Security at DevOps speed: Mind your keys and certificates
DevOps may be rapidly gaining traction, especially with large companies, but it presents risks as well as benefits. In particular, the speed of DevOps makes it more challenging for organizations to effectively manage the cryptographic keys and digital certificates used to secure all types of communications.
In a recent study commissioned by Venafi, nearly 80 percent of CIOs said they're concerned that DevOps environments make it more difficult to know what’s trusted and what’s not. The race to deliver services faster can cause DevOps teams to take security shortcuts, leading to costly consequences such as data loss, application outages, and compliance issues.
So how do you balance the agility that DevOps requires with the need for rock-solid security? You need to establish controls and automation for your keys and certificates.
Crypto keys: Too slow for DevOps?
Cryptographic keys and digital certificates form the foundation of trust and privacy, and it was this foundation that enabled the explosive growth of the Internet in the 1990s. It also allows us to trust Internet-based transactions.
Keys and certificates enable private, encrypted communications, and signal that a website should be trusted over Hypertext Transfer Protocol Secure (HTTPS). Without these foundational elements of security, any website could pretend to be your bank, favorite online store or cloud provider. Keys and certificates are used to connect applications, administrators, and clouds over Secure Shell (SSH). They authorize digitally signed code to run on iOS and Android devices, Windows and OS X operating systems, as well as Boeing and Airbus aircraft.
But the process used to issue and deploy keys and certificates has been slow and complicated, and that conflicts with DevOps’ goal of speed and efficiency. Getting trusted digital certificates typically takes days, rather than the seconds that fully automated and orchestrated DevOps environments require.
As a result, DevOps teams often end up trying to engineer their way around the problem, in some cases using untrusted or unauthorized certificates, such as those offered for free by Let’s Encrypt, GoDaddy and similar services. In other cases, DevOps teams don’t use certificates at all.
Both approaches make it challenging to identify and mitigate threats in a timely manner. Without HTTPS encryption, data may be exposed to attackers. But with HTTPS, it’s difficult for security systems to inspect encrypted traffic for threats and attacks.
It's a troubling paradox: How do you capitalize on the benefits of DevOps without confronting additional security risks? To address this you need to take a different approach: You must build security into DevOps in a way that is fast and easy, without compromising security.
Achieving a balance
Security teams need to reassure the CIO that they can identify what's trusted and what's not, and prove that security has not been compromised in the process. Enterprises need successful best practices that can help DevOps teams balance speed and security through effective management of keys and certificates.
Automation is key
Organizations should create processes that automate the creation and distribution of keys and certificates so that DevOps teams don’t have to do it themselves. This approach lets security teams eliminate keys and certificate kludges (a.k.a. “re-engineering”) and keep data and applications safe and secure.
Increase visibility to eliminate outages
Failure to renew certificates before they expire, and improper configurations (as with the Microsoft Azure outage) can be costly. Service failures with applications that use HTTPS can result in a downtime of up to $1 million per hour for high-volume services.
To avoid unnecessary outages, make sure you are able to discover where all application certificates are in use and replace those that are unreliable or expired.
Use a catalog of recipes
For slow IT applications, teams typically spend up to 4.5 hours to provision each certificate manually. But DevOps teams may need to deliver hundreds of certificates in an instant. Fortunately, it’s possible to create “recipes”—collections of automation driven through APIs —to orchestrate all of the steps needed to use keys and certificates.
DevOps teams can do to balance agility and security, instead of sacrificing one for the other. By implementing controls and automation for keys and certificates, DevOps can move at the speed of business without sacrificing security.