Why digital certificates are so important to your DevOps teams
DevOps needs to increase the visibility of their certificates to avoid unnecessary outages.
Organizations are increasingly integrating DevOps into their app development processes. According to Amazon Web Services (AWS), DevOps holds so much promise with organizations because it has the potential to increase the speed and ability to deploy new apps and services. It does this by having the development and operation teams work together across the entire application lifecycle. (Security teams might also get involved in a process known as DevSecOps.) Together, development and operations personnel use extended technology stacks and tools to automate processes that they’ve traditionally fulfilled manually.
Needless to say, organizations can reap many benefits by adopting a DevOps model. When left to their silos, developers, operations personnel, security professionals and even folks from Quality Assurance don’t necessarily know the roadblocks that could stand in the way of a project finishing up on time. That’s because each of these groups adds something different to an assignment. As noted by Digital.ai, they do not necessarily approach their work from the same understanding of a new application’s business context or value. As such, these teams could even have opposing goals that could hold a project back and lead to infighting.
Digital Certificates: A Challenge for DevOps to Keep up with Security
Organizations want to get the most out of integrating their different teams together under a DevOps model. Acknowledging that fact, it’s not surprising that DevOps as a mindset is constantly changing in an attempt to fit the ever-evolving technology landscape. DevOps must therefore keep up with the information security field.
Sid Phadkar, senior product manager at Akamai, made this point clear to TechRepublic:
With the rising number of data breaches and increased emphasis on data privacy regulations such as PSD2 and GDPR both in the U.S. and globally, DevOps-savvy organizations will be forced to prioritize diligence in security measures over time to market in the year ahead. As new regulations are put into place, more application developers will be mandated to build strict security policies directly within code. There will be an uptick in DevOps tools that cater to automating more compliance-related tasks within infosec teams, thus incorporating security and compliance measures into everyday CI workflows.
The issue is that it’s not always easy to align DevOps with security. Indeed, Keyfactor noted that many organizations struggle to enforce consistent security policies around DevOps because of the conflicts discussed above. Good security practices commonly come into conflict with the timely delivery of a new application or a service. Without the right tools to support DevOps, security personnel can’t give developers the support they need. Devs will therefore be more inclined to resist new security practices and find non-compliant alternatives to new processes that slow them down.
These challenges are of special concern for certificate lifecycle management. Organizations need to secure the DevOps lifecycle with PKI via code signing or creating a certificate. But as noted by AppViewX, this implementation of PKI often suffers from poor visibility into certificate lifecycles and inconsistent communication with Certificate Authorities.
Conventional DevOps pipelines also commonly rely on manual requests to obtain trusted certificates. These types of requests undermine the agility of the software development lifecycle. Most containers aren’t up for very long, so if those requests take days to complete, the resulting digital certificates will be effectively useless unless the organization slows down its delivery of applications. Such dynamism also makes it difficult for DevOps to manage and monitor those certificates on their own. Team members could therefore look for shortcuts, resort to ad hoc processes or purchase certificates that use multiple cryptographic standards—variations that increase the organization’s security risk.
These concerns don’t resonate only with industry analysts. They’re also shared by DevOps professionals. In a 2019 survey, 74% of DevOps professionals told Venafi they were concerned that issuing certificates could slow down development. Just over a third (39%) of developers said they should be able to circumvent those policies to meet their service-level agreements, while less than half (48%) of respondents voiced their belief that developers in their organization always request certificates through channels and methods approved by the security team.
How DevOps Teams Can Best Handle Their Certificates
In response to the challenges discussed above, DevOps teams can best handle their certificates by automating their certificate management processes. As noted by DevOps.com, orchestration tools like Kubernetes support certificate management via the ACME protocol. Kubernetes stores private keys in a Kubernetes Secret or HashiCorp Vault, thus providing seamless integration for the certificate management system. DevOps teams can also digitally sign their containers with a private CA to help verify a given container as it communicates over a TLS connection.
Aside from automation, DevOps needs to increase the visibility of their certificates to avoid unnecessary outages. Team members need to be able to renew certificates before they expire and to address improper configurations to make sure that critical services remain up. TechBeacon notes that DevOps should use API-driven automation collections called “recipes” to orchestrate their processes involving keys and certificates in an attempt to balance both agility and security.
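As an added illustration of the visibility point above (this is not code from the article or from any vendor it cites), the following sketch ranks a certificate inventory by renewal urgency. The inventory entries, the fixed sample clock and the two-thirds-of-lifetime renewal threshold are assumptions chosen for the example; the threshold scales with each certificate's lifetime so that short-lived container certificates are judged sensibly.

```python
import ssl

# Constructed inventory for illustration; names and dates are not from the article.
# Dates use the notBefore/notAfter string format returned by SSLSocket.getpeercert().
INVENTORY = [
    {"name": "api-gateway", "not_before": "Jan  1 00:00:00 2024 GMT", "not_after": "Mar 31 00:00:00 2024 GMT"},
    {"name": "build-agent", "not_before": "Mar  9 18:00:00 2024 GMT", "not_after": "Mar 10 18:00:00 2024 GMT"},
    {"name": "ci-runner",   "not_before": "Mar  9 02:00:00 2024 GMT", "not_after": "Mar 10 02:00:00 2024 GMT"},
    {"name": "legacy-vpn",  "not_before": "Mar  1 00:00:00 2023 GMT", "not_after": "Mar  1 00:00:00 2024 GMT"},
    {"name": "payments-db", "not_before": "Jan  1 00:00:00 2024 GMT", "not_after": "Jan  1 00:00:00 2025 GMT"},
]

RENEW_FRACTION = 2 / 3  # assumption: renew once two thirds of the lifetime is used
URGENCY = {"expired": 0, "renew": 1, "ok": 2}


def classify(cert, now):
    """Return (status, seconds_remaining) for one inventory record."""
    start = ssl.cert_time_to_seconds(cert["not_before"])
    end = ssl.cert_time_to_seconds(cert["not_after"])
    if end <= start:
        raise ValueError(f"{cert['name']}: notAfter is not later than notBefore")
    remaining = end - now
    if remaining <= 0:
        return "expired", remaining
    # The threshold scales with lifetime, so a 24-hour container certificate is
    # not permanently "expiring soon" the way a fixed 30-day window would make it.
    renew_at = start + RENEW_FRACTION * (end - start)
    return ("renew" if now >= renew_at else "ok"), remaining


def report(inventory, now):
    """Return (name, status, seconds_remaining) rows, most urgent first."""
    rows = []
    for cert in inventory:
        status, remaining = classify(cert, now)
        rows.append((URGENCY[status], remaining, cert["name"], status))
    rows.sort()
    return [(name, status, remaining) for _, remaining, name, status in rows]


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Mar 10 00:00:00 2024 GMT")  # fixed clock for the sample
    for name, status, remaining in report(INVENTORY, now):
        print(f"{status:8} {name:12} {remaining / 3600:10.1f} h remaining")
```

In a pipeline, the same report would be fed from the real certificate store and a non-empty "expired" or "renew" set would trigger the automated renewal rather than a manual request.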
Editor’s Note: David Bisson is an information security writer and security junkie. He’s a contributing editor to IBM’s Security Intelligence and Tripwire’s The State of Security Blog, and he’s a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.