutions. As organizations rush to the cloud, hybrid environments, containerization, virtualization and everything else encompassed in the DevOps sweep, it is important that security maintains a primary role.
Jetstack Secure gives you the automated security solution designed to keep up with change and allow you to continue to evolve quickly, viably and securely into the digital age.