
Understanding Certificate Security Issues in DevOps: Protecting Machine Identities in Hybrid Clouds [Part 2]

November 11, 2019 | Guest Blogger: Anastasios Arampatzis


What Enterprises and Experts Say about Hybrid Cloud

In my first post in this series, I discussed factors that are driving the growth of hybrid clouds. And now I’d like to highlight some of the reasons that growth is troubling for machine identity protection.
 

At Venafi we like to listen to what our customers say. And increasingly, they say that “We are moving everything to the cloud.” They are taking all of their applications and data out of the physical on-premises servers to cloud environments. Because of this cloud migration, our customers argue that “We don’t need to manage as many certificates in our data center” because “We’ll just use native certificate management tools from our cloud provider.”
 


This is exactly what surveys on hybrid cloud adoption highlight. A Forrester report titled “Top 10 Facts Every Tech Leader Should Know About Hybrid Cloud” says that “74% of North American and European enterprise infrastructure decision makers defined their strategy as hybrid.” In addition, Forrester found 62% of public cloud adopters are using more than two unique cloud environments/platforms.
 

The question we need to ask at this point is why organizations embrace hybrid cloud. Gartner points out that there is an increasing demand to “democratize software”, hence “organizations seek interoperable functionality that enables highly integrated, synchronized and orchestrated hybrid environments” and for this reason “IaaS and PaaS are driving the next wave of cloud infrastructure adoption.”
 

Interoperability, synchronization, and orchestration

Interoperability, synchronization, and orchestration are the root causes behind hybrid cloud adoption. How can enterprises manage a multi-cloud or hybrid cloud environment? The ideal would be “to have a coordinated approach to multicloud management and governance. This includes enabling standardization of some policies, procedures and processes.” The latter highlights the importance of having a policy in a hybrid cloud environment.


 

 

What are the Ramifications of Hybrid Cloud to Machine Identities?

It is important to understand that even though the means in a public or hybrid cloud environment are different from those in a traditional, on-premises environment, machines are still the same non-person entities (NPEs). Machines are devices, be it desktop computers, mobile devices, IoT sensors or devices, or servers such as load balancers, Apache and web servers, IIS servers, and databases. In addition, machines could be code, not only running on devices, but also running in a more abstract way in a serverless environment. Finally, machines are also services, like APIs, and algorithms or blockchains. Identities for these machines are established by TLS/SSL certificates, SSH keys, code-signing certificates, or mobile and IoT certificates.
 


The biggest challenge to be met, though, is the heterogeneous nature of public and/or hybrid cloud service providers. Hence, poor planning for easily predicted problems and inconsistencies in the adopted hybrid cloud strategy increase the complexity of managing machine identity certificates.
 

Managing machine identities effectively and centrally is one of the biggest challenges enterprises face. The number of outages due to poor certificate management and expired certificates is growing. Ericsson, the Conservative Party in the UK, Pokemon Go and LinkedIn have one thing in common: they have all suffered outages due to expired certificates. Certificate expiration was one of the main reasons for the massive 2017 Equifax breach.
 

Myths and Misconceptions

When speaking about certificate management and the services provided by various cloud providers, there are certain myths and misconceptions that shape the way enterprises make decisions. First of all, enterprises believe that cloud providers actually offer native certificate management services and that, therefore, they don’t need solutions like the ones offered by Venafi. Unfortunately, this isn’t true.
 

Public cloud providers are making it pretty simple to get certificates to infrastructure that’s native, such as Amazon Elastic Load Balancers or CloudFront for AWS, but when it comes to non-native infrastructure such as hosted F5s, certificate services are not built-in or are not set up to auto-renew. In addition, public cloud providers cannot serve the needs of security and enterprise-wide certificate management; rather, they are configured to make things as easy as possible for application development teams that want to move fast. Security teams in large enterprises are running into huge challenges because DevOps teams often independently set up AWS and Azure accounts. In some organizations, there may be 2,500 AWS accounts and 1,500 Azure accounts! That many different cloud accounts makes it impossible for security teams to enforce the usage of certificates that comply with policy. As a result, security teams are left in the dark with no way to enforce policy or get the visibility and reporting they need to respond to compliance and audit checks.
 


Another myth is that when moving to the cloud, enterprises can use the same type of infrastructure for certificate management as on-premises. Effectively, what happens is that they are shifting the certificate management problem from on-premises to the cloud. Same problem, different location. It is important to understand that most large organizations, despite “moving to the cloud”, will continue to have infrastructure on-premises. Therefore, a machine identity protection platform that can manage certificates across both on-premises and cloud infrastructure is still needed.
 

Does Security Slow DevOps Down?

DevOps' perception of security as a factor that slows them down has made it difficult for security teams to be involved in the early stages of software development. The lack of information security tools that DevOps teams can easily adopt has forced them to adopt tools and services they feel comfortable with. However, the use of these tools creates more challenges and risks for the information security community: lack of control and visibility of the required machine identities, non-compliance with existing policies, inability to audit or remediate, weak certificate usage and unprotected keys. So the question that arises is “How can more secure machine identities increase speed?”

 


Finally, Forrester says that 74% of organizations are leveraging a hybrid or multi-cloud strategy. If your corporate strategy caters for cloud agility, why should your certificate strategy be pinned to one cloud provider? Organizations that want to be agile and avoid vendor lock-in need a cloud-agnostic solution that not only provides the ability to centrally enforce security policy but also the ability to standardize how certificates are issued and installed so that applications can truly live within one or more clouds, without fear of breaking or slowing operations.
 

So what can you do about protecting machine identities in hybrid clouds? Watch for our next post on security strategies for the hybrid cloud.


 


 

About the author

Guest Blogger: Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
