PKI in DevOps: How to Deploy Certificate Automation within CI/CD
0 likes566 views
The document discusses the integration of Public Key Infrastructure (PKI) into DevOps practices, emphasizing the importance of certificate automation within CI/CD pipelines. It highlights key challenges such as security oversight, misconfigurations, and the need for efficient management of certificates to prevent outages and security incidents. The document also outlines best practices for addressing these challenges, including visibility, control, and the automation of certificate lifecycle management in development environments.
PKI in DevOps: How to Deploy Certificate Automation within CI/CD
- 1. PKI in DevOps: HOW TO DEPLOY CERTIFICATE AUTOMATION IN CI/CD CYBERSECURITY SME INFINITE RANGES CHRIS PAUL VP, SOLUTIONS ENGINEERING KEYFACTOR ANTHONY RICCI PRODUCT MANAGER KEYFACTOR RYAN SANDERS
- 2. 2 A Bit About Chris ► Cyber Network Warfare Specialist ► Military Intelligence Systems Maintainer/Integrator ► NOC/SOC ► Tech Lead/Engineer ► Cyber Course Developer ► Cyber Operations Instructor (Contractor) CYBERSECURITY SME CHRIS PAUL
- 3. 3 DevOps Mantra vs Security Deliver Fast Nearly 60% deploy multiple times a day, once a day, or once every few days. Run Anywhere Almost 70% of Ops pros report that developers can provision their own environments. Automate Everything A majority of Ops teams (38%) described the development lifecycle as “mostly automated.” But…Security is Left Out Most sec teams don’t have security processes in place for microservices/containers/APIs/cloud native or serverless. And Who Really Owns it? 33% of security respondents say they own security, but almost as many (29%) said everyone is responsible for security. Clarity is needed. *GitLab – Mapping the DevSecOps Landscape | 2020 Survey Results CYBERSECURITY SME CHRIS PAUL
- 4. 4 Cybersecurity Concerns ⊲ Do you know where all your critical assets are? ⊲ Are you confident these assets are deployed and configured to meet business objectives? ⊲ Are you confident in your ability to measure drift in these configurations? CYBERSECURITY SME CHRIS PAUL ⊲ Lack of oversight and control ⊲ Poor configuration or accidental misconfiguration ⊲ Environmental drift Top Cybersecurity Concerns: Questions to ask yourself:
- 5. 5 Poll Question #1 What are the biggest challenges your organization faces from an information security perspective? Increasing complexity of IT / infrastructure1 Lack of cybersecurity skills / resources2 Compliance with privacy laws / regulations3 Keeping up with internal / external threats4 Day-to-day hotspots take too much time5
- 6. 6 Traditional PKI vs Modern PKI PRODUCT MARKETING MGR RYAN SANDERS Web Servers Wi-Fi / VPN Email / Documents THEN Traditional PKI CI/CD Tools Containers Orchestration ADC / CDN Service Mesh IoT Devices Code Signing Mobile / MDM NOW Modern PKI Cloud DevOps Mobile IoT DISRUPTION 88,750 Keys & Certificates 8 Internal/External CAs Shorter Lifespans Few Certificates Spreadsheets / Scripts Static Approach
- 7. PKI in DevOps HOW X.509 CERTIFICATES FIT INTO DEVOPS & CI/CD 7
- 8. 8 The CI/CD Pipeline CODE COMMIT BUILD TEST RELEASE DELIVER PRODUCTION CONTINUOUS DELIVERY CONTINUOUS DEPLOYMENT AUTOMATION Developer pushes new code and automatically triggers server build CI server starts the build process and automated tests against the build Build artifacts are stored and binaries are delivered to a runtime environment Build is deployed to production (on-premise, cloud, multi-cloud) CONTINUOUS INTEGRATION VP, SOLUTIONS ENGINEERING ANTHONY RICCI
- 9. 9 So Many Tools… SCM/VCS CI BUILD TESTING DEPLOYMENT IAAS/PAAS ORCHESTRATION BI/MONITORING PROVISIONING ARTIFACT MGT. DATABASE MGT. VP, SOLUTIONS ENGINEERING ANTHONY RICCI
- 10. 1 0 Where X.509 Certificates Fit Into CI/CD VP, SOLUTIONS ENGINEERING ANTHONY RICCI CODE COMMIT BUILD TEST RELEASE DELIVER PRODUCTION Sign Build Sign Containers Sign Binaries Sign Images Web Servers Load Balancers Containers Orchestration Service Mesh Secret Vaults CI Tools Build Automation Repositories Databases
- 11. 1 1 The Modern PKI & Application Stack VP, SOLUTIONS ENGINEERING ANTHONY RICCI Cloud CA / Vault Services Embedded / Built-In Tools Free CertsOpenSSL Vault “DIY” PKIRequest Public CAs Physical Infrastructure Secrets VMs VMsVMs Cluster 1 Cluster 2 CDN / ADC Clusters Orchestration Ingress/Service Mesh ICA ICA ICA ICA ICA
- 12. What’s Working / What’s Not MANAGING KEYS & CERTS IN DEVOPS ENVIRONMENTS 1 2
- 13. 1 3 Developers can use any CA – for example, Let’s Encrypt – or even generate certificates themselves using popular utilities such as OpenSSL…but there is little else in terms of policy enforcement and PKI governance. GARTNER “The Resurgence of PKI in Certificate Management, the IoT and DevOps” Erik Wahlstrom, Paul Rabinovich, October 2018 PRODUCT MARKETING MGR RYAN SANDERS
- 14. 1 4 Security & DevOps Challenges InfoSec TeamsDev + Ops Teams Avoid time-consuming, manual request processes Use unauthorized or “DIY” CAs Use certificates from built-in DevOps / Cloud tools Issue non-compliant or self-signed certificates Fail to properly track certificates and expirations Limited visibility of certificates issued Unable to enforce consistent enterprise policy Lack control over CA/PKI infrastructure No accountability when something goes wrong Constantly chasing down non-compliant certificates DevOps needs fast, easy access to certs. InfoSec needs visibility and policy. PRODUCT MARKETING MGR RYAN SANDERS
- 15. 1 5 Risk #1 • Outages & Breaches 2017 EQUIFAX One expired certificate on network monitoring device left Equifax blind to the attack for 76 days. MICROSOFT TEAMS An expired authentication cert stopped users from logging into Teams for nearly three hours. 02/ERICSSON Ericsson faces a £100 million bill after millions of mobile users in Japan / U.K. were impacted. OCULUS RIFT Users found out their VR headsets were not working due to an expired certificate. LINKEDIN (AGAIN) For the second time, LinkedIn users experienced interruptions caused by an expired cert. LINKEDIN For roughly two hours, LinkedIn was down across most regions due to an expired certificate. FIREFOX U.S. GOVERNMENT 2018 2019 2020 DOWNTIME A certificate expires – Gartner estimates network downtime costs $300,000 per hour. DISRUPTION Services are disrupted – the IT helpdesk/customer service are inundated with calls. RESPONSE PKI/infosec take hours or days to identify an expired certificate as the root cause. What happens when an outage strikes? REMEDIATION Teams must locate and replace every instance of the expired certificate. CYBERSECURITY SME CHRIS PAUL
- 16. 1 6 Risk #2 • Crypto-Incidents CYBERSECURITY SME CHRIS PAUL
- 17. 1 7 Risk #3 • Code Signing Attacks CYBERSECURITY SME CHRIS PAUL 2010 STUXNET 2015 2019 DUQU 2011 2012 2013 2014 2016 2017 2018 BIT9 MALAYSIAN GOV’T ADOBE OPERA SONY DUQU 2.0 D-LINK SYNful KNOCK SUCKFLY APT D-LINK (AGAIN) ASUS APT41 Key Theft Attackers find and steal private keys to sell on the dark web or sign malware. Signing Breach They infiltrate the code signing process itself, despite secure key storage. Internal Misuse Developers accidentally publish private keys into publicly accessible locations.. How is code signing compromised?
- 18. 1 8 Code Signing Use Case MULTINATIONAL TECH COMPANY ⊲ Development teams in US East, West, and Israel ⊲ Multiple build server solutions – TFS, Jenkins, etc. ⊲ Multiple dev languages – .NET, C++, Java, iOS ⊲ More than 100+ different products to be signed ⊲ Certs deployed to build servers, managed manually ⊲ Signing process manual and “effort greedy” PRODUCT MARKETING MGR RYAN SANDERS
- 19. 1 9 Poll Question #2 What would you say is your primary concern regarding the use of keys and X.509 certificates in DevOps? Manual, time-consuming processes1 Lack of visibility / unknown certificates2 No of control over issuance and usage3 Lack of accountability and ownership4 Insecure code signing / private keys5
- 20. How to Support DevSecOps DEPLOY X.509 CERTIFICATE AUTOMATION IN CI/CD 2 0
- 21. 2 1 The API economy forces organizations to monitor not only their own certificates, but also certificates issued and used by partners and services that the organizations rely on. GARTNER “The Resurgence of PKI in Certificate Management, the IoT and DevOps” Erik Wahlstrom, Paul Rabinovich, October 2018 VP, SOLUTIONS ENGINEERING ANTHONY RICCI
- 22. 2 2 Getting it Right • Ideal State VP, SOLUTIONS ENGINEERING ANTHONY RICCI Visibility Control Automation Know where certificates are issued from and all the locations they are installed Be able to respond to audit requests Understand how certificates are being used and for which applications Continuously monitor issuance and usage for abnormalities Ensure that certificates are issued from a trusted, enterprise-sanctioned