Application development teams need to move fast. Yet they often need to reinvent the wheel when it comes to machine identities such as SSL/TLS certificates. They frequently create their own security infrastructure, using a combination of Open SSL, secrets management tools, DevOps platforms and scripts. Then, as environments and tools change, apps are migrated and regulatory frameworks change, those same developers need to spend time re-coding applications, updating scripts or learning new certificate authority APIs.
Developers prefer to stay within their existing toolchain and often view Information Security has a barrier rather than an enabler. Often, security processes for SSL/TLS certificates are antiquated and require manual steps such as submitting a ticket, which are incompatible with the dynamic, ephemeral DevOps environments. As a result, developers take on the burden of creating their own security infrastructure, even though they are not PKI experts. This diverts resources away from their core responsibilities, ultimately slowing them down.
What are the challenges with the status quo?
DevOps teams pay the price because ad-hoc security infrastructure introduces heterogeneity across environments, applications, and teams. This introduces a maintenance burden, inadvertently creates vendor lock-in and increases the risk of certificate-related outages. In addition, these unstructured approaches significantly increase the security and operational risks that result from certificates that are improperly issued, configured and managed.
And, without visibility and control over the certificates used in DevOps environments, security teams cannot enforce policy or respond to compliance and audit checks. Security teams are also unable to respond to crypto-events such as a CA compromises, breaches, or other wholesale PKI changes (e.g. migrating from SHA-1 to SHA-2) so this burden falls back on application development teams, disrupting their value stream.
How should security approach these challenges?
Because the application development lifecycle is moving at a faster pace than ever, security teams who used to leverage periodic or manual processes have to get involved much earlier in the lifecycle and find and fix the issues in partnership with the application development teams before they ever make their way into production.
In order to adapt to a faster pace of development, both application development and security teams must invest in automation, otherwise they can’t keep up with the speed using manual processes. Security teams need to look at what tools developers are using and how to embed security into their automation to 1) relieve the burden on DevOps so they can move faster 2) improve security posture.
How can security speed up DevOps?
Security teams have to push machine identity processes left into the pre-production phase, hooking directly into the CI/CD pipeline or automated configuration management tools to embed trusted machine identities across the entire application development lifecycle. By delivering a standardized set of consumable services for autonomous application development teams, security relieves DevOps of the burden of creating their own security infrastructure and makes it easy for them to comply with corporate machine identity policies so they can ultimately, move faster more securely.
How can my organization set up a certificate service?
Attend the May 30th webinar hosted by DevOps.com, “Use the Same Certificate Process Across Your DevOps Toolchain” to learn more about the best practices and solutions that allow organizations to scale digital certificate provisioning for DevOps environments. Helen Beal, DevOpsologist at Ranger 4 and Sandra Chrust, Senior Manager over DevOps and Cloud Solutions at Venafi will discuss the challenges, best practices, and available solutions in a lively format.