The DevOps Evolution: What It Means for PKI

This blog is co-written with Robert Masterson from Thales

“Doing DevOps” does not happen overnight – there are stops and starts, wrong turns, and incremental improvements along the way – but there’s no doubt DevOps is making an impact on the way we build and deliver applications, and the tools we use to do that. It’s also changing the way we need to think about security, which often falls behind our push toward more productivity and faster delivery.

To put things in perspective, Gartner predicts that by 2022, more than 75% of global organizations will be running containerized applications in production, a significant increase from fewer than 30% today. While DevOps isn’t defined by technology, it’s certainly driven an increase in the number of tools that we can use to support the transition to continuous integration and continuous delivery (CI/CD) – from container orchestration platforms to collaboration tools. Not to mention the variety of programming languages and multi-cloud configurations.

Our question is, where does security fit in? Over the past year, we’ve attended countless conferences and presentations introducing new DevOps tools, but rarely do we ever hear about security – particularly when it comes to cryptographic keys and digital certificates. Despite the critical importance of keys and certificates in code signing, encryption, and authentication across the DevOps environment, security teams often have next to no visibility or control over them.

Most organizations struggle with enforcing consistent security and governance around DevOps processes – but should we really be surprised? Security teams may be tasked with mitigating risk, but good security practices will almost always come second to feature delivery in the eyes of developers. Without the right tools at their disposal, security teams struggle to match the level of automation and flexibility that developers need to willingly embrace good security practices.

Most DevOps teams still operate within a silo that enables them to run on the infrastructure and tools they prefer, while staying at arm’s length from corporate IT and security policies. They avoid guardrails that security teams put in place, and instead of embracing these policies, they opt for non-compliant alternatives. Manual and ticket-based processes to install certificates take time that developers don’t have, so they use homegrown scripts and unauthorized or insecure PKI sources instead.

Cloud services, open-source tools, and orchestration platforms with built-in capabilities make it easier for developers to get certificates when and where they need to, but this introduces security and compliance risks as certificates often go untracked or unmanaged. Infosec groups tasked with getting it right often find it near impossible to prevent unknown or non-compliant certificates from causing disruptive outages and security gaps as a result.

Without the right platform to manage these certificates at scale, security teams are left shorthanded.

Keyfactor Command offers a single platform to enable DevOps teams with quick and easy access to keys and digital certificates, while security teams retain full visibility and control, enforce consistent policies, and ensure that certificates only come from trusted public and internal CAs.

The platform also integrates with tools throughout your CI/CD pipeline like Docker, Jenkins, and HashiCorp Vault (among others) to provide a single trusted source for certificates. Direct integrations via REST API or ACME can make processes entirely transparent and automated as well. That way, developers don’t have to leave their workflow to procure and install certificates. This alleviates manual, time-consuming security processes that DevOps teams previously avoided.

Better yet, enterprises can run all of this on top of our complete PKI as-a-Service offering – a purpose-built and dedicated PKI – hosted in the cloud. Our roots as a consulting service provide us with years of experience understanding how to build and run a proper PKI, which allows DevOps and security teams to focus on their core competencies, not spinning up and managing multiple internal CAs, or relying solely on free open-source tools that don’t often meet corporate IT and security policies.

Keyfactor continues to evolve its platform, including the recent introduction of support for the ACME protocol and HashiCorp Vault. These, along with an extensive portfolio of automation capabilities, APIs, and integrations, make it simple to embed much needed certificate management for DevOps teams. It facilities a streamlined lifecycle for digital certificates and signing across the entire pipeline – from development through continuous deployment and runtime.

Thales cloud-based HSM – known as Data Protection on Demand (DPoD) – and on-premises SafeNet Luna HSM provide a hardware root of trust for the Keyfactor platform. Our platform integrates natively with Thales HSMs to ensure that critical CA private keys and code signing keys are kept secure at all times. HSMs offer high-assurance, tamper-resistant storage to protect private keys from misuse or theft, as attackers increasingly target these assets to sign malicious code or impersonate trusted entities.

The DevOps journey can be a challenging one. Doing DevOps well means security must be integrated throughout the software development lifecycle, but of course, you’ll need the right tools to get there. When it comes to PKI, Keyfactor and Thales have partnered to ensure that both DevOps and security teams can achieve mutual goals through integrated security, policy enforcement, and automation. We enable them to move fast and stay ahead of their competition, without sacrificing security.

Discover how certificate lifecycle automation can help you achieve DevOps and security goals. Download the DevOps.com eBook: