Today, speed and security rule the world of enterprise technology. Unfortunately, the two are often at odds. But in a world where no organization can afford to sacrifice either one, we must find a solution that satisfies both.
The Need for Speed in Highly Competitive, Innovative Markets
From finance and healthcare to retail and manufacturing, the level of competition is higher than ever. And this competition is fueled in large part by innovations in technology that create better business processes and customer experiences.
Those who cannot keep up with the pace of innovation are unlikely to succeed. As a result, most enterprise engineering teams have embraced new technologies, such as cloud and containers, and new development methodologies, such as DevOps, Agile and Continuous Integration/Continuous Delivery (CI/CD), to help them deliver more, faster.
Heightening Security to Maintain Trust in a Connected, Digital-First World
The high levels of innovation — and the speed at which those advancements now come to market — have created a highly connected, digital-first world. While these advancements have allowed us to do more, faster and created better experiences, they also increase security vulnerabilities.
Each digital connection poses a security risk that enterprises must protect against. Failure to do so can result in a loss of trust, which leads to lost customers and can prove nearly impossible for a business to recover from. This situation puts enormous pressure on enterprise security teams to exercise tight controls.
Delivering on Speed and Security Simultaneously
As engineering and development teams continue to move faster to deliver innovative new products to market and stay ahead of the competition, it becomes extremely difficult for security teams to keep up. And in many cases, security teams have already fallen behind — whether or not they know it yet.
This situation is not sustainable, though, and the time to find a solution is now. This eBook will explore exactly how we got here, the gaps between DevOps and security that exist today, how to bridge those gaps and the benefits that come from doing so.
How We Got Here
Speed and Security in the Digital Enterprise
Over the past decade, we’ve heard a lot about digital transformation in the enterprise. Now, we’re seeing the results of those transformations, with the realization of a digital-first world.
As with any change, the move to digital has brought with it a new set of challenges, and one of the biggest challenges that enterprises face today is maintaining the necessary level of security alongside the ever-increasing speed and diversity of development processes.
Today’s Development Teams Deliver Fast
In terms of speed, many enterprises now have highly experienced development teams that are responsible for delivering new (and updated) applications to market. These teams face pressure to build, package and deliver applications quickly. For example, whereas enterprises once shipped a major new version of their software, with big changes in each version, every 1-2 years, they now release smaller updates every several weeks.
Modern Development Teams Have Embraced:
Cloud and Containers
Ensure technology can run anywhere: Solutions like AWS, Microsoft Azure, Kubernetes and service mesh tools provide the access, flexibility and redundancy to ensure applications can run anywhere and reduce downtime.
DevOps and Agile
Stay nimble and deliver fast: Development methodologies like DevOps and Agile change the way engineering teams work by creating a continuous feedback loop that allows them to respond to changing requirements faster and deliver new features more quickly, rather than all at once.
Continuous Integration/Continuous Delivery (CI/CD)
Automate everything: Continuous Integration (CI) calls for a consistent, automated approach to building, packaging and testing applications, while Continuous Delivery (CD) automates the delivery of applications to infrastructure environments. Both help bring new technology to market faster.
Today’s Security Teams Must Keep Up
Security has always been and will continue to be of utmost importance. After all, no one will use a technology that compromises important information or is prone to hacking. But how do you embed security into highly connected and dispersed platforms that are built and deployed in a fast-moving environment?
That’s exactly the challenge facing modern security teams. New points of connection across infrastructure mean more vulnerabilities that require security controls, as does the use of more open-source and cloud-native toolsets within the development process. This growth alone would be challenging, but when you pair it with the fast pace at which development teams move, securing every single point becomes nearly impossible with the tools security teams have at their disposal.
Secrets management tools like HashiCorp Vault allow developers to securely store and access passwords, tokens, API keys and other credentials required for their day-to-day operations. In some cases, they can also act as a certificate authority (CA) to give developers quick access to digital certificates used in provisioning and signing processes. The problem is that security teams often lack visibility into, and control over, these built-in CAs, which operate outside the enterprise public key infrastructure (PKI) the security team owns and operates. An increasing gap exists between the tools and policies used by developers and those used by security teams.
PKI Enables Trust, But Volume and Velocity Explode in the Cloud
Public key infrastructure governs the issuance of digital certificates to protect sensitive data, authenticate users, devices and applications, and secure end-to-end communications. It started out with a few limited use cases, such as issuing digital certificates to secure websites and to allow devices to connect to VPN or Wi-Fi networks. These limited use cases made it easy for security teams to manage PKI against set policies, including issuing, tracking and monitoring certificates. Today’s highly connected, digital world has changed this.
In the past decade, we’ve moved from a static, perimeter-centric view of security to a dynamic, identity-based approach, and this shift has disrupted the way we use PKI. Cloud-native applications built around microservices have replaced static, monolithic applications and increased the volume and velocity of digital certificates required by enterprise PKI. Specifically, we not only have more devices and applications now, but the makeup of each one is more complex, which has increased the need for secure machine-to-machine communications. Meanwhile, the fast pace at which DevOps teams build new solutions and update applications has also increased the velocity at which these certificates need to be issued.
Along the way, many security teams have lost control over all of the certificates in play. This has happened as DevOps teams gain the ability to issue their own certificates through open-source tools or built-in CAs like Let’s Encrypt, AWS, Microsoft Azure, Kubernetes and HashiCorp Vault. And when DevOps teams issue their own certificates, many of which security teams don’t even know about, it becomes nearly impossible for security leaders to manage those certificates throughout their lifecycle and enforce policies consistently.
Where We Stand Now
Understanding the Gaps Between DevOps and Security Teams
The speed of today’s DevOps teams and the complexity of the solutions they build has led to rapid growth in the velocity and volume of digital certificates required. And as the use of digital certificates has exploded in most organizations, it’s added a lot of complexity to how we think about enterprise PKI. But for the most part, security teams are still operating under older models of PKI where manual ticketing and request processes stand in the way of developer productivity.
DevOps teams need to move fast, and many aren’t all that concerned about where certificates are issued from or what policies they comply with, so long as developers have what they need to keep moving forward at speed. Faced with this primary concern, many DevOps teams have started to issue their own digital certificates, creating numerous blind spots for their security counterparts and leaving their solutions open to risk. Consider how this plays out. DevOps teams…
- Want to avoid time-consuming, manual certificate request processes
- So they issue their own certificates through unauthorized or “DIY” certificate authorities that are often built into DevOps and cloud tools
- Which leads to many non-compliant (and sometimes self-signed) certificates, as well as a failure to properly track certificates and their expiration dates
This leads to security teams…
- Having limited visibility into the certificates that get issued
- Losing control over the PKI and struggling to enforce consistent enterprise policies
- Constantly chasing down non-compliant certificates
- Having no clear accountability when something goes wrong, such as an expired certificate that breaks functionality within an application
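The blind spots in this list (certificates issued from built-in CAs the security team never approved, self-signed certificates, and expirations nobody tracks) are exactly what a certificate inventory audit surfaces. The Go program below is an added example written for this page; it is not code from the eBook or from any vendor or project it mentions. Using only Go's standard crypto/x509 package, it constructs a sample inventory (a hypothetical "Enterprise Root CA", a hypothetical "DIY Pipeline CA" standing in for a CA built into a DevOps or cloud tool, and four leaf certificates with made-up example.internal names) and reports every certificate that is self-signed, chains to a CA outside the approved list, or is expired or expiring inside the warning window. The approved-CA list, names, serial numbers and lifetimes are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditCertificates applies three policy checks to an inventory of parsed certificates and returns one
// "subject: issue" line per violation: self-signed leaf, issuer outside the approved CAs, expired or expiring.
func AuditCertificates(certs, approvedCAs []*x509.Certificate, now time.Time, warn time.Duration) []string {
	var findings []string
	for _, c := range certs {
		name := c.Subject.CommonName
		// Self-signed: issuer equals subject and the signature verifies under the cert's own key.
		selfSigned := bytes.Equal(c.RawSubject, c.RawIssuer) && c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
		trusted := selfSigned
		for _, ca := range approvedCAs {
			trusted = trusted || c.CheckSignatureFrom(ca) == nil
		}
		switch {
		case selfSigned && !c.IsCA:
			findings = append(findings, name+": self-signed leaf certificate")
		case !trusted:
			findings = append(findings, name+": issued by a CA outside the approved enterprise PKI")
		}
		switch {
		case c.NotAfter.Before(now):
			findings = append(findings, name+": expired")
		case c.NotAfter.Before(now.Add(warn)):
			findings = append(findings, fmt.Sprintf("%s: expires within %d days", name, int(warn.Hours()/24)))
		}
	}
	return findings
}

// must panics on error so the constructed sample data below stays compact.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal certificate template valid from a year ago until now+lifetime.
func template(serial int64, cn string, isCA bool, now time.Time, lifetime time.Duration) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-365 * 24 * time.Hour),
		NotAfter:              now.Add(lifetime),
		BasicConstraintsValid: isCA,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with signer and parses the result; parent == tmpl yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// SampleInventory returns a constructed inventory (not real certificates): four leaves plus the one
// approved enterprise CA. The hypothetical "DIY Pipeline CA" stands in for a CA built into a DevOps
// or cloud tool that the security team never approved.
func SampleInventory(now time.Time) (certs, approved []*x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	entKey, diyKey, leafKey := newKey(), newKey(), newKey()
	entTmpl := template(1, "Enterprise Root CA", true, now, 10*365*24*time.Hour)
	entCA := issue(entTmpl, entTmpl, entKey, entKey)
	diyTmpl := template(2, "DIY Pipeline CA", true, now, 10*365*24*time.Hour)
	diyCA := issue(diyTmpl, diyTmpl, diyKey, diyKey)
	selfTmpl := template(5, "legacy.example.internal", false, now, 5*24*time.Hour)
	certs = []*x509.Certificate{
		issue(template(3, "app.example.internal", false, now, 90*24*time.Hour), entCA, leafKey, entKey),     // compliant
		issue(template(4, "svc.dev.example.internal", false, now, 90*24*time.Hour), diyCA, leafKey, diyKey), // unapproved CA
		issue(selfTmpl, selfTmpl, leafKey, leafKey),                                                          // self-signed leaf, expires in 5 days
		issue(template(6, "old.example.internal", false, now, -time.Hour), entCA, leafKey, entKey),           // expired an hour ago
	}
	return certs, []*x509.Certificate{entCA}
}

func main() {
	now := time.Now()
	certs, approved := SampleInventory(now)
	fmt.Println(AuditCertificates(certs, approved, now, 30*24*time.Hour))
}
```

In a real deployment the inventory would come from scanning endpoints, secrets stores and cluster secrets rather than from SampleInventory, and the issuer check would walk full chains through intermediates (x509.Certificate.Verify against a CertPool of approved roots) instead of only direct issuers; the policy logic, and the three categories of finding, stay the same. The compliant app.example.internal certificate produces no output, which is the point: the audit is silent for certificates that follow the enterprise PKI and loud for the ones the security team would otherwise never see.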
As a result of situations like this, serious gaps exist between DevOps and security teams.
Download Full eBook
Download the full eBook below to uncover:
- The four major areas for concern caused by DevOps and security team gaps
- How to bridge the divide between DevOps and security
- Case Study: how DevOps and security teams collaborate successfully