Jun 4, 2020 12:16:48 PM

How DevOps & InfoSec Can Join Forces to Stop Certificate Outages

For all the gaps that exist between DevOps and security teams as enterprises try to balance speed of development and security simultaneously, there’s one thing that can bring these two teams together: the fight to stop disruptive and costly outages. 

Outages to applications create headaches for DevOps and security teams alike, and joining forces to stop this shared enemy might be just the thing to help these teams collaborate better. 

Why Outages Affect Both DevOps & Security 

There are a lot of reasons why outages might occur, but one of the most common causes of outages is expired X.509 certificates -- which affects both DevOps and security. 

Most enterprises today use Public Key Infrastructure (PKI) to manage digital security. PKI governs the issuance of X.509 certificates to protect sensitive data, authenticate users, devices and applications and secure end-to-end communications. This approach has become increasingly important in today’s highly connected, fast-paced DevOps environments where cloud-native applications and tool sets now require numerous points of connection, each of which requires an X.509 certificate for authentication. 

In short, certificate management in DevOps is hard. The complexity of today’s applications has increased the need for secure machine-to-machine communications, while the fast pace at which DevOps teams build new solutions and update applications has also increased the velocity at which these certificates need to be issued.  

As the volume and velocity of X.509 certificates in the enterprise has increased, many security teams have lost control. This happens as a result of developers issuing their own certificates through open-source tools or built-in CAs like Let’s Encrypt, AWS, Microsoft Azure, Kubernetes and HashiCorp Vault, often without the knowledge of their security teams.  

Ultimately, this situation of DevOps teams introducing shadow processes for issuing X.509 certificates has made it nearly impossible for security leaders to track and manage those certificates throughout their lifecycle. And when the security team lacks certificate management in DevOps, such as discovery and renewal of certificates before they expire, outages are likely to occur. 

5 Steps DevOps & Security Teams Can Take to Prevent Outages 

The situation of developers and operations teams circumventing security and issuing their own certificates has created enormous problems around visibility and certificate management in DevOps that make outages more common. 

Fortunately, there is a way for DevOps and security teams to partner to not only maintain the necessary speed for development processes, but also give security the visibility and control they need to provide best-in-class certificate management in DevOps and avoid outages as a result. 

The solution starts with five key steps: 

 

1) Increase visibility for security teams 

Security teams need a solution that can provide complete visibility into all certificates within the organization in the form of a real-time view that shows details about where certificates live, who issued them and when they expire.  

Achieving this end-to-end visibility requires direct integrations to both the CAs that issue the certificates and the end-devices and applications that consume them. This visibility is essential for giving security teams the insight they need to proactively avoid issues with misconfigured or expired certificates and prevent outages as a result. 

 

2) Introduce self-service options for developers 

Introducing a fast, simple self-service model to request certificate that fits into the diverse toolsets developers use today makes the process of getting new certificates easy and accessible for DevOps teams. Importantly, certificate management in DevOps that provides APIs and interfaces for quick, easy certificate enrollment and can plug into the back-end of solutions that developers already use, like HashiCorp Vault, Kubernetes and AWS, also provides visibility and control for security teams. This means the front-end experience for developers appears the same as the shadow processes they’ve adopted, but the back-end is governed by the security team’s certificate management tool to ensure compliance and provide full visibility into certificates. 

 

3) Automate certificate management in DevOps 

Automating the end-to-end lifecycle of certificate-related tasks provides enormous benefits. Specifically, it ensures that handling any certificate-related DevOps needs requires minimal to no effort, so as not to slow down developers as they work against tight timelines and therefore protect against DevOps teams creating shadow processes that security can’t track.  

Meanwhile, it also helps avoid issues like outages by streamlining security processes to make best practice certificate lifecycle management across hundreds of thousands of certificates far easier and more efficient. End-to-end automation means everything from request intake to issuance, renewal, provisioning and revocation. 

 

4) Give security teams tighter policy control 

Giving security teams visibility into all certificates, automating certificate management and ensuring DevOps teams use certificates issued through the appropriate channels, paves the way for tighter policy control. In turn, it allows security teams to enforce consistent policy and governance across all CAs and tools throughout the organization and more effectively monitor and report on certificates to manage, revoke and reissue as needed. This type of policy control ensures that accountability sits with the security team, which is important for driving proactive protection against issues and understanding responsibilities if issues like outages do occur. 

 

5) Improve scalability to move at the necessary speed 

Finally, certificate management in DevOps must be scalable to move as fast as necessary, which in some cases, can mean issuing and renewing thousands of certificates per second. This level of scale and speed are critical to ensuring DevOps teams consistently follow procedure and issue compliant certificates every time, rather than falling back to non-compliant alternatives. 

One of the most important capabilities for delivering this scalability, particularly when it comes to avoiding outages, is the ability to rapidly scale PKI infrastructure and certificate management processesAutomation helps increase speed (with accuracy) and makes it easier for security teams to monitor and manage hundreds of thousands of certificates. However, you must also ensure that the backend CAs and revocation infrastructure can handle increasing velocity and volume of certificatesIt may be time to re-think the way you build and maintain your PKI to ensure that it keeps pace with DevOps and enterprise requirements. 

 

Can a Common Enemy Bring Together Your DevOps & Security Teams? 

Outages occur far more often than they should, especially given how preventable many of them are. However, stopping most of these outages from occurring requires DevOps and security teams to collaborate to increase security’s visibility into X.509 certificates and allow for better certificate management in DevOps. In a world where the two teams are often at odds, collaboration sounds like a tall order, but it is possible. And when it does happen, the benefits -- from preventing outages and beyond -- are undeniable. 

Ready to find out more about what it takes to help DevOps and security join forces? Click below to download the eBook Security at the Speed of DevOps: How Security & DevOps Can Collaborate to Mitigate Risk:

DOWNLOAD EBOOK

Comments