DevOps is made up of developers, who focus on application development and patch deployment, and IT teams, who focus on running applications within the network infrastructure and meeting clients' performance expectations. DevOps is a wonderful model for continuously delivering and maintaining network-based applications in a responsive, efficient, and dynamic manner. DevOps thrives when each participant focuses on the tasks they're best qualified to do, in constant communication and collaboration with all the other teams involved.
Developers know that bugs are inevitable in all code, and new software features frequently need to be delivered to suit the changing needs of business clients. DevOps works best when changes can be made to software as quickly as possible. Unfortunately, when there aren't sufficient security practices and systems in place, the speed expected of DevOps can lead to massive vulnerabilities and exploits. Several recent incidents are described in Learning From Data Breaches: Integrating Security in DevOps:
“On September 6, 2018, airline giant British Airways disclosed that the company had suffered a data breach that affected the personal and financial data of approximately 382,000 customers. A similar breach was reported by Ticketmaster in June of 2018, and this month marks the one-year anniversary of the Equifax data breach, wherein half of the US population was impacted. A common denominator of all these data breaches is the speed at which code was published.”
“Companies jump into the DevOps bandwagon with an assumption that automation is the sole driver for adoption. However, these data breaches are strong evidence that it takes a blend of automation, cultural change, and the integration of security processes throughout the development lifecycle to achieve effective layered security in such agile environments.”
Manual machine identity deployment contradicts the main objective of DevOps: to deliver and maintain applications in an agile and dynamic manner. Role-based access control is also a lot more effective when the possibility of human error is taken out of the TLS certificate process. And DevOps teams are usually under a lot of pressure to deploy patches, application improvements, and new features. Clients want their needs and feedback to be responded to as quickly as possible. Under those circumstances, the risk of human error in manual machine identity configuration is even greater.
That's why security must be built into every aspect of the DevOps lifecycle. Development and IT teams aren't encryption specialists. Their work must be focused on the tasks which they do best. Therefore, there need to be mechanisms that automatically produce, deploy, and implement machine identities, especially TLS certificates, at the speed of all the work that DevOps does.
A June 2018 Forrester Consulting study commissioned by Venafi, which you may download here, illuminated how challenging machine identities are for organizations. 116 cybersecurity professionals from financial services and insurance organizations in the UK, Australia, the US, France, and Germany participated.
71% of respondents believed that effective machine identity protection is vital to the security and viability of their companies over the long term. That’s great! Unfortunately, only 34% tracked SSH keys, which serve as machine identities. A mere 28% tracked the machine identities of containers, and just 26% tracked the machine identities of microservices. Those are all entities which are involved in DevOps! Tracking machine identities and maintaining visibility of them is absolutely crucial. Lost and stray machine identities in your organization’s networks can be easier for cyber attackers to find than house keys slipped under doormats. Automating machine identity management is the only effective way to make sure that the only certificates in your networks are ones which are secured and in deployment. Especially given the really short lifespans of the containers and microservices which DevOps uses, manual machine identity management is a cumulative recipe for disaster.
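To make the two halves of that argument concrete, here is an added example (not code from Venafi or from the study) of what "automated issuance" and "tracking" look like in practice: a small in-process CA mints short-lived certificates for workloads, and an inventory audit flags any certificate that is expired, about to expire, or not chained to the approved CA. Everything is built with Go's standard library; the CA names, workload DNS names, and TTLs are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a constructed, in-process issuing authority standing in for the
// automated certificate service a DevOps pipeline would call.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	Pool *x509.CertPool // trust store that holds only this CA
}

// newCert signs tmpl with parent/signer and parses the DER result.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed CA; name is a hypothetical label.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := newCert(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &CA{Cert: cert, Key: key, Pool: pool}, nil
}

// Issue mints a server certificate for one workload with a random 128-bit
// serial and a TTL sized to the workload's lifetime (a fresh key per cert).
func (ca *CA) Issue(dnsName string, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return newCert(tmpl, ca.Cert, &key.PublicKey, ca.Key)
}

// Finding is one inventory problem: which identity and what is wrong.
type Finding struct {
	Name    string
	Problem string
}

// Audit walks discovered certificates and reports the expired ones, the
// strays that do not chain to the approved CA, and those expiring within warn.
func Audit(inv []*x509.Certificate, approved *x509.CertPool, now time.Time, warn time.Duration) []Finding {
	var findings []Finding
	for _, c := range inv {
		name := c.Subject.CommonName
		if now.After(c.NotAfter) {
			findings = append(findings, Finding{name, "expired"})
			continue
		}
		if _, err := c.Verify(x509.VerifyOptions{Roots: approved, CurrentTime: now}); err != nil {
			findings = append(findings, Finding{name, "not issued by approved CA"})
		} else if c.NotAfter.Sub(now) < warn {
			findings = append(findings, Finding{name, "expires within " + warn.String()})
		}
	}
	return findings
}

// Scenario builds a constructed inventory (one healthy cert, one nearly
// expired cert, one from an unapproved CA) and audits it.
func Scenario() ([]Finding, error) {
	approved, err := NewCA("approved-internal-ca")
	if err != nil {
		return nil, err
	}
	rogue, err := NewCA("unapproved-ca")
	if err != nil {
		return nil, err
	}
	var inv []*x509.Certificate
	for _, w := range []struct {
		ca   *CA
		name string
		ttl  time.Duration
	}{
		{approved, "api.internal.example", time.Hour},
		{approved, "worker-7.internal.example", 5 * time.Minute},
		{rogue, "legacy.internal.example", time.Hour},
	} {
		c, err := w.ca.Issue(w.name, w.ttl)
		if err != nil {
			return nil, err
		}
		inv = append(inv, c)
	}
	return Audit(inv, approved.Pool, time.Now(), 15*time.Minute), nil
}

func main() {
	findings, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s %s\n", f.Name, f.Problem)
	}
}
```

Running it lists only the two certificates that need attention: the worker whose 5-minute certificate is inside the 15-minute warning window, and the "legacy" certificate that nobody approved. In a real pipeline the inventory would come from scanning endpoints or a certificate store rather than being built in memory, but the check is the same: every identity on the network must chain to an issuer you control, and anything nearing expiry is renewed by the same automation that issued it.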
Additional study findings make the need for automated certificates in DevOps even more obvious. 41% of respondents said that system administrators can’t focus on machine identity use and protection. It’s not their fault; they have so many other responsibilities, especially in DevOps. 45% of respondents said that machine identity protection will be a higher priority than human identity protection within the next two years. That’s a really significant shift for identity and access management within DevOps.
The needs and demands of DevOps are changing rapidly, as are all of the pertinent cyber threats. Development teams are constantly patching and deploying new features. Plus, they often have to keep on top of things like changes to APIs and how a client’s needs change over time. On the operations side, IT has to focus on changes made to the networking infrastructure itself, and on the constant tasks of system and network administrators. It’s not realistic or appropriate to add manual machine identity management on top of everything else.
So, what can DevOps do to improve machine identity management and automate the process as much as possible? And what about the cultural change, and the integration of security processes throughout the development lifecycle that are increasingly necessary to prevent catastrophic cyber attacks? That’s what my next post is about. Stay tuned!