Maybe you’ve heard this one before. You’re a global bank in the process of migrating to a multicloud infrastructure using Kubernetes. And then suddenly you find yourself falling victim to outage after outage, one of which knocks out an important customer-facing app for several hours. How do you tackle the problem?
InfoSec vs platform development teams
First you might discover—unsurprisingly—a lack of synchronicity between your InfoSec and platform development teams. The latter group may have assumed that the machine identity management tools used for on-premise infrastructure didn’t apply to them, given that the high volume of Kubernetes workloads being deployed on faster release cycles are consuming way more TLS certificates. The former group, meanwhile, has no visibility into how certificates are being used and configured in Kubernetes clusters, which might have enabled them to catch a misconfigured or expiring certificate before an outage could occur.
Prevent outages: Venafi TLS Protect for Kubernetes
If you’re already a Venafi customer, you know how well TLS Protect works to manage machine identities. And you may be aware that Jetstack, now Venafi, created cert-manager and is popular among your developers. After all, cert-manager, an open source tool, automates the issuance and management of TLS certificates in Kubernetes environments—and it’s been downloaded more than 1 million times a day since 2021.
But like any global financial institution, you need a solution that not only can stop outages in cloud native environments but one that also gives your security teams visibility into your TLS certificate inventory, enforces policies and standardizes all instances of cert-manager while letting developers use their preferred tools. And, most important perhaps, it can scale easily.
That’s where TLS Protect for Kubernetes comes in. Built on top of cert-manager, TLS Protect for Kubernetes is designed specifically for enterprise usage. And our new case study, Global Bank Eliminates Kubernetes Certificate-Based Outages with TLS Protect for Kubernetes describes just how TLS Protect for Kubernetes helped one global bank do just that.
An excerpt from the case study:
“The first task for TLS Protect for Kubernetes was to help the bank identify in-cluster certificates that could potentially trigger an outage—and the bank was surprised to find several hundred of them. With JTLS Protect for Kubernetes, the platform team easily revoked the offending certificates and replaced them with ones that complied with corporate security policies defined within the Venafi platform. TLS Protect for Kubernetes enforced this automatically.”
This took a load off the minds of the security team. In addition:
“The security team was pleased that TLS Protect for Kubernetes automates tasks such as centralized logging and monitoring because it gave them confidence that their cloud environments were managed at the same level as their on-premise ones.”
Meanwhile, development teams appreciated how TLS Protect for Kubernetes brought about truly frictionless certificate-as-a-service:
“Development teams were thrilled that they no longer had to worry about the various aspects of certificate management that used to hobble speed of development—including requesting tokens, managing private keys and maintaining cert-manager across hundreds of clusters. Moreover, they could now procure and manage valid Venafi-approved certificates without having to worry about whether certificates adhered to policy.”
Want to read more? Click here to read the case study. But before you go, here’s a money quote from the bank’s vice president of security:
“Venafi and the TLS Protect for Kubernetes team also provide best practice blueprints to maintain cloud security and compliance as we scale, as well as the ability to seamlessly extend our visibility across both classic on-premise and modern cloud infrastructure. That’s the closest thing to a silver bullet I’ve seen in my 25 years as a security professional.”