DevOps Teams Struggle with Cryptographic Security
May 09, 2017

Tim Bedard
Venafi

DevOps teams bring significant benefits to their organizations. From product efficiency to innovation, a mature DevOps program can be a competitive asset for enterprises. Unfortunately, DevOps teams, like many business programs, tend to believe innovation must come with a detriment to security. Security measures are often seen as obstacles that impact the agility that DevOps teams rely on.

Cryptographic assets, such as keys and certificates, are especially important to DevOps teams; however, their security is often lax. Cyber attackers can target DevOps teams' certificates and misuse them to create a tunnel that hides in an organization's encrypted traffic. These kinds of attacks are on the rise; for example, a recent report from A10 Networks revealed that 41% of cyber attacks used encryption to evade detection.

So, how are DevOps teams handling cryptographic security risks? Venafi recently conducted a study that analyzed the cryptographic security controls used by DevOps teams. The study polled over 430 IT professionals who are responsible for the cryptographic assets of their company's DevOps programs. Unfortunately, the study revealed that most DevOps teams do not consistently implement basic certificate security.

On a positive note, most DevOps teams indicate that they understand the risks associated with TLS/SSL keys and certificates. However, they clearly are not translating this awareness into meaningful protection. This kind of inaction may leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.

These issues were especially acute among organizations that were just beginning to adopt DevOps practices. However, even organizations that said their DevOps programs were mature often enforced only the most basic security procedures designed to protect cryptographic keys and digital certificates.

Interesting highlights from our survey included:

■ The vast majority (82%) of respondents from organizations with mature DevOps practices say corporate key and certificate policies are enforced consistently. In organizations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.

■ In mature DevOps organizations, almost two-thirds (62%) of DevOps teams consistently replace development and test certificates with production certificates when code rolls into production. In organizations that are adopting DevOps practices, only a bit over one-third (36%) follow this critical best practice. If certificates are not changed, there is no automated way to distinguish between the identities of trusted machines that are safe to place in production and untested machines that should remain in development.

■ 89% of respondents with mature DevOps practices say their DevOps teams are aware of the security controls necessary to protect their organizations from attacks that leverage compromised keys and certificates; in organizations adopting DevOps only 56% believe their teams are aware of these controls.

■ 80% of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates. Self-signed certificates can be issued quickly; however, because nothing outside the machine itself vouches for the identity, they make it difficult to uniquely identify the machines that can be trusted.

■ Key reuse is a widespread problem: 68% of mature DevOps respondents and 79% of adopting respondents say they allow key re-use. While key re-use saves development time, if a cyber criminal gains access to one key, they also gain access to every other environment or application where that key is used.
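
The three failures the survey calls out (self-signed certificates, development or test certificates carried into production, and one key shared by several certificates) can all be found mechanically from the certificate inventory itself. The following Go program is an added example, not code from the article or from Venafi: it builds a small constructed inventory in memory (the CA names, hostnames and keys are invented for illustration) and audits it with the standard library's crypto/x509 package. A self-signed leaf is one whose issuer DN equals its subject DN and whose signature verifies under its own public key; a leftover test certificate is detected by issuer CN against an assumed list of dev/test CAs; key reuse is detected by hashing each certificate's SubjectPublicKeyInfo and looking for collisions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// Finding is one policy violation in a certificate inventory.
type Finding struct {
	Subject string // CommonName(s) of the affected certificate(s)
	Issue   string
}

// AuditCerts applies three checks to a set of leaf certificates:
//   - self-signed leaves (issuer DN equals subject DN and the signature
//     verifies under the certificate's own public key),
//   - leaves still issued by a development/test CA (matched by issuer CN
//     against the caller-supplied devIssuers set, an assumed policy input),
//   - the same public key (SPKI) reused across more than one certificate.
// Trust-anchor roots are legitimately self-signed, so CA certs are skipped.
func AuditCerts(certs []*x509.Certificate, devIssuers map[string]bool) []Finding {
	var findings []Finding
	byKey := map[string][]string{} // SPKI fingerprint -> subject CNs
	for _, c := range certs {
		if c.IsCA {
			continue
		}
		cn := c.Subject.CommonName
		selfSigned := bytes.Equal(c.RawIssuer, c.RawSubject) &&
			c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
		if selfSigned {
			findings = append(findings, Finding{cn, "self-signed"})
		}
		if devIssuers[c.Issuer.CommonName] {
			findings = append(findings, Finding{cn, "issued by dev/test CA: " + c.Issuer.CommonName})
		}
		sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
		fp := hex.EncodeToString(sum[:8])
		byKey[fp] = append(byKey[fp], cn)
	}
	fps := make([]string, 0, len(byKey))
	for fp := range byKey {
		fps = append(fps, fp)
	}
	sort.Strings(fps) // deterministic report order
	for _, fp := range fps {
		if names := byKey[fp]; len(names) > 1 {
			findings = append(findings, Finding{strings.Join(names, ", "), "public key reused (spki " + fp + ")"})
		}
	}
	return findings
}

// --- constructed sample inventory; names and keys are invented ---

var serial int64

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for cn bound to key's public key. Pass nil for
// parent and parentKey to self-sign; isCA marks a CA template.
func issue(cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// SampleInventory returns four leaf certificates exhibiting the three problems.
func SampleInventory() []*x509.Certificate {
	devCAKey, prodCAKey := newKey(), newKey()
	devCA := issue("Dev Test CA", true, devCAKey, nil, nil)
	prodCA := issue("Corp Issuing CA", true, prodCAKey, nil, nil)
	shared, other, clean := newKey(), newKey(), newKey()
	return []*x509.Certificate{
		issue("api.example.internal", false, shared, devCA, devCAKey),  // test CA left in place
		issue("web.example.internal", false, other, nil, nil),          // self-signed leaf
		issue("db.example.internal", false, shared, prodCA, prodCAKey), // reuses api's key
		issue("good.example.internal", false, clean, prodCA, prodCAKey), // compliant
	}
}

func main() {
	for _, f := range AuditCerts(SampleInventory(), map[string]bool{"Dev Test CA": true}) {
		fmt.Printf("%-45s %s\n", f.Subject, f.Issue)
	}
}
```

In practice the inventory would come from scanning endpoints or from the certificate store, and the dev/test issuer list from the organization's PKI policy; the checks themselves do not change. Note that the self-signed test deliberately uses CheckSignature rather than CheckSignatureFrom, because the latter refuses to verify against a certificate that is not a CA and would miss exactly the self-signed leaves this check is looking for.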

Overall, DevOps teams are driven by accelerated application development, fast innovation and continuous releases. Hitting the production SLA is the primary thing on a developer's mind; security is the second, third, fourth or tenth concern. Developers know security is important, but day to day it is all about fast development, innovation and releases.

DevOps teams must make sure their machine identities are properly protected. Cyber criminals can not only exploit SSL/TLS keys and certificates, but can also misappropriate SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.

Ultimately, our study reveals that security and DevOps can no longer exist separately. Both teams want their organization to succeed and they can use machine identity protection to remain innovative, and safe, in the future.

Tim Bedard, Director of Threat Intelligence and Analytics for Venafi.
