Skip to main content
banner image
venafi logo

Why Manually Managing Machine Identities Destroys DevOps Automation

Why Manually Managing Machine Identities Destroys DevOps Automation

image of a bored man in a bowtie typing with his finger on a keyboard
June 18, 2020 | Guest Blogger: Kim Crawley

The term DevOps hasn’t been around very long. Patrick Debois may have coined the term when he launched the devopsdays conferences in 2009. But it’s a very useful concept. Software developers need to work with information technology teams within organizations in order to maintain their software and overall coding. New patches, fixes, and features must be optimally deployed to respond to the immediate needs of a network. Effective DevOps can keep a network at top functionality with proper security. And it’s not a “set it and forget it” paradigm. Effective DevOps is work that must be done constantly to keep a network operating in the best interests of an organization every day.


An environment of constant change

We need DevOps because networks are becoming increasingly advanced, but also increasingly complex. Network applications and services have become ever more numerous. More and more is being done with the cloud, with machine learning, with virtualization and with automation. Applications which were once monolithic are now modular with many shared services. Where organizations used to rely on a smaller numbers of physical machines, they now grapple with greater numbers of often virtualized machines with short lifecycles and lots of cross application dependence. Datacenters which used to be completely on-premises are now partially or completely in the cloud. Sporadic releases must now evolve to become more frequent and agile to respond to fast changing networks and computing needs. A few large servers have now given way to greater numbers of often virtualized or containerized servers.

In this environment of constant change, manually managed machine identities is becoming really impractical, possibly even problematic. If DevOps try to get in the middle of rapidly changing network environments, where some network entities may have a lifespan of only a few days, chaos ensues. DevOps team members will be over-burdened with many forms of access control changes, secrets rotation, security updates, support tickets, deployment requests and network reconfiguration. 


Each container or machine will require a machine identity in order to properly authenticate throughout the network. They can take the form of certificates, keys, or other forms of access tokens. Containers, microservices, and virtual servers are constantly deployed, and they also are constantly “killed.” Imagine having to manually manage machine identities in that sort of environment! The old-fashioned ways of managing machine identities are no longer practical, or even feasible.

Trying to manage machine identities manually

Inevitably if DevOps try to manage machine identities manually these days, some specific cybersecurity problems will arise. For one, DevOps are expected to be agile, and agility is obviously lost when they have to do more manual work. Time spent tinkering with key management is time not spent developing and deploying patches or other improvements. Untracked certificate expirations leave stray access tokens free for the taking by possible cyber attackers. That’s right, manual machine identity management techniques, which were better suited for yesterday’s networks, make it easier for cyber attackers to spoof trusted machines within a network. DevOps teams also have to do a lot of different things at once. Under pressure to meet deadlines to deploy new features and fixes, if they have to manually manage machine identities in the process, they may not be able to take the time needed to configure them effectively.

DevOps can work much more quickly, more efficiently, and be much more agile when proper automation systems are implemented for machine identity deployment. Role-based access control (RBAC) systems are more responsive to the dynamic demands of privileged access management. DevOps teams can make their jobs much easier and make their networks much more secure if they thoroughly embrace automation in their authentication systems.

As much as possible, DevOps should work with properly secured test certificates rather than production certificates. That way, cyber attackers can’t easily hijack development and testing environments to access larger code repositories and machine identities throughout the organization.

DevOps teams can also improve the secure functioning of their networks by having systems built for continuous monitoring, enabling them to release code in smaller chunks for faster and more efficient deployment. Smaller patches and fixes are also less likely to have bugs which can introduce new security vulnerabilities. If new bugs are released, they can be found and patched much quicker.

Automate - as much as possible

Ultimately the best way for DevOps to improve their usage of machine identities is to automate as much as possible. But implementing that automation must be done with great care. Human error can also be removed from the equation. And automation helps keep applications more secure throughout the development lifecycle, with new certificates automatically being assigned to applications when they request them.

Want to learn more about the benefits of automating machine identities for your DevOps teams? Watch this video.


Related Articles


Like this blog? We think you will love this.
Featured Blog

A Guide to Popular DevOps Tools and How They Work

What is Infrastructure as Code (IaC)?

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Guest Blogger: Kim Crawley
Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more