The 2016 animated comedy “The secret life of pets” presented a make-believe world where dogs and cats at an apartment building hung out together after their unknowing owners left for work. Today, when software developers go to work in the real world, passwords, PINs, tokens, keys, and other authentication credentials assume a secret life of their own. In this blog, I’ll explain why managing these critical credentials is particularly challenging in DevOps environments, and describe one-way enterprise IT addresses this challenge using secrets management technology with a strong root of trust.
DevOps and the life of secrets
Development operations, or DevOps for short, is an innovative, automated, and fast-paced approach to software development. According to Gartner, DevOps has quickly become mainstream with over 85 percent of organizations favoring its application development and delivery model over other approaches. The DevOps model enables groups of geographically dispersed developers to work collaboratively in a continuous integration and continuous deployment (CI/CD) manner. The process focuses on building small code blocks for assembly into finished software. As a product-centric model, DevOps has revolutionized the way enterprises build software, enabling accelerated application development and ensuring continuous improvement.
The distributed and collaborative nature of DevOps makes security critically important, demanding a trusted foundation to protect the software development process from attacks. Security can never be an after-thought; unfortunately, the common perception is that the more protection you add to a process, the slower it gets, stifling innovation. Today, the ever-mounting incidence of attacks, swelling number of threat vectors resulting from increasing interconnectivity, and a growing regulatory environment, are making security more important than ever. How does security become an enabler for DevOps and for the success of so many digital transformation initiatives? That is where the life of DevOps’ passwords, PINs, tokens, and keys come into play. Secrets management is critical to empower developers and enable the fast-paced innovation.
DevOps workflows can typically employ over 10 different tools and applications, each with their own access control mechanisms. This means that a developer working remotely will use, in addition to her/his corporate credentials which can be numerous, another 10 other secrets including application passwords, container credentials, SSH keys, database PINs, TLS and other privileged access authorizations. An environment so rich in secrets represents a honeypot for hackers looking for exploits, particularly given that these workflows are typically highly innovative, likely exchanging state-of-the-art technology and intellectual property.
As corporate IT teams support increasing amounts of DevOps initiatives and remote workers, IT managers are quickly finding that the number of access credentials used by developers and other employees is exploding. The growing use of tools and applications used across organizations across on-premises and cloud-based platforms is creating what is now commonly referred to as “secrets sprawl,” or the proliferation of access credentials. Typically stored in independent repositories offered by each of the tools, applications, and platforms, the storage of these credentials can often lack the degree of protection needed to ensure they are not vulnerable to sophisticated attacks. Increasing numbers of access credentials, applications that offer their own repositories, security policy silos, and inconsistent security policies all create risks. Without a uniform level of control, enterprises find it hard to apply enforceable security policies and determine who has access to what.
DevOps is all about flow, feedback, and continuous improvement. Repeatedly using these tools and applications to sustain the workflow, developers require repeated access to applications and systems. One way to facilitate this process is to establish and issue privileged access across the diverse set of development tools used by organizations. Privileged access removes inconvenient steps and accelerates the process, but can also further increases the number of passwords, PINs, tokens, and keys needed by developers’ tools and applications to talk to each other securely in a collaborative environment.
Deploying a centralized secrets management solution solves the secrets sprawl problem. The approach brings password, PINs, tokens, keys and other credentials into one protected and controlled location where organizations can monitor and audit operations transparent to developers. Bringing secrets into one centralized location simplifies their management, but can also aggregate risks. Ensuring that the centralized repository has the strongest security possible is therefore imperative in order to ensure trust across the system. Establishing a root of trust using certified hardware security modules (HSMs) is a best practice to segregate master keys from the rest of the IT environment.
HSMs are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data, and creating digital signatures and certificates. Employing dual controls, HSMs ensure that no single individual or entity can singlehandedly change key use policies to circumvent security policies. These powerful features protect from sophisticated attacks including insider threats. HSMs are tested, validated, and certified to the highest security standards including FIPS 140-2 and Common Criteria.
Centralized secrets management solutions deployed in replicated clustered configurations with a robust HSM root of trust provide scalable performance, disaster recovery, and the strongest security needed to support DevOps process. Deployed in these configuration, secrets management solutions integrated with an HSM root of trust enforce consistent security policies that reduce risks and simplify auditing and compliance.
Today, developers perform a critical role in organizations. Not only are they in the front line of innovation, but enterprises depend on their work to stay competitive. The DevOps process ensures developers can meet the demand for CI/CD. To ensure trust and innovation, secrets management is particularly important to sustain this process. Integration of a certified HSM ensures that the master keys used by the secrets management solution have the highest level of protection possible. An integrated solution enables organizations to securely access and use applications, and protect critical data in an increasingly distributed and connected workplace. Moreover, developers are not the only ones that needing sound security policies for access credentials today. As so many of us presently work remotely, secrets management is now more important than ever.
While pets are lucky to have their humans around all day, so are the increasing numbers of passwords, PINs, tokens, keys, and other secrets we use to get our work done. To learn more about how to solve the secrets sprawl problem with trust, integrity and control, download this secrets management plus HSM solution brief.
Juan C. Asenjo, Director of Marketing, Entrust