Skip to main content
banner image
venafi logo

Will the Rise of DevOps Lead to a Decline in Machine Identity Protection?

Will the Rise of DevOps Lead to a Decline in Machine Identity Protection?

devops vs security
June 12, 2018 | Terrie Anderson

Let’s face it, business has changed quite a lot over the past 10-15 years. 15 years ago, the IT department was quite powerful. By the IT department I mean everyone in the CIO’s department. However, because IT projects tended to be long, drawn-out affairs, they were somewhat slow in delivering the technology that was needed for innovation. As a result, the business units started to take over responsibility for pushing their own IT development projects ahead.

This was the birth of DevOps. And with the success of continuous development, we’ve seen the development teams increase their influence, as well as power and authority, within organizations. The rapid-fire results that they have been able to deliver have become so important to business results that other groups within IT hesitate to do anything that might slow them down. But this hesitation can lead to some problematic trade-offs resulting from conflicting priorities within security and IT departments.

Today, DevOps teams are so powerful that they can actually stop IT teams from deploying technology.

Here’s an example, which came out of a conversation I had with a CIO just the other day. He mentioned that one of his DevOps teams was stopping part of the Venafi deployment that was ultimately going to help DevOps teams! This particular DevOps team was so focused on solving the immediate compromised certificate issue, that they didn’t want to allow testing for a solution that would actually help them speed things up and prevent future occurrences of the same problem. The DevOps team’s commitment to timely results, for their business outcome, rendered the IT team powerless to keep the deployment moving forward in time to help the DevOps team achieve a longer term, positive outcome.

That’s when I started to wonder if the immediate value of DevOps might come at the expense of some longer-term IT and security projects. In the case of machine identity protection, this certainly seems to be true. Very few DevOps people actually understand the technology around certificates—how to use them properly and how to ensure that the appropriate security configurations are applied. They just can’t slow down enough to learn about how important certificates are in protecting the machine identities of their containers, clusters and microservices.

For DevOps teams, certificates are just something that they have to use. Simply put, developers are generally not security people. To them a certificate is a certificate is a certificate. It’s just a checkmark in the process. Perhaps, they will engage as far as asking, “Is there a certificate in there? Yeah. There’s a certificate in there. We’re good to go then.” But that’s pretty much it.

But that lack of awareness can have far-reaching impacts. If no one is thinking about the bigger security picture, then nobody is thinking about whether the same private key is signing thousands of servers. That’s how you can get virtual servers spun up with the same certificate used and reused and reused over and over. And nobody knows where that certificate is anymore. When the original certificate expires, it is impossible to be sure you have renewed ALL the copies.

It’s easy to speculate why this is happening. Keys and certificates are a relatively old technology that is being used to secure innovative new technological breakthroughs. This attitude is particularly applicable to new DevOps practitioners, who are sourced from GenX and Millennial talent pools. They’re like, “What is this stuff? Why is it still here? Oh. We have to have this but why isn’t there something better?”

But the reality is that the value of a technology often has very little to do with how old or new it is. This is certainly true of PKI and has a real impact on machine identity protection. As I wrote in a previous blog, “Instead of becoming less relevant, PKI is becoming more relevant as we increase our adoption of cloud and DevOps infrastructure. Both of these technologies consume large numbers of certificates that are only used for short periods of time.” The reality is that no one has been able to develop an alternative that is as ubiquitous and easily deployed, or one that is as cost effective.

PKI is not going to die. And it’s not likely that there is going to be a replacement anytime in the near future. Given the long-term importance of PKI to the protection of machine identities, it’s critical that we equip developers with easier ways to incorporate the safe use of certificates into their DevOps processes. Equipping developers with self-service certificate portals can help speed up the development process and, at the same time, help ensure integrity and compliance of the security attributes of your certificates. And integrating secrets acquisition into DevOps recipes will help foster best practices in applying keys and certificates to development efforts.

As your DevOps teams become more powerful, funded and supported by the business, outcome focused, rarely project or process focused and begin to call more of the shots, make sure that they don’t inadvertently shoot down security.

Related blogs

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

machine identity security automation

Are You Leaving Your Machines Naked and Afraid?

certificate management costs

Management Mayhem, Part 3: How to Avoid the Hidden Costs of Certificate Management

Australia encryption backdoor law

Australia’s New Encryption Laws Are Disappointing

About the author

Terrie Anderson
Terrie Anderson

Terrie is Country Manager (ANZ) for Forescout Technologies Inc., and a speaker and futurist in Digital Enterprise Leadership, Cyber Security Strategy and Workplace of the Future.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat