The term DevOps hasn’t been around very long. Patrick Debois may have coined the term when he launched the devopsdays conferences in 2009. But it’s a very useful concept. Software developers need to work with information technology teams within organizations in order to maintain their software and overall coding. New patches, fixes, and features must be optimally deployed to respond to the immediate needs of a network. Effective DevOps can keep a network at top functionality with proper security. And it’s not a “set it and forget it” paradigm. Effective DevOps is work that must be done constantly to keep a network operating in the best interests of an organization every day.
An environment of constant change
We need DevOps because networks are becoming increasingly advanced, but also increasingly complex. Network applications and services have become ever more numerous. More and more is being done with the cloud, with machine learning, with virtualization and with automation. Applications which were once monolithic are now modular with many shared services. Where organizations used to rely on a smaller numbers of physical machines, they now grapple with greater numbers of often virtualized machines with short lifecycles and lots of cross application dependence. Datacenters which used to be completely on-premises are now partially or completely in the cloud. Sporadic releases must now evolve to become more frequent and agile to respond to fast changing networks and computing needs. A few large servers have now given way to greater numbers of often virtualized or containerized servers.
In this environment of constant change, manually managed machine identities is becoming really impractical, possibly even problematic. If DevOps try to get in the middle of rapidly changing network environments, where some network entities may have a lifespan of only a few days, chaos ensues. DevOps team members will be over-burdened with many forms of access control changes, secrets rotation, security updates, support tickets, deployment requests and network reconfiguration.
Each container or machine will require a machine identity in order to properly authenticate throughout the network. They can take the form of certificates, keys, or other forms of access tokens. Containers, microservices, and virtual servers are constantly deployed, and they also are constantly “killed.” Imagine having to manually manage machine identities in that sort of environment! The old-fashioned ways of managing machine identities are no longer practical, or even feasible.
Trying to manage machine identities manually
Inevitably if DevOps try to manage machine identities manually these days, some specific cybersecurity problems will arise. For one, DevOps are expected to be agile, and agility is obviously lost when they have to do more manual work. Time spent tinkering with key management is time not spent developing and deploying patches or other improvements. Untracked certificate expirations leave stray access tokens free for the taking by possible cyber attackers. That’s right, manual machine identity management techniques, which were better suited for yesterday’s networks, make it easier for cyber attackers to spoof trusted machines within a network. DevOps teams also have to do a lot of different things at once. Under pressure to meet deadlines to deploy new features and fixes, if they have to manually manage machine identities in the process, they may not be able to take the time needed to configure them effectively.
DevOps can work much more quickly, more efficiently, and be much more agile when proper automation systems are implemented for machine identity deployment. Role-based access control (RBAC) systems are more responsive to the dynamic demands of privileged access management. DevOps teams can make their jobs much easier and make their networks much more secure if they thoroughly embrace automation in their authentication systems.
As much as possible, DevOps should work with properly secured test certificates rather than production certificates. That way, cyber attackers can’t easily hijack development and testing environments to access larger code repositories and machine identities throughout the organization.
DevOps teams can also improve the secure functioning of their networks by having systems built for continuous monitoring, enabling them to release code in smaller chunks for faster and more efficient deployment. Smaller patches and fixes are also less likely to have bugs which can introduce new security vulnerabilities. If new bugs are released, they can be found and patched much quicker.
Automate - as much as possible
Ultimately the best way for DevOps to improve their usage of machine identities is to automate as much as possible. But implementing that automation must be done with great care. Human error can also be removed from the equation. And automation helps keep applications more secure throughout the development lifecycle, with new certificates automatically being assigned to applications when they request them.
Want to learn more about the benefits of automating machine identities for your DevOps teams? Watch this video. /resource/creating-a-partnership-between-infosec-and-devops/