How to Take the Burden of Machine Identity Management Off the Backs of DevOps

The need for DevOps delivery is high, and the requirement that security be automated should not be underestimated.

By Kim Crawley · Apr. 19, 2019 · Opinion
When I moved into an apartment, I didn’t build scaffolding around the building to support a rope and pulley system to lift boxes of my furniture and belongings to the 19th floor. My stuff was put into an elevator with a dedicated shaft, supported by specifically designed mechanical infrastructure and a simple computer system. The latter way is much safer, more effective, and automated.

In my last post, I wrote about how many DevOps practitioners are still manually generating and managing their machine identities, especially TLS certificates. Think about all of the load balancers, servers, containers, virtual machines, and other network entities that are constantly launched and killed within a DevOps environment. They all need machine identities, yet some of those entities have lifespans of only a few hours.

The value of DevOps in maintaining a networked application for a business client is that it can respond quickly and dynamically to the client’s constantly changing functionality requirements. That agility grinds to a halt each time a human has to carefully configure, implement, and deploy a new certificate for a network entity. The cost of every manually generated certificate is cumulative: each one slows the whole DevOps workflow down and adds another opportunity for human error.

As I noted in my previous blog, manual certificate management not only slows DevOps down, it also makes it harder to implement best practices for encryption in applications. As mentioned in Learning From Data Breaches: Integrating Security in DevOps, some of the largest companies are still grappling with this challenge.

“On September 6, 2018, airline giant British Airways disclosed that the company had suffered a data breach that affected the personal and financial data of approximately 382,000 customers. A similar breach was reported by Ticketmaster in June of 2018, and this month marks the one-year anniversary of the Equifax data breach, wherein half of the US population was impacted. A common denominator of all these data breaches is the speed at which code was published.”

“Companies jump into the DevOps bandwagon with an assumption that automation is the sole driver for adoption. However, these data breaches are strong evidence that it takes a blend of automation, cultural change, and the integration of security processes throughout the development lifecycle to achieve effective layered security in such agile environments.”

And let’s not forget Equifax itself, where attackers moved through the network for more than two months without being noticed, in part because an expired certificate on a traffic-inspection device meant that encrypted traffic was passing through uninspected. Standardization coupled with automation is what keeps TLS inspection working, so that bad actors cannot hide in encrypted traffic for long periods. Properly automated machine identity management with centralized control makes that kind of full visibility possible, because the inspection device’s own certificate is tracked and renewed like any other.

As a member of the security team, you are likely looking to embed security into DevOps in an automated way. Your DevOps teams will love you for taking the burden of manual machine identity management off their backs: once the details are abstracted away, they no longer have to maintain cryptographic processes for their applications across every environment. Attackers will hate you, because an application whose certificates are issued, renewed, and retired consistently gives them far fewer expired, forgotten, or misconfigured identities to take advantage of.

The benefits of automated machine identity protection for DevOps reach farther than you may expect. Does your organization use DevOps tools like Kubernetes, HashiCorp Vault, and Terraform? Automated machine identity management can integrate with them rather than compete with them. Are you concerned about PCI DSS compliance? An automated solution, with a central inventory of every certificate and its issuance history, makes it far easier to demonstrate compliance to auditors. Does your client insist on constant application uptime? Expired certificates are a major cause of outages in DevOps-driven applications, and renewing them automatically, well before they expire, prevents those outages. If you need a lightweight certificate management solution for DevOps, you can have it.

Automated machine identity protection in DevOps makes life easier for IT security teams and developers. Clients benefit from more secure and more agile application development and maintenance. Auditors can more easily see that your certificates and the processes around them are standardized and compliant. Certificates belonging to entities that no longer exist can be found and removed instead of lingering as forgotten credentials. Application outages are prevented by automated certificate renewal. The only people who aren’t happy are cyber attackers. Well, too bad for them!
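The renewal and cleanup promised in the two paragraphs above come down to two checks run on a schedule against a certificate inventory: renew every certificate that has used up a set fraction of its lifetime, and remove every certificate whose entity no longer exists. The Go program below is an added example, not code from the original article or from Kubernetes, Vault, Terraform or any vendor product. It issues short-lived certificates from a throwaway self-signed CA and runs both checks over a constructed inventory of two entities. The entity names, the four-hour lifetime and the renew-at-two-thirds policy are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is one inventory entry: the entity (load balancer, container, VM)
// a certificate was issued to, and the leaf certificate itself.
type Identity struct {
	Entity string
	Cert   *x509.Certificate
}

// newCA builds a throwaway self-signed issuing CA for this example only.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-devops-issuing-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue signs a short-lived leaf for entity, valid for ttl from now; a short
// lifetime limits the damage from a leaked key and makes renewal the normal path.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, entity string, now time.Time, ttl time.Duration) (Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Identity{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // unpredictable serial
	if err != nil {
		return Identity{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // never zero
		Subject:      pkix.Name{CommonName: entity},
		DNSNames:     []string{entity},
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return Identity{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return Identity{Entity: entity, Cert: cert}, err
}

// needsRenewal reports whether the cert has consumed renewAt (e.g. 2/3) of its
// lifetime; renewing well before NotAfter is what prevents expiry outages.
func needsRenewal(c *x509.Certificate, now time.Time, renewAt float64) bool {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	return float64(now.Sub(c.NotBefore)) >= renewAt*float64(lifetime)
}

// reconcile compares the inventory with the entities that still exist: certs of
// torn-down entities are removed (revoked and deleted), live ones renewed on schedule.
func reconcile(inv []Identity, live map[string]bool, now time.Time, renewAt float64) (renew, remove []string) {
	for _, id := range inv {
		if !live[id.Entity] {
			remove = append(remove, id.Entity)
			continue
		}
		if needsRenewal(id.Cert, now, renewAt) {
			renew = append(renew, id.Entity)
		}
	}
	return renew, remove
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	t0 := time.Now()
	web, _ := issue(ca, caKey, "web-7f3a.svc.example", t0, 4*time.Hour) // constructed entities
	job, _ := issue(ca, caKey, "job-1c09.svc.example", t0, 4*time.Hour)
	// Three hours later: web is still running, job was killed after its run.
	renew, remove := reconcile([]Identity{web, job}, map[string]bool{web.Entity: true}, t0.Add(3*time.Hour), 2.0/3.0)
	fmt.Println("renew:", renew, "remove:", remove)
}
```

Keying the inventory by entity is what makes the sweep for certificates of dead entities trivial. In a real pipeline the `live` set would come from the orchestrator (the current pods, instances or load balancers), `issue` would call an internal CA such as Vault’s PKI engine instead of the throwaway CA here, and the `remove` list would drive revocation as well as deletion, since the private key of a torn-down entity may still exist on a disk image somewhere.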

Published at DZone with permission of Kim Crawley, DZone MVB. See the original article here.
