As a certification authority (CA), what we do at Entrust Datacard sits right in the crosshairs of Dev and Ops. Things like encryption, cryptography, verification, authentication — are all considered to put a drag on the DevOps principle to move fast. As part of my research into DevOps, I interviewed DevOps engineers from various companies to understand DevOps in two ways: as a buyer persona and as a user group. In my conversations, I learned quickly that I needed to expand the scope of my research to include the unique use cases required by DevOps in order to secure communications within an efficient development process. Let’s take a look at how TLS/SSL security was enabled for some of those use cases.
Adjusting to a Paradigm Shift
One of the patterns that emerged for the DevOps persona was that they represent a culture. This culture breaks down the silos that traditionally separate the operations team from the developers and strives to smooth over those friction points. DevOps engineers have pioneered a paradigm shift for shipping code. Their commission is to go fast using new methodologies and tools that stress software elegance in a collaborative environment. That’s to say that the goal is to deliver better quality with less complexity.
Getting back to the aforementioned friction point, we first need to understand a common misconception around DevOps, and that is that DevOps prefer to sidestep security in favor of moving fast — even at the risk of introducing vulnerabilities into the IT ecosystem. According to the conversations I’ve had with DevOps engineers, that’s not the case. What they would like to do is build security into their methodologies, not bypass them.
By looking at the common objective of security, there is a way to smooth out this seam. DevOps is all about quality and InfoSec is all about security. How can we blend together DevOps methodologies with the security features that InfoSec requires without taxing InfoSec’s resources or undermining DevOps’s sensibilities? Organizationally, the sweet spot happens when InfoSec sets the policies and requires DevOps to script those policies into their code-as-infrastructure methodologies. The work for us as a CA was to overcome that friction point and enable seamless TLS/SSL security for a true DevSecOps experience.
Making the CI/CD Pipelines More Seamless and Secure
As a DevOps enabler, the best way forward is to apply some of the tools that DevOps is already using. Let’s take a look at some of the tools we’ve built to enable secure communications using TLS/SSL for DevSecOps use cases:
- One way to do this is by Leveraging Deployment Automation Tools. For example, we are the first CA to create an Ansible module to automate certificate deployment at scale onto an unlimited amount of end-points, effectively automating security into the process for standing up servers.
- Another good approach is to provide integration inside an app for a popular workflow process tool. This enables quick ramp up for users to more easily expand their capabilities within a familiar technology. An example of this is creating a seamless integration with the popular ticketing platform, ServiceNow. We worked closely with ServiceNow and have earned ServiceNow certification, placing our app in their Store. Now, ServiceNow users can manage the certificate request to renewal process inside the same application they’re already using to manage many of their other IT-related requests.
- The RESTful API enables users to make certificate requests in a programmatic fashion. It provides flexibility, greater ease of use, and supports a wide range of use cases for integrations. It can be used to integrate into any of the other DevOps tools such as HashiCorp Vault, Chef, Puppet, Kubernetes, etc.
Technologies like these give DevOps that true plug-and-play experience they’re looking for and the peace of mind that InfoSec requires.