In today’s fast-paced business environment, organizations must streamline software development, as coding new applications and software updates is an everyday task. Enterprise-class code development has evolved on two fronts to handle this volume: globally dispersed development teams, and DevOps tooling built around the Agile process.
While this paradigm shift has enabled organizations to keep up with growing and quickening business needs, it can also expose a company to security risks. From development through deployment, code sections and full applications (micro-services) have to pass between contributors who may be geographically distant. Without strong security that maintains a Root of Trust, data protection cannot be ensured.
How to balance strong security with the fast pace of DevOps?
Oftentimes, organizations leave the task of figuring out what encryption and device identity management solutions to use to the development team. Security professionals may find open source and free tools are easy to obtain, and, at first glance, appear to be “good enough”. This might be “good enough” for a new application that is incubating, but once it nears deployment and “graduates” to an enterprise-class product, end-to-end security is required to protect customer data as well as the organization’s reputation.
For reference, let’s look at a high-level view of the steps involved in a secure DevOps process:
- The developer needs to check in the new micro-service as part of the Continuous Integration / Continuous Development (CI/CD) Agile development process
- A secure machine identity is required for the micro-service code
- A Certificate Signing Request (CSR) is sent to a trusted Certificate Authority to be fulfilled
- The fulfilled CSR is returned to the developer and installed in the micro-service
- The identity of the micro-service code is now assured, so the code can be submitted
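The CSR round trip in the steps above, as an added example in Go that is not part of this post or of the Thales, Venafi or HashiCorp products: a constructed in-process CA stands in for the trusted Certificate Authority (in the real flow the CSR travels to the enterprise CA), the micro-service keeps its private key and sends only the CSR, the CA checks the CSR's proof-of-possession signature before fulfilling it, and the service verifies the returned certificate against that CA before it would be installed. The CA name and service name are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues a certificate from tmpl under the parent's key (parent == tmpl gives a self-signed one).
func sign(tmpl, parent *x509.Certificate, pub interface{}, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// issueServiceCert walks the post's steps against a constructed in-process CA: the micro-service makes its own
// key pair and a CSR, the CA checks and fulfils the CSR, and the returned certificate is verified against the CA.
func issueServiceCert(svc string) (cert, ca *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return }
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Example Internal CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca, err = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil { return }
	svcKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // service side: this key never leaves the service
	if err != nil { return }
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: svc}, DNSNames: []string{svc}}, svcKey)
	if err != nil { return }
	csr, err := x509.ParseCertificateRequest(csrDER) // CA side: parse the bytes that arrived
	if err != nil { return }
	if err = csr.CheckSignature(); err != nil { return } // CA side: requester really holds the private key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if cert, err = sign(tmpl, ca, csr.PublicKey, caKey); err != nil { return }
	roots := x509.NewCertPool() // developer side: trust only the enterprise CA, not the system store
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: svc})
	return
}

func main() {
	cert, ca, err := issueServiceCert("payments.svc.internal")
	fmt.Println(cert.Subject.CommonName, "signed by", ca.Subject.CommonName, "verify error:", err)
}
```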
If we take a closer look at the steps above, it’s easy to see how the steps required to establish code security could negatively impact the efficiency and productivity of the developer. Essentially, the developer would be trading speed for security. Even worse, if the developer uses an unproven solution that is not enterprise-class, the chances of machine identities being compromised increase greatly.
Another way to slow down the DevOps process is to force developers to use different tools to meet DevSecOps policies and global compliance regulations. Learning new tools, or using tools that are not well known to the developer, may add training time and possible errors that are avoidable if the developer can stick to the tools they know best.
End-to-end DevOps solution offers the best of both worlds
To address the security needs of DevOps while maintaining the speed of the Agile process, Thales, Venafi, and HashiCorp have integrated and tested a complete end-to-end DevOps solution. With Venafi’s Trust Protection Platform, HashiCorp’s Vault Enterprise Platform and Thales Luna Hardware Security Modules (HSMs), an organization’s DevOps team will have a comprehensive encryption key and device identity management solution.
To learn more about the solution, please visit Thales on the Venafi Technology Network or download our joint solution brief, “Simplifying DevOps Security with Thales, Venafi & HashiCorp”.