Source: securityboulevard.com
DevOps and Agile are all about making software cycles short and dynamic, empowering development teams to rapidly iterate, leveraging tools with fewer burdens and reliance on outside organizations. It’s the dev + ops combination that is so powerful. But what about security, specifically the identity of physical and virtual devices, containers and microservices? Digital certificates are a key asset in managing device identity, but traditional tools and processes may not fit the speed and dynamic nature of today’s cloud native software.
Our guest on this DevOps Chat is Sandra Chrust, Senior Product Marketing Manager at Venafi. Sandra shares with us lessons learned to more easily manage device identities in DevOps and Agile environments, leveraging tools that provide self-service portals, APIs and SDKs for automation. No more support tickets!
As usual, the streaming audio is immediately below, followed by the transcript of our conversation.
Transcript
Mitch Ashley: Hi, everyone, this is Mitch Ashley with DevOps.com, and you’re listening to another DevOps Chat podcast. Today, I’m pleased to be joined by Sandra Chrust, Senior Product Marketing Manager at Venafi. Our topic today is protecting machine identities. We’re talking about DevOps and security. So, Sandra, welcome to the DevOps Chat.
Sandra Chrust: Hey, thanks, Mitchell. Happy to be here.
Ashley: Glad to have you with us. Well, let’s start by having you introduce yourself, letting us know a little bit about what you do at Venafi, and what Venafi does.
Chrust: Sure. Well, as you said, my name is Sandra Chrust, and I actually started my career as a developer, long before DevOps and agile, actually. So, I am dating myself just a little bit, there. But I come from a tech background, and here at Venafi, as the Product Marketing Manager, I basically head up our go to market strategies for cloud and DevOps.
For those of you unfamiliar with Venafi, Venafi has actually been around for well over a decade, and we’re considered the leader in what we call machine identity protection. Our customers actually include the top banks and retailers, airlines, as well as the federal government. So, the customers that we work with are the most security conscious organizations in the world.
Ashley: Mm-hmm. Well, I think that’s a good place to go next. Those of us familiar with PKI probably know a lot about SSL certificates for servers and things like that, browsers, et cetera. But let’s jump into machine identities. What do you mean by that, why do they need to be protected, why is it different than maybe a web server or browser?
Chrust: For sure, yeah. Good question. So, what I’m gonna do is just give a quick intro to that and then I’ll dive into more details on how that relates to DevOps, since we’re DevOps focused, here.
So, you know, before I go into that, though, I did want to mention a quick thing—we did do a webinar last week on May 30th on DevOps.com called, “You Use the Same Certificate Process Across Your DevOps Tool Chain.” So, just wanted to mention that if anyone is listening and they wanna jump into looking at something a little bit more visual.
You know, when you think about machine identities, you really have to think about the fact that there really are actually two actors on any network. There are people and machines, of course. And we know that people rely on the usernames and passwords that we all know and love to access machines and applications and devices. Machines, they don’t use usernames and passwords, they’re using keys and certificates. So, that’s what we really mean here by machine identities, right, and to use that to authenticate and secure communications between machines. So, you know, when we think about machine identities, that’s really what we’re talking about.
Ashley: So, we’re thinking machine to machine communications, encryption, identifying, making sure you’re talking to, on an authenticated device that really is what it says it is—if it’s part of an application or part of an IT or service infrastructure like an airline may be providing as part of their service?
Chrust: When you think about machine identities, they’re really the backbone of the cyber world. You know, if you think back and go back to first principles, I think we can all agree on four things. One is that digital transformation is really creating our cyber world, and the cyber world runs on machines, right? And then the last two things are that machines have to have identities in order to communicate. So, therefore, those identities have to be protected.
And today, companies spend upwards of $8,000,000,000.00 in total on protecting human identity, but they’re spending very little actually protecting the machine identities that run the cyber world. And some really bad things can happen if you don’t protect machine identities, you know? If you think about it, machines are actually flying our airplanes, they’re controlling the self-driving cars that are being tested out on the roads. They’re trading our stocks.
So, there’s really a lot at stake when it comes to machine identities like TLS certificates and code signing certificates, things like SSH keys. So, you know, they’re really critical to ensuring applications are secure and there’s end to end encryption, basically, and security.
Ashley: So, if we peel apart this a little bit, because you have a really good point about digital transformation and DevOps, so many things happening in parallel. If you peel apart machine identity a little bit further, are you talking about virtualized machines, also? Are you getting into sort of containerized components or microservices and applications that need identity? How far do we go into this when we think about machine identity?
Chrust: Yeah, I think you’re spot on there. When I think about digital transformation, I really see this as being driven by three things, and what you’re mentioning is definitely a large component of that. Obviously, many companies are moving to the cloud, and using things like containers and virtual machines and serverless and things like that. And, you know, roughly three quarters of enterprises have a strategy that’s either hybrid or multi-cloud. So, cloud computing and all of that is one big piece of that.
And then the second one is, using that modern architecture that we just talked about, you know, when—so, basically, our organizations are trying to move applications from being monolithic applications to services, right, that are stateless, where developers are coding things to be API-centric using modern languages.
This really transforms—you know, when we focus on TLS certificates in this world, it really transforms the way that certificates have to be managed, from a push model where you’re pushing stuff to a server to a pull model where infrastructure that’s being instantiated as ephemeral is basically requesting a certificate so that it’s available that first minute the infrastructure is up and running. And then the third thing is DevOps, right, for high-performance IPs.
Ashley: Sounds like you’re talking about a much different world than we think of sort of a static infrastructure where TLS certificates, things that might be assigned to a visualized machine or a container or something that’s much more dynamic may not live for five years like a device normally would. It may be something that’s around for minutes, hours, or a few days.
Chrust: That’s absolutely correct. I mean, with digital transformation, we basically have machines being created by other ones, right? Infrastructure as code, if you think of that, the code itself being a machine, it’s creating all of these other machines, right? And so, what’s happening is, machine identity proliferation is really going at an alarming rate.
Ashley: Mm-hmm.
Chrust: And so, you know, it is, in this new world, the other thing to think about is, you know, you no longer have this static infrastructure that you’re referring to where you can just wall it off, right? You can just create that firewall and then put everything inside there and know that it’s protected.
Ashley: Right.
Chrust: In this new world, perimeter is gone, it’s—you know, you have to assume you have a zero-trust environment. So, certificates become even more important to be available and to protect everything across the entire application stack.
Ashley: I’m curious, as you work with customers, prospective customers—how many of them see this as the problem that they’re either dealing with today or is it something they’re working to and you’re having to help them understand what they’re moving towards and what the impact of that is?
Chrust: You know, that’s a really great question. I think that security teams are obviously outnumbered and today, they’re focusing on, even—they’re still trying to actually solve the old problems around certificates and present them with living infrastructure. And DevOps is sort of going off and—you know, they’re going off the reservation, so to speak, and doing whatever they need to to get certificates.
So, we’re actually trying to educate our customers about the risk of having these DevOps individuals, developers and operations teams kind of creating their own security infrastructure. So, I would say more progressive customers are realizing that it’s an issue, but we’re also having to educate to kind of wave that flag that says, “Hey, figure it out today so that in the future, the problem is under control,” and then you’re not trying to solve for a zillion variables versus just a single variable today. So yes, it depends, actually, on the customer.
Ashley: Do you think most security teams or security parts of the organization know this is happening within the DevOps world, or are they just coming to realize that and trying to grapple with what do they do about it?
Chrust: I think security—we have to give them credit, right? I think they understand it. But many security teams just don’t have a good solution in place. Apps at Venafi, for example, there isn’t anything really available out there that gives them the centralized level of control and the ability to offer a solution for a DevOps environment in an easy way. So, it’s really a lack of solutions that they don’t have that in their toolbox today. It’s just not available.
Ashley: Mm-hmm. Well, let’s go right there, then. What kind of guidance do you give security and DevOps teams when it comes to certificates?
Chrust: You know, I think that—well, first of all, I mean, let me talk just briefly about what we’re seeing people doing today.
Ashley: Okay.
Chrust: When we think about what’s happening today—and I kinda, I made the analogy of the DevOps folks are going off the reservation—really, what security and developers are doing today is, they’re really doing the best they can. What we’re seeing is that application development teams that leverage DevOps practices and tools, they’re creating their own security infrastructure. They’re essentially reinventing the wheel, right?
Ashley: Mm-hmm.
Chrust: Because security teams just don’t have a good solution. And then security teams, meanwhile, are kinda crossing their fingers that the auditors aren’t gonna peel that onion just yet. [Laughter] But that’s coming, right? That’s coming. Because the auditors are coming very soon.
So, when you think about what’s happening, there’s actually a lot of pain within the developers themselves and the operations team members themselves. They may not be verbalizing it, though. They may not be doing that, because they’re thinking, “Oh, we’ve got it under control, and we’re using solutions that are just at our disposal and we don’t have to ask security for any kind of support.”
Ashley: Mm-hmm.
Chrust: So, they think, “I’m gonna move faster if I just do it myself.” And so, yeah, so, one of the things that we’re seeing is that there are a lot of different methods that DevOps teams are employing today for getting certificates into these dynamic environments. And we might be using everything from OpenSSL on our local work stations to using something called HashiCorp Vault, which is a very popular tool out there. I don’t know if you’ve heard of it, but you can issue a subordinate CA or a self-line certificate and really suck in using HashiCorp Vault.
You know, there are issues with that, because there’s many instances of Vault oftentimes being used and there’s no unified policy and no visibility, right, across these things.
Ashley: Mm-hmm.
Chrust: So, then, you know, the other thing that we’re still hearing—which, you know, it makes sense—we’re still hearing that security teams are telling DevOps teams you need to submit a ticket to get a certificate. So, you know, these different ways—ticketing tools and using HashiCorp Vault, using LetsEncrypt—all of this is basically either slow or it’s automated but it doesn’t provide the visibility and there’s no policy enforcement.
Ashley: Mm-hmm.
Chrust: One thing I want to elaborate on there is that oftentimes organizations move their applications to the cloud—you know, like an AWS or an Azure, and let’s take, for example, AWS. They’re like, “Oh, this is great! It provides Amazon Certificate Manager. That’s gonna help me a ton, right?”
Ashley: [Laughter] Mm-hmm.
Chrust: [Laughter] But the thing is, the Amazon Certificate Manager is kind of like a shiny object, right? It’s meant to keep you there, and Amazon is a very smart company and—you know, I mean, I know how much I spend on Amazon Prime, so, I’m just gonna say, they’re pretty sticky.
Ashley: [Laughter] I’m there with you.
Chrust: Yeah. [Laughter] So, Amazon Certificate Manager actually provides us easy access to free certificates, right? But the challenge is that it only does a great job around native infrastructure, like an AWS Load Balancer, for example. And then everything else, right, that’s hosted in AWS, it doesn’t do anything for you in terms of automating certificate renewal.
And so, what we’re hearing is that companies are lifting their infrastructure and putting it in the cloud, they’re not getting these automated renewals happening, and so outages are still happening. So, that’s one issue.
Ashley: Mm-hmm.
Chrust: And then the other thing, too, is—you know, I spoke to this earlier. Many companies use more than one cloud provider.
Ashley: Absolutely.
Chrust: And so, what are we supposed to do at that point once you’re locked into the Amazon Certificate Manager? You’ve gotta re-code your application, right, to use an Azure or Google Compute platform.
So, anyway, so there’s a whole bunch of challenges there in addition to, you know, I heard one of our customers the other day say they had 2,500 AWS accounts and 1,500 Azure accounts.
Ashley: Wow. Wow.
Chrust: So, think about that for a moment, right?
Ashley: That’s a few. That’s a few.
Chrust: Yeah, just a few, and the thing is, there’s no centralized visibility, there’s no centralized policy control. And so, imagine if quantum computing comes along and the algorithms need to change or if there’s a policy change or who knows, what have you, right? You’re gonna have to change up a lot of different settings in many different AWS accounts.
So, there is just a complexity. [Laughter] There’s just kind of a mélange of issues that happen once you start doing something like that and then over time, you want to change your cloud strategy. So, you know, just to kind of paint a picture. And then the last thing is, developers love their toolchain tool, so they’re using things like Kubernetes secrets and Ansible vaults and, you know, CredHub, for example, from Pivotal.
So, you can see there’s a kind of complexity that’s being introduced into very complex environments. So, it’s really hard to manage today.
