Securing DevOps Environments Is Key, Public Key Infrastructure, to Be Precise
DevOps teams are by their nature dispersed
Beginning as something of a countercultural trend adopted by a few forward-thinking enterprises, DevOps has since moved into the mainstream as speed and automation have begun to play more prominent roles, writes Tim Callan, Senior Fellow at Sectigo.
According to Gartner, around 50% of enterprises today with a development function have applied DevOps in some capacity to their portfolio and now, with an ever-growing need for rapid software releases, organisations are showing an increased interest in DevOps practices and the widespread adoption of microservice architecture patterns. DevOps has changed the landscape of enterprise computing.
An architecture that is nearly synonymous with DevOps is microservices, or containers. Containerization offers significant agility advantages but adds a new set of security requirements. Each container in the DevOps cloud is its own entity, meaning all containers must require strong identity through Public Key Infrastructure (PKI) or the enterprise faces significant threats of data theft or business disruption. Mutual authentication of DevOps containers through TLS certificates ensures that all tasks in the DevOps cloud are legitimate approved portions of the enterprise’s workstreams, forestalling a number of potential attacks.
Code signing provides another critical security component to these environments. Code signing certificates allow digital signature of applications and software programs, verifying file sources and ensuring that signed code has not been tampered with. In this way, DevOps teams can rely on the promise that deployed code comes from a trusted source and remains genuine.
DevOps Teams are by their Nature Dispersed
However, DevOps teams don’t have the bandwidth to devote chunks of their time to certificate management, so they find themselves tasked with PKI management projects for their containers and deployed code. DevOps teams are by their nature dispersed, embedded in lines of business, and coming from a software development (rather than IT security) background. Therefore, this trend has suddenly forced a great many non-PKI experts to take the lead on mission-critical PKI projects.
Private PKI solutions can provide greater automation and discovery of certificates at enterprise scale, but without full understanding of PKI best practices, these “DIY PKI” implementations can add risk and eat up company resources. IT generalists are being put in a position where they have to select, configure and implement public key schemes without the opportunity to fully understand considerations like key size, encryption algorithms, certificate term length, and code deployment process.
How Can We Manage DevOps More Securely?
IT generalists in charge of implementing DevOps should look to automating the deployment and management of certificates for microservice environments. Partner with a PKI expert to help set up these automated systems using principles that are secure and compliant with major regulatory and industry requirements. An expert partner will also keep an eye on the evolution of digital encryption and PKI standards so that your systems can continue to stay current with best practices in security.