The digital world is changing the way businesses work with their customers, partners, and employees. This digital transformation leverages DevOps speed, agility, and innovation to capitalize on market opportunities and create competitive differentiation in the application economy. However, information security has been notably absent from the DevOps movement because security is viewed as hindering speed of delivery. But speed doesn’t have to compromise security.
Business benefits of DevOps
There are clear benefits to leveraging DevOps for the enterprise:
- Faster response times address market changes or customer requirements more quickly. Companies that have embraced a DevOps methodology increased their speed to market by 20%.
- Increased customer satisfaction is achieved through frequent product updates based on continuous feedback from users.
- Better operational efficiency due to automation has resulted in more than 60% of organizations adopting DevOps approaches.
Why security is often lacking in DevOps
So why is it so hard to implement good security practices like encryption for DevOps? The primary reason is acquisition of keys and certificates in a DevOps environment takes too long and results in bottlenecks—so DevOps teams often avoid using encryption unless it’s critical. And, when they have to include encryption, the DevOps teams do it themselves without giving IT security team’s visibility or control.
How to eliminate the security risks introduced by DevOps
Nearly 80% of CIOs are concerned that DevOps makes it more difficult to know what’s trusted and what’s not. Let’s review how the lack of visibility or control of keys and certificates can negate the benefits of DevOps and how to address these issues to get the most out of your DevOps efforts:
- Automate security to support Fast IT
Faster response time to market changes may help increase the bottom-line, but 25% of app costs are wasted, including resources spent on manually acquiring keys and certificates. This is valuable time wasted that directly impacts project delivery schedules.
Recommendation: Implement procedures to automate the creation and distribution of encryption keys and certificates throughout the build process so that DevOps teams don’t have to do it themselves. By doing so, IT security will be able to align with Fast IT practices while decreasing the number of vulnerabilities potentially introduced via manual processes.
- Get visibility into keys and certificates to ensure service availability and customer confidence
Customer satisfaction is an ongoing endeavor; one service outage and your customer satisfaction rating can plummet. Failure to track expiration dates for certificates used for HTTPS services can result in an average downtime cost of up to $1 million per hour.
DevOps teams are not PKI experts, nor should they be. However, in most cases, DevOps teams acquire and install certificates themselves and IT security teams don’t know about the certificates to track them.
Recommendation: Make sure you are able to discover where all application certificates are being used and bring them under IT security control. Then you can apply policies to certificates and track expiration dates to avoid service outages and maintain customer confidence.
- Integrate key and certificate provisioning with DevOps builds
The improvement of operational efficiency is a primary driver for DevOps. For legacy IT practices, it’s acceptable to spend 4.5 hours to provision each certificate manually. However, for New IT and DevOps teams, relying on a UI to acquire and install keys and certificates simply takes too long. They need to be able to integrate provisioning of keys and certificates as part of the automated build process to deliver thousands of certificates in a matter of seconds—nothing less will suffice.
Recommendation: DevOps teams are accustomed to using APIs. Make use of recipes that utilize APIs to fully automate the process of provisioning keys and certificates.
By implementing these recommendations, you gain the advantage of faster project completion time without compromising security. By implementing controls and automation for keys and certificates you can remain secure while keeping DevOps moving at the speed of business.
How does your DevOps team provision keys and certificates? Is this process slowing down your DevOps delivery or leaving services insecure? Please share your challenges and solutions.