Driven by the benefits of increased productivity and faster delivery, organizations are transitioning from traditional software development to DevOps and Continuous Integration/Continuous Delivery (CI/CD) practices. However, DevOps is changing the way we need to think about security, which oftentimes is considered as a barrier.
Gartner predicts that by 2022, more than 75% of global organizations will be running containerized applications in production, a significant increase from what we are witnessing today. While DevOps is not a technology, it is supported by a huge variety of tools which enable the transition to continuous integration and continuous delivery (CI/CD)—from container orchestration platforms like Kubernetes to CI/CD management tools like Jenkins.
By its very nature, CI/CD creates a continuous stream of new machines, whether they are containers, microservices or API integrations. To securely communicate with other machines, all of these new machines need identities. However, this can prove to be challenging. The keys and certificates that make up these machine identities are not managed by the DevOps teams. They are managed by security or Public Key Infrastructure (PKI) teams.
NIST and other organizations have highlighted the critical importance of keys and certificates in code signing, encryption, and authentication across DevOps. Despite that, security teams often find themselves with limited visibility on the number and owners of these machine identities. The key reason is the inconsistency between sometimes slow certificate provisioning and speedy DevOps. As a result, developers may tend to put aside corporate certificate management practices and employ open-source tools to get certificates when and where they need to.
However, this practice introduces security and compliance risks as certificates often go untracked or unmanaged. Certificate service teams feel helpless and they find it almost impossible to prevent unknown or non-compliant certificates from causing disruptive outages and security gaps.
DevSecOps: promises and challenges
Although security may seem isolated from DevOps processes, it still plays an important role. In fact, the intersection of security and DevOps, known as DevSecOps, promises to close this gap.
DevSecOps integrates security with DevOps workflows by prioritizing processes that make security a seamless and automated process. The core principles of DevSecOps are:
- Collaboration between stakeholders around security
- Automation of processes that promote security
- Integration of security into the CI/CD pipeline
- Use of DevOps-friendly technologies that promote strong security
Although DevSecOps is a powerful concept to adopt, integrating security into DevOps strategies does not come without challenges. Here are the most pressing:
- Velocity. Robust secure software development takes time, and time-consuming processes are at odds with the objective of fast, continuous software delivery.
- Expertise. Software developers are not security experts. As a result, effectively integrating security and achieving collaboration might be a tenuous exercise for many of the stakeholders in the software delivery process.
- Security tradeoffs. Many of the technologies that facilitate DevOps have security tradeoffs. For example, containers make software deployment agile and faster, but they also introduce more potential security risks.
- Code signing. Distributed development teams must be able to sign code quickly, without disruption. The fast pace of software development risks the proper tracking or protection of signing keys.
How PKI can secure CI/CD automation
Because the use of digital certificates is critical in securing the containers and microservices used by DevOps, these machine identities play a very important role in CI/CD pipelines.
Automated and fast provisioning of infrastructure relies on Infrastructure-as-a-Service (IaaS) and Infrastructure-as-Code (IaC) platforms. Their management and configuration are outsourced to third-party vendors. Digital certificates can help DevOps teams verify the identity of the teams responsible for setting up and maintaining infrastructure.
A consistent DevOps workflow relies heavily on a CI/CD pipeline that allows code to move automatically from development to testing to deployment. A typical CI/CD pipeline involves many components, such as integration servers, test servers and deployment containers. Certificates can help identify these components and ensure that they are authentic, making CI/CD pipelines more secure and easier to manage.
DevOps workflows also involve many discrete units of code. This code is written in dispersed units and is included in different pipelines, each dedicated to different applications. Keeping track of these code components and ensuring that the code is authentic and secure is critical. Digital certificates solve these challenges by allowing DevOps teams to sign code securely and automatically.
Finally, certificates play a critical role in bringing together the microservices that comprise modern DevOps apps. Digital certificates are a key component of applications, and evolving platforms like Kubernetes use certificates to separate nodes within clusters.
Certificate lifecycle automation and DevSecOps
Integrating digital certificates into the CI/CD pipeline creates an explosion of certificates that need to be managed by security teams. Assigning ownership to processes and services is quite different than assigning certificates to physical persons. These challenges make the manual management of digital certificates a mission impossible. The only solution is to automate certificate lifecycle management.
By automating certificate management, DevOps teams can achieve the necessary security automation and integration. Having a centralized PKI platform for certificate management, enterprises can benefit a great deal and achieve the following objectives:
Visibility. Automated certificate management allows the discovery of keys and certificates for any software components at all stages of the DevOps workflow and CI/CD pipeline. PKI services provide a central root of trust allowing DevOps engineers to keep track of code they are developing and infrastructure they are working with, during the development, testing or production phase of the pipeline.
Policy enforcement. For an effective security integration into the fast-paced DevOps cycle, automated and continuous enforcement of security rules at all stages of the CI/CD pipeline is critical. With automated certificate management, certificate enrollment is enforced for any object within DevOps workflows, minimizing the risk of security oversights caused by human error.
Automation and integration. Using protocols such as ACME, DevOps teams can easily integrate technologies such as containers, container orchestrators, and CI/CD management with their certificate enforcement strategy. Integrating distributed DevOps resources under one centralized solution becomes feasible, minimizing the integration challenges associated with DevSecOps.
Digital certificates are critical to allow organizations to implement and benefit from DevSecOps. While automated certificate management is not a panacea for making DevOps more secure, it certainly is a critical component of healthy DevSecOps workflows.
- DevOps and the Proliferation of Secrets
- Accelerate DevOps by Offering a Certificate Service for CI/CD Pipelines
- How Can You Be More Successful in a Compliance Conversation with DevSecOps?
- X.509 Certificate Issuance: Too Slow for DevOps?