Skip to main content
banner image
venafi logo

Certificate Management for DevOps

Certificate Management for DevOps

certificate-management-for-dev-ops
December 23, 2020 | David Bisson

Digital transformation is driving today’s business. Adopting a DevOps framework is no longer a future possibility for most businesses but has been firmly embraced by organizations everywhere.  According to GlobeNewswire in April 2020, DevOps market valuation is estimated to reach $17 billion by 2026. Such growth will help organizations increase their business productivity by meeting market demand for quickening application delivery schedules.

Embracing DevOps doesn’t just help organizations stay current in a changing world. Pluralsight makes the point that DevOps can also help to benefit operations teams that haven’t invested the same amount of time and resources in building agile work processes. In effect, organizations can use DevOps to help operations personnel release software at the same pace with which it’s developed.

They can also further assist developers in reaching their deadlines by shifting their development model away from big releases to gradual releases. In this type of framework, developers and technologies can use automation to save time and address issues week by week without sorting through multiple problems at one time right before the application is released.

Understanding DevOps’ Security Challenges

Notwithstanding the benefits discussed above, DevOps is creating new security risks for organizations. As noted by CCSI, organizations need to keep their data secure while they’re moving to the cloud in support of DevOps. In addition, because DevOps focuses on machine automation, machine-to-machine communication must be secured.  Machine-to-machine communication is usually secured with digital certificates and encryption keys such as X.509 certificates, SSH keys, tokens, and code signing keys. Failure to protect these digital credentials could result in an attacker breaching the DevOps pipeline to disrupt an organization’s operations and/or make off with its sensitive information.

The Pluses and Minuses of Digital Certificates for DevOps

Organizations need to be able to trust what’s going on in their DevOps processes. In response, many are embracing digital certificates as a means to foster security. These electronic credentials already help organizations to protect other parts of their infrastructure using a pair of encryption keys. Subsequently, organizations are looking to these assets to protect their secrets and DevOps-related information.

There’s just one problem: using digital certificates with DevOps isn’t as straightforward as it might appear. One of the main issues is that digital certificates may aggravate an already pertinent DevOps security issue: the challenge of trying to balance security and speed. In a traditional development model, security teams take their time testing an application at the end of the pipeline before it is launched into production. Spreading this security testing throughout the development process could make it more difficult for DevOps teams to meet their deadlines.

Along this same line of thinking, requiring DevOps pipelines to obtain trusted certificates via manual requests undermines the agility of the software development lifecycle. This is especially a problem with containers, notes DevOps.com. Containers aren’t up for long, so if manual requests for certificates take days to complete, organizations might find themselves in a position where they’re forced to slow down their software delivery processes.

DevOps professionals share this same worry. In a December 2019 Venafi survey, three-quarters of respondents expressed their concern that policies for issuing certificates slow down development. Over a third (39%) of survey participants went on to voice their opinion that developers should be able to circumvent those policies to meet those deadlines.

Sidestepping recognized security best practices pose a danger to the organization. Indeed, if team members decide to purchase certificates on their own or set up rogue PKIs, they add more encryption assets that security teams need to manage.

Venafi notes elsewhere that attackers could pose as the legitimate owner of a key set in order to steal a victim’s sensitive information. They could also use those keys to sign malicious software to overcome browser filters and other security mechanisms that help to block malware.

The presence of more keys and certificates increases complexity, which raises the possibility of the organization experiencing a certificate outage and/or an attacker misusing an expired certificate for all kinds of nefarious purposes. To counter this tsunami of new certificates, organizations need certificate management solutions that bridge the gap between traditional IT and DevOps development cycles.

Certificate Management Best Practices for DevOps

Acknowledging the threats discussed above, organizations need to follow best practices in managing certificates for their DevOps. They can begin by following the guidance of NIST’s Special Publication 1800-16, “Securing Web Transactions: TLS Server Certificate Management,” in creating a certificate management program. Another useful NIST publication for securing machine identities is one of the best practices for protecting code signing credentials: “Security Considerations for Code Signing.”

They can then tailor these best practices specifically for DevOps by incorporating automation into their certificate management processes, notes DZone. In particular, organizations can consider using a catalog of recipes, or collections of automation driven through APIs, to orchestrate the steps that are required to use keys and certificates. Such recipes work across development and orchestration environments, thereby improving visibility across multiple environments.

Speaking of visibility, organizations can invest in machine identity management solutions that enhance their ability to discover where all application certificates are being used. This will help security professionals find violations of the organization’s security policies and address any unauthorized certificates they find before these encryption assets cause a problem. And if it’s implemented strategically, it will also give developers the freedom they need to meet aggressive SLAs.
 

 

Learn how Venafi’s platform can help organizations manage all of their keys and digital certificates for their DevOps processes.


Related posts

Like this blog? We think you will love this.
shannon-lietz-devsecops-interview-with-venafi
Featured Blog

Why We Need DevSecOps [Interview with Shannon Lietz]

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat