Jun 15, 2020 12:14:40 PM

Crossing the Aisle: How InfoSec Teams Can Stop Driving Engineering Crazy

No one is denying the need for high levels of security in today’s enterprise. Security has been a top priority for a long time and will continue to remain one for the foreseeable future. 

But now there’s a new top priority that must sit alongside security -- and that’s speed. 


The New Enterprise Priority: Speed to Market 

Increasing the speed of development might not sound anywhere near as important as security to InfoSec teams, but in today’s fast-paced, innovative market, speed is essential to success.  

Beyond the enormous first-to-market advantage, consumers of technology (whether it’s B2C or B2B technology) expect regular, speedy updates to keep up with their insatiable appetite for innovation. And they’re willing to switch if they don’t get what they expect. 

This landscape has put incredible pressure on engineering teams to deliver more, faster. After years of transitioning to new development methodologies, such as DevOps and Continuous Integration/Continuous Delivery (CI/CD), and introducing new technology to meet this demand, engineering teams are finally well positioned to deliver at the necessary speed. Now, there’s only one problem: Security. 

 

InfoSec Teams Are Taking a Stand 

As engineering teams amassed the speed needed to deliver more, faster, a roadblock emerged in the form of security. There are plenty of friction points between developers and security teams, but one that comes up more often than not is the struggle to manage secrets and credentials, such as cryptographic keys and the X.509 certificates that bind those keys to an identity, in DevOps environments.

Most enterprises today run a Public Key Infrastructure (PKI) that issues X.509 certificates to authenticate TLS endpoints and protect data in transit, to sign code, and to identify end-users and services to applications. This means that much of what engineering teams build in DevOps and multi-cloud environments depends on X.509 certificates to authenticate and secure communications.

Unfortunately, most engineering teams have found that requesting an X.509 certificate from the PKI or InfoSec team, not to mention the follow-on management activities throughout that certificate's lifecycle (renewal, rotation, revocation), is a slow, manual process. In a world driven by speed, this doesn't work.

To avoid this slow-down, many engineering teams issue their own certificates through familiar tools like AWS Certificate Manager, Azure Key Vault, Kubernetes and HashiCorp Vault. These are powerful tools that can be used to improve security, but in many cases they are used in a way that circumvents security policy and creates gaps in visibility: certificates get issued from CAs the enterprise PKI team neither controls nor knows about, with key parameters and lifetimes that nobody has checked against policy, so many of the resulting certificates don't meet enterprise security standards.

InfoSec teams focused on reducing risk often respond by putting processes in place that steer engineers into more controlled, but slower, manual certificate request pipelines. While these efforts are intended to rein in risk, they also significantly slow down engineering teams that have put a lot of work into speeding up their development processes. Now, the two teams are often at odds.

 

How InfoSec Teams Can Maintain Security Without Driving Engineering Crazy 

Despite the challenges that exist, there are steps InfoSec teams can take to satisfy the needs for both speed and security simultaneously -- and stop driving engineering teams crazy as a result. 

Instead of putting the brakes on everything engineering teams have done to amass the necessary speed, InfoSec teams should partner with their engineering counterparts to find a solution that works for both teams. To do so, InfoSec teams can take the following steps: 

 

  1. Understand the engineering perspective: To start, InfoSec teams need to understand the full scope of the current situation. That means recognizing that engineering teams need to move fast, and that many aren't all that concerned about where certificates are issued from or which policies they comply with, so long as they have what they need to keep moving at speed. In other words, engineering teams aren't deliberately circumventing security policy by issuing their own certificates; they're simply trying to maintain their speed of development.
  2. Identify the tools and processes engineering uses: Next, InfoSec teams should identify exactly how their engineering teams are issuing X.509 certificates in DevOps (assuming they're doing so on their own): which tools, which CAs, and at which points in the CI/CD pipeline. This step shows where security controls will need to fit so as not to disrupt everything the engineering team has built.
  3. Introduce back-end controls within existing self-service processes: The best way forward for InfoSec teams is to fit into the existing engineering architecture. That means introducing a PKI solution that plugs into engineering tools and processes on the front-end while providing the back-end controls required for security and visibility. Engineers continue with business as usual, issuing their own certificates on demand, while InfoSec dictates on the back-end which CAs those certificates are issued from and which standards they must meet (for example, key type and size, maximum lifetime, and allowed names), and gets centralized visibility into every certificate that is issued.
  4. Automate certificate management to avoid outages and slow-downs: Finally, InfoSec teams should use the same PKI solution to automate certificate management: discovery, inventory, renewal and revocation. Automation lets InfoSec manage hundreds of thousands of X.509 certificates in DevOps efficiently enough to keep up with the volume and velocity at which they are issued, so renewals happen before certificates expire and cause outages, and new certificates can be issued on demand without slowing anyone down.
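As an added illustration of what the back-end controls in steps 3 and 4 look like in code (this is example code written for this page, not part of the original post and not any vendor's product), the following Go program encodes an enterprise certificate policy and runs it over an inventory of certificates, whichever tool issued them. Go is used because several of the tools named above (Vault, Kubernetes) are Go projects and its standard library parses and verifies X.509 natively. Everything in it is constructed for the demo: the two CAs ("Corp Issuing CA" is the enterprise PKI, "Dev Team Vault CA" stands in for a CA a team spun up on its own), the three leaf certificates, and the policy limits (397-day maximum lifetime, 2048-bit RSA minimum, 30-day renewal window) are assumptions, not the page's figures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is the enterprise certificate policy to enforce on every certificate, whichever tool issued it.
type Policy struct {
	Roots       *x509.CertPool // the enterprise PKI; anything that does not chain here is shadow PKI
	MaxLifetime time.Duration  // cap on NotAfter - NotBefore
	MinRSABits  int            // weakest acceptable RSA key
	RenewWithin time.Duration  // flag certificates this close to expiry
}

// Check evaluates one certificate against the policy at time now; an empty result means compliant.
func (p Policy) Check(c *x509.Certificate, now time.Time) []string {
	var issues []string
	opts := x509.VerifyOptions{Roots: p.Roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := c.Verify(opts); err != nil {
		issues = append(issues, "not issued by the enterprise PKI: "+err.Error())
	}
	if life := c.NotAfter.Sub(c.NotBefore); life > p.MaxLifetime {
		issues = append(issues, fmt.Sprintf("lifetime %v exceeds policy maximum %v", life, p.MaxLifetime))
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < p.MinRSABits {
		issues = append(issues, fmt.Sprintf("RSA key is %d bits, policy minimum is %d", k.N.BitLen(), p.MinRSABits))
	}
	if left := c.NotAfter.Sub(now); left < p.RenewWithin {
		issues = append(issues, fmt.Sprintf("expires in %v; renew before it causes an outage", left.Round(time.Hour)))
	}
	return issues
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

var serial int64 // constructed serial numbers for the demo certificates
// newCert signs tmpl with the parent's key (self-signed when parent == tmpl) and parses the result.
func newCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// newCA builds a self-signed CA: the enterprise issuing CA, or one a team spun up on its own.
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(10 * 365 * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return newCert(tmpl, tmpl, &key.PublicKey, key), key
}

// issue signs a server certificate for name; lifetime and rsaBits are the knobs a self-service pipeline can get wrong.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, now time.Time, lifetime time.Duration, rsaBits int) *x509.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, rsaBits)
	must(err)
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return newCert(tmpl, ca, &key.PublicKey, caKey)
}

// Audit runs the policy over a constructed three-certificate inventory and returns findings keyed by subject CN.
func Audit() map[string][]string {
	now := time.Date(2020, 6, 15, 12, 0, 0, 0, time.UTC)
	corpCA, corpKey := newCA("Corp Issuing CA", now)
	devCA, devKey := newCA("Dev Team Vault CA", now) // never enrolled with InfoSec
	roots := x509.NewCertPool()
	roots.AddCert(corpCA)
	policy := Policy{Roots: roots, MaxLifetime: 397 * 24 * time.Hour, MinRSABits: 2048, RenewWithin: 30 * 24 * time.Hour}
	inventory := []*x509.Certificate{
		issue(corpCA, corpKey, "api.example.internal", now, 90*24*time.Hour, 2048),    // compliant
		issue(corpCA, corpKey, "legacy.example.internal", now, 20*24*time.Hour, 2048), // about to expire
		issue(devCA, devKey, "ci.example.internal", now, 3*365*24*time.Hour, 1024),    // shadow CA, too long, weak key
	}
	report := map[string][]string{}
	for _, c := range inventory {
		report[c.Subject.CommonName] = policy.Check(c, now)
	}
	return report
}

func main() { fmt.Println(Audit()) }
```

The same `Check` can sit in two places: as a gate in the self-service pipeline, where a certificate that fails is rejected before it ships, and as a periodic scan over everything discovered in production, where the expiry finding is the one that prevents outages. The trust pool is the control that turns "issued from anywhere" into "issued from the enterprise PKI" without taking the self-service tooling away from engineers.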

 

Speed and Security Can Coexist, and InfoSec Teams Should Lead the Way 

Although speed and security seem at odds in today’s enterprise, both are essential to success. Fortunately, InfoSec and engineering teams no longer have to battle it out to promote one priority over the other, as solutions now exist that can satisfy both needs. 

The way forward lies in introducing back-end controls for engineering tools and processes along with automated issuance of X.509 certificates in DevOps processes. Doing so provides the necessary oversight and visibility for InfoSec teams to maintain security without disrupting the architecture engineering teams have built to increase the speed of development. 

Critically, it’s up to InfoSec teams to lead the way by partnering with their engineering teams to have these conversations and introduce the necessary solutions. 

 
Ready to learn more about what it takes? Click here to download the eBook Security at the Speed of DevOps: How Security & DevOps Can Collaborate to Mitigate Risk