Despite the maturity of their programs, many DevOps teams can introduce cryptographic security risks into their environments.
Security compromises in development or test environments can easily spread to production systems and applications. Cyber attackers often target a DevOps team's unprotected certificates and misuse them to hide in encrypted traffic; a recent report from A10 Networks found that 41% of cyber attacks used encryption to evade detection.
DevOps tends to live outside the purview of standard security strategies. So, are security teams comfortable with how DevOps teams handle cryptographic risks? Venafi recently conducted a study analyzing the security practices of DevOps teams. Respondents included over 430 IT professionals responsible for cryptographic assets in companies with DevOps programs. Unsurprisingly, the study revealed that many organizations fail to enforce vital certificate security measures in their environments.
This lack of enforcement was especially acute among organizations that were in the midst of adopting DevOps practices. However, even organizations that said their DevOps practices were mature often did not follow security measures designed to protect cryptographic keys and digital certificates.
Interesting highlights from the survey included the following:
Kevin Bocek, chief security strategist for Venafi, offered his thoughts on the survey results: “It’s clear that most organizations are still struggling with securing the cryptographic keys and digital certificates used to uniquely identify machines. Although DevOps teams indicate that they understand the risks associated with TLS/SSL keys and certificates, they clearly aren’t translating that awareness into meaningful protection. This inaction can leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.”
Tim Bedard, director of threat intelligence and analytics for Venafi, stressed that the security of keys and certificates requires more attention: “If the keys and certificates used by DevOps teams are not properly protected, cyber criminals will be able to exploit SSL/TLS keys and certificates to create their own encrypted tunnels. Or attackers can use misappropriated SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.”
For a full breakdown of the survey results, please visit: https://www.venafi.com/research/mature-devops-study
Does your DevOps team effectively address key and certificate risks?