Ashley: Well, I think if you look at it as issuing certificates on a one by one basis, that’s where you fall into this trap of this PKI security certificates, all of that need to be managed as an architecture, as a design with its own processes and management of it just like you would source code or continuous improvement or whatever it might be. So, I gotta imagine Venafi does something to help with this. What can you do?
Chrust: That’s a great point. I mean, when you think about best practices around using open source, right? They say you should use open source and have an inventory of everything, like a bill of materials of what’s in your code. When you think about certificates today, it’s really an ad hoc solution, right? It’s almost like they’re piecing together a bunch of open source stuff and [Cross talk] centralized control. Yeah, exactly.
So, you know, when it comes to Venafi, what we’re really excited about is that the world is finally waking up to and realizing that there’s an issue relative to certificates in DevOps environments and beyond. And one thing I wanted just to highlight before I go into what Venafi does is that there is no guidance from the National Institute of Standards and Technology, NIST. And the guidance is NIST 1800-16, volume B, and there’s like four volumes, anyway. But it’s talking about several different things, and one of them is, because it’s a new guidance that’s come out—it came out the end of last year—it’s still in draft form because of the government shutdown, as we recall earlier this year. But this guidance actually provides 50 pages of really good information for organizations that are looking to resolve these issues right around certifications.
And it addresses DevOps directly. Like, the word DevOps actually shows up in this guidance, which is really nice to see, and it talks about how certificate owners are changing, right, so now, it’s not like Charlie who’s managing the .DNL server, it’s infrastructure as code creating a whole bunch of different stuff every single minute.
Ashley: Mm-hmm.
Chrust: And then there’s actually an “ah ha” moment when you read about what’s in the NIST guidance where it talks about setting up a certificate service. And what it does is, it really discusses that the PKI team or the security team should establish a certificate service because it’s the most effective and efficient approach to solving this problem, and that includes providing a technology based solution that provides automation and also supports effectively managing certificates over time.
Ashley: So, we’re coming up on close to the end of our podcast time. I wanna make sure you get a chance. I kinda feel like you’re leading us up to what Venafi can do to help you establish that certificate service.
Chrust: For sure, yeah. So, what Venafi has is a machine identity protection platform that really helps to centralize control and also provides a single pane of glass to all certificates.
Ashley: Mm-hmm.
Chrust: And, you know, if you think about the core platform, it allows security teams to get centralized access to inventory so they know every certificate that’s being used, it allows them to set up policy, they get reports for audit and compliance checks and then we have self-service capabilities that can be offered to DevOps teams.
So, specifically around that, we—obviously, our platform is API enabled. So, we have a well-documented REST API and what we call a VCert, like Venafi Cert, utility that’s available for a command line and also, there’s an SDK, so that you can incorporate it into applications and tools that are in Go and Python and Java and other modern languages—well, Java not so much.
So, Venafi really is just a management layer and we’re not actually serving as a CA. So, I just wanna make sure that’s clear, that we’re not a certificate authority.
Ashley: Okay, thatâs a good clarification.
Chrust: Yeah. We’re linked to every major certificate authority and we have adapters that you can basically hook into any CI that you wanna use.
Ashley: Mm-hmm.
Chrust: So, for DevOps, we have integrations, obviously, for the native toolchain as well so that you can hook Venafi into, for example, Kubernetes. We, JetStack is a Cert Manager that is an open source utility that we are integrated with. So, with that, you can incorporate any certificate from any CA, and also automatically renew those certificates within your Kubernetes clusters. So, that’s really valuable.
Ashley: Well, I think you’ve said a lot of important things and I think a couple of things that will definitely stand out to our DevOps listeners is self-service, APIs, SDK, et cetera, so they don’t feel like they have to go open a ticket for every time they need something, that this can fit into the DevOps and the agile workflows, so that’s awesome.
Chrust: It’s really awesome, because once our solution is in place, DevOps team can just run and continue to move at high speed. And then if there’s a PKI event or something that needs to be changed, it doesn’t impact them any more.
Ashley: So, I appreciate, Sandra, you joining us today. You’ve been a part of another DevOps Chat podcast, and it seems like time’s flown by again. I’d like to thank Sandra Chrust, Senior Product Marketing Manager at Venafi, for joining us, and to thank you—you, our listeners—for joining us, also. This is Mitch Ashley with DevOps.com. You’ve listened to another DevOps Chat.