Certificate management is an important element of ensuring DevOps processes run smoothly
Organizations are increasingly integrating DevOps into their app development processes. According to Amazon Web Services (AWS), DevOps holds so much promise with organizations because it has the potential to increase the speed and ability to deploy new apps and services. Together, development and operations personnel use extended technology stacks and tooling to automate processes that they’ve traditionally fulfilled manually.
Organizations want to get the most out of integrating their different teams together under a DevOps model. It’s not surprising, therefore, that DevOps is constantly changing in an attempt to fit the ever-evolving technology landscape, including IT security.
Sid Phadkar, senior product manager at Akamai, made this point clear to TechRepublic:
With the rising number of data breaches and increased emphasis on data privacy regulations such as PSD2 and GDPR both in the U.S. and globally, DevOps-savvy organizations will be forced to prioritize diligence in security measures overtime to market in the year ahead. As new regulations are put into place, more application developers will be mandated to build strict security policies directly within code. There will be an uptick in DevOps tools that cater to automating more compliance-related tasks within infosec teams, thus incorporating security and compliance measures into everyday CI workflows.
The issue is that it’s not always easy to align DevOps with security. Good security practices commonly come into contact with the timely delivery of a new application or a service. Without the right tools to support DevOps, security personnel can’t support developers in a way that they need to be supported. As a result, developers will be more inclined to resist new security practices and find non-compliant alternatives to new processes that slow them down.
These challenges are of special concern for certificate lifecycle management. Organizations need to secure the DevOps life cycle with PKI via code signing or creating a certificate. But, this implementation of PKI often suffers from poor visibility into certificate life cycles and inconsistent communication with Certificate Authorities.
Conventional DevOps pipelines also commonly rely on manual requests to obtain trusted certificates. These types of requests undermine the agility of the software development life cycle. Most containers aren’t up for very long, so if those requests take days to complete, the resulting digital certificates will be effectively useless unless the organization slows down its delivery of applications. Such dynamism also makes it difficult for DevOps to manage and monitor those certificates on their own. Team members could therefore look for shortcuts, resort to ad hoc processes or purchase certificates that use multiple cryptographic standards—variations that increase the organization’s security risk.
These concerns don’t resonate only with industry analysts. They’re also shared by DevOps professionals. In a 2019 survey, 74% of DevOps professionals told Venafi they were concerned that issuing certificates could slow down development. Just over a third (39%) of developers said they should be able to circumvent those policies to meet their service-level agreements, while less than half (48%) of respondents voiced their belief that developers in their organization always request certificates through channels and methods approved by the security team.
How DevOps Teams Can Best Handle Their Certificates
DevOps teams can best handle their certificates by automating their certificate management processes. Orchestration tools such as Kubernetes support certificate management via the ACME protocol. Kubernetes stores private keys in the Kubernetes Secret or Hashicorp Vault, thus providing seamless integration for the certificate management system. DevOps teams can also digitally sign their containers with a private CA to help verify a given container as it communicates over a TLS connection.
Aside from automation, DevOps needs to increase the visibility of their certificates to avoid unnecessary outages. Team members need to be able to renew certificates before they expire and to address improper configurations to make sure that critical services remain up. API-driven automation can help orchestrate their processes involving keys and certificates in an attempt to balance both agility and security.