If your developers or your IT staff have recommended DevOps, you may be left wondering what they’re referring to. They may have thrown out terms like “agile” and “continuous deployment.” They may have even made a reference to “tossing software over the wall.” If you’ve struggled to stay afloat in those conversations, you’re not alone.
Tech-based occupations like system administrators (sysadmin) and developers (devs) tend to be steeped in a lot of computer-related language. That’s because they consume a lot of computer-related literature, both because they’re interested in it, and because they want to be good at their jobs. And somewhere along the line in their studies, they came across this “DevOps” term.
What is DevOps?
DevOps is an outgrowth of Agile, which itself is an iterative approach to programming. The agile approach means that you develop software incrementally, rather than all at once. DevOps takes this a step further, by offering a philosophy and methodology where the dev team and the production/operations team work together, so that development and implementation can happen in a near-continuous flow.
In a nutshell, DevOps is a methodology of cooperation—rather than function in isolation, development teams, quality assurance, and operations collaborate to improve the quality of software, and the speed at which it is developed and implemented.
What DevOps terms should I know?
While this is far from a crash course in programming, this list should get you started, and help you hold your ground in conversations with the devs and the ops team.
- Agile—an iterative approach to programming that breaks work into “user stories” and then delivers that work in two-week cycles called iterations.
- Lean—originally a production term, it refers to an approach where waste and excess is reduced in a software development process.
- Build automation—the process of automating the compiling source code.
- Agile iteration—a one-to-two-week period during which development happens.
- Software iteration—an instance or version of a program.
- Provisioning — “The process of preparing new systems for users”.
- Continuous deployment—an umbrella term that refers to the continuous development, integration, testing, and implementation of new software.
How to manage keys and certificates in DevOps?
Businesses are adopting bimodal IT—relying both on traditional (slow) IT and newer methods that deliver faster time-to-market and continuous improvement of business technology. DevOps, one of the most popular new philosophies, provides IT services quickly to support innovation and faster development of new features.
There is no doubt that DevOps accelerates the deployment and rapid evolution of business technology and delivers numerous advantages such as:
- Faster response times address market changes or customer requirements more quickly. Companies that have embraced a DevOps methodology increased their speed to market by 20 percent.
- Increased customer satisfaction through frequent product updates based on continuous feedback from users.
- Better operational efficiency due to automation, resulting in more than 60 percent of organizations adopting DevOps approaches.
However, as with every new technology, the rewards do not come without risks. In fact, nearly 80 percent of CIOs are concerned that DevOps makes it more difficult to know what’s trusted and what’s not. To maximize the speed of delivery of these services, it’s not uncommon for DevOps teams to overlook security. This oversight can have costly consequences, including data breaches, application outages and failed audits.
Let’s look closely at one example of how DevOps is being challenged by today’s slow security processes. Cryptographic keys and digital certificates comprise the foundation of trust and privacy. This foundation enabled explosive growth of the Internet in the 1990s and allows us to trust Internet-based transactions. Recently, cryptographic keys and digital certificates have expanded to include the cloud and the Internet of Things (IoT).
Keys and certificates turn on private, encrypted communications and let us know that a website should be trusted over Hypertext Transfer Protocol Secure (HTTPS). Without them, any website could pretend to be your bank, favorite online store, or cloud provider. They’re used to connect applications, administrators, and clouds over Secure Shell (SSH). Digital keys and certificates authorize digitally signed code to run on iOS and Android devices, Windows, and OS X operating systems and even Boeing and Airbus aircraft.
But the process to issue and deploy keys and certificates has historically been slow and complicated – the exact opposite of DevOps’ goals and objectives. Getting trusted digital certificates can take days, not the seconds the automated and orchestrated DevOps environment expects. DevOps teams frequently “engineer” their way around this problem. In some cases, DevOps teams use untrusted or unauthorized certificates like those freely available from Let’s Encrypt or GoDaddy. In other cases, they don’t use certificates at all. Either approach makes it more difficult to identify threats, and without HTTPS encryption, data is exposed to attackers. Complicating things further, if HTTPS is used, it’s difficult for security systems to inspect encrypted traffic for threats and attacks.
