DigiCert Blog

Advancing the Goal of Automated PKI for More Secure DevOps

This new partnership will accelerate development, increase the speed of innovation, and ensure continuous delivery of certificates for DevOps environments.

Today, DigiCert joins Venafi to announce a partnership that will significantly advance security for DevOps by providing convenient and seamless access to limited-use private PKI certificates designed specifically for internal testing and build environments. This initiative is a positive step toward enabling TLS security within DevOps environments in a way that allows accelerated development, faster innovation and continuous delivery of certificates.

The Venafi Cloud for DevOps platform provides an orchestration layer with network configuration and management systems that includes automated certificate issuance available through DigiCert APIs. Some users may wish to turn their Venafi Cloud instance into a dedicated trust environment, and we encourage them to contact us about how we can get them set up with their own scalable, customized, and fast private PKI.

Venafi Cloud users can now benefit from automated enterprise certificate management and the industry’s fastest, most reliable certificate issuance via DigiCert. Scalability is important in today’s era of interconnectivity and ‘zero trust environments’ that require the persistent authentication and encryption that digital certificates provide. Our continuing focus at DigiCert on automating PKI and providing APIs that easily integrate with a variety of platforms and systems is helping achieve widespread PKI adoption. Along with this, we recognize that each certificate use case requires slightly different levels of trust, validation and performance. We continue to innovate to help PKI meet a variety of security requirements.

‘Zero Trust Environments’: Cracking the shell 

Historically, product building and testing environments have treated security like an egg with an impenetrable outer shell to protect items inside. The predominant thought was that companies should focus on protecting the perimeter from intrusion using tools like firewalls, to keep the data inside the perimeter safe. Today’s security recognizes that there is no unbreakable perimeter; sophisticated and persistent adversaries will penetrate protected networks.

Because of this, security must be deployed at all network layers, within all networked devices and throughout all infrastructures to protect against data leakage and collection. A primary means of protecting TCP traffic is to use TLS certificates to authenticate and encrypt data even on internal networks that we once thought were safe from most attacks.

Within DevOps, virtual machines (VMs) often become the hosting environment of choice. However, to achieve a truly flexible, fast-moving operation, these VMs need to communicate with each other and with other systems across the network, possibly exposing unencrypted data to eavesdropping attackers, which could be costly to the success of a company’s development initiatives. In an environment of continuous deployment and integration, DevOps teams need built-in security orchestration that puts TLS protection in place automatically without slowing down their work. When DevOps spins up a VM meant to handle testing for just a couple of hours, a traditional digital certificate lifetime is not needed, and testing environments often do not require or benefit from public trust. Thus, the certificate type, vetting and delivery processes must change to meet the requirements of automation and uninterrupted operations without compromising security.

Bridging the Security Gap Between DevOps and IT Security and Engineering Teams

IT security and engineering teams face challenges when seeking DevOps compliance with security policies they put in place to protect the network. Because of the speed of DevOps, traditional certificate management is difficult to enforce and track.

For example, a DevOps team member plans to spin up a VM to complete a job that will take just a few minutes and, during those few minutes, the VM will be communicating with the systems in your network. It’s important that communication be secured, but procuring a certificate for that job might, historically, have taken just as long as the work itself. In these situations, it’s all too easy to think, “What could go wrong in 30 seconds?” Under the right (or wrong) conditions, a lot could go wrong absent encrypted connections.

For that reason, many are turning to network configuration and management tools, especially those that operationalize security deployments at the network orchestration level. This is where the Venafi Cloud can be used in conjunction with DigiCert APIs to automate policy-driven deployment of certificates across DevOps ‘zero-trust’ environments, regardless of the technologies used. Because of Venafi’s efforts to integrate with all of the best and most popular DevOps and CloudOps tools, such as SaltStack and Docker, you can spend more time developing and less time configuring and maintaining.

Building for a Smarter, Automated PKI in the Future 

Today’s announcement marks another important milestone in DigiCert’s efforts to make PKI more usable and simpler to manage for IT teams. Our continued work to create the CA industry’s most scalable, agile and fast certificate delivery and management systems, built on APIs that easily integrate into a multitude of platforms and systems, is paving the way for the use of PKI by default. This is important for continuous application delivery, securing the IoT and making enterprise-wide TLS more feasible. We look forward to continuing our work on similar projects in the future.

A Final Note: Consider Adding Another Layer of Trust and Security to Your DevOps Deployments 

For closed environments that do not require public trust, DigiCert’s Private PKI solutions help companies simplify their deployments by outsourcing the creation, management, and maintenance of their Private CAs to us. This allows companies to focus on what they do best while being able to rely on DigiCert to comply with industry regulations and best practices.

For those interested in the Venafi Cloud platform, we recommend creating your own Private PKI with an API key from DigiCert. You can use the API key to issue certificates through your own trusted root, while still benefiting from the security orchestration capabilities of the Venafi Cloud. By replacing the Venafi private PKI intermediate with one of your own, you add an additional layer of security with dedicated trust within your own dev environment.

Using the DigiCert Private PKI API with Venafi Cloud is easy. Just follow these instructions: https://digicert.com/private-pki-for-venafi-cloud.htm.


About Dan Timpson

As CTO, Dan Timpson is responsible for DigiCert’s technology strategy and plays a key role in leading the security industry by driving new initiatives. Dan has over two decades of experience leading teams in software engineering, penetration testing, and security auditing.