As a certification authority (CA), what we do at Entrust Datacard sits right in the crosshairs of Dev and Ops. Things like encryption, cryptography, verification, and authentication are all considered to put a drag on the DevOps principle of moving fast. As part of my research into DevOps, I interviewed DevOps engineers from various companies to understand DevOps in two ways: as a buyer persona and as a user group. In my conversations, I learned quickly that I needed to expand the scope of my research to include the unique use cases required by DevOps in order to secure communications within an efficient development process. Let's take a look at how TLS/SSL security was enabled for some of those use cases.
Adjusting to a Paradigm Shift
One of the patterns that emerged for the DevOps persona was that they represent a culture. This culture breaks down the silos that traditionally separate the operations team from the developers and strives to smooth over those friction points. DevOps engineers have pioneered a paradigm shift for shipping code. Their commission is to go fast using new methodologies and tools that stress software elegance in a collaborative environment. That is to say, the goal is to deliver better quality with less complexity.
Getting back to the aforementioned friction point, we first need to understand a common misconception around DevOps: that DevOps teams prefer to sidestep security in favor of moving fast, even at the risk of introducing vulnerabilities into the IT ecosystem. According to the conversations I've had with DevOps engineers, that's not the case. What they would like to do is build security into their methodologies, not bypass it.
By looking at the common objective of security, there is a way to smooth out this seam. DevOps is all about quality and InfoSec is all about security. How can we blend together DevOps methodologies with the security features that InfoSec requires without taxing InfoSec's resources or undermining DevOps's sensibilities? Organizationally, the sweet spot happens when InfoSec sets the policies and requires DevOps to script those policies into their infrastructure-as-code methodologies. The work for us as a CA was to overcome that friction point and enable seamless TLS/SSL security for a true DevSecOps experience.
Making the CI/CD Pipelines More Seamless and Secure
As a DevOps enabler, the best way forward is to apply some of the tools that DevOps is already using. Let's take a look at some of the tools we've built to enable secure communications using TLS/SSL for DevSecOps use cases:
Technologies like these give DevOps that true plug-and-play experience they're looking for and the peace of mind that InfoSec requires.