The open-source community, like Lemur from the Netflix security and operations team, has found ways to make it easier for DevOps teams to use keys and certificates. But so far these attempts to improve the security of DevOps systems have only created new, more complex security blind spots.
The question remains: How can enterprises reap the benefit of DevOps without exposing themselves to additional security risks? Solving this problem requires security teams to think differently – we need to build security into DevOps in a way that is fast and easy. In the same way Formula 1 engineers enable drivers to push the limits, security teams need to find creative ways to empower DevOps to go faster, without compromising security.
What are 3 steps to accelerate DevOps?
1. Automation: Make it Fast and Easy
Organizations should implement procedures to automate the creation and distribution of keys and certificates for use with HTTPS and SSH throughout the build process so that DevOps teams don’t have to do it themselves. Give DevOps a simple, easy-to-use API and bake it in everywhere. This approach allows IT security to eliminate keys and certificates kludges (aka “re-engineering”) and keeps data and applications safe and secure.
2. Maximize Visibility to Eliminate Certificate Outages
Customer satisfaction is an ongoing endeavor; one service outage and your customer satisfaction rating can plummet. Failure to renew certificates before they expire, or improper configurations (as with the Microsoft Azure outage) can be costly. Service failures with applications using HTTPS can result in a downtime of up to $1 million per hour for high volume services. To avoid unnecessary outages, make sure you can discover where all application certificates are being used.
3. Build for New: Use a Catalog of Recipes
For “slow” IT applications, it’s typical to spend up to 4.5 hours to provision each certificate manually. However, DevOps teams may need to deliver tens or even hundreds of certificates in a matter of seconds. It’s possible to create “recipes” – collections of automation driven through APIs – to orchestrate all the steps needed to use keys and certificates. Catalogs of recipes that work across development and orchestration environments are critical to making the provisioning of keys and certificates fast and easy and preserve cross-cloud compatibility and mobility.
Your DevOps teams should never have to choose between agility and security. By implementing controls and automation for keys and certificates you can keep DevOps moving at the speed of business without sacrificing security.
What do I need to know to manage DevOps?
DevOps can mean a lot of positive changes, but it’s fast-paced, agile-based methodology lends itself to at least one kind of corner-cutting. It’s regarding digital security in the form of digital signatures and certificate authorities.
Because developers aren’t necessarily experts in PKI, and because the process of acquiring digital certificates can sometimes be lengthy, developers will sometimes shortcut the process by spinning out their own certificate authorities and issuing self-signed digital certificates. These “test” certificates should, ideally, be replaced once the software gets pushed out to production, but that isn’t always the case. Often, these self-signed certificates are not stored securely which may leave DevOps certificates vulnerable to weak cryptographic security.
If you work outside the Dev team, the Ops team, or the InfoSec team, you may not have understood any of that, so here’s the CliffsNotes version: sometimes, in favor of ease and agility, developers leave security holes in the software they’re writing. The biggest problem is the possibility that hackers may steal your company’s digital “signature,” and pass malware off as software your team wrote. It’s a common problem, and one even non-techie administrators need to be aware of.
There is a solution to problems like this—it’s having a team of experts on hand that can quickly issue you secure digital certificates.
DevOps is a deep topic, and it’s difficult to parse (that’s a computer pun) for those of us who don’t think in binary. That doesn’t mean you can’t be an effective leader of those who will implement it, though, and with a little research, you can be a significant value add to the process by helping implement the changes.
TLS Machine Identity Management for Dummies
Machine Identity Security Summit 2024
Help us forge a new era of cybersecurity
☕ We're spilling all the machine identiTEA Oct. 1-3, but these insights are too valuable to just toss in the harbor! Browse the agenda and register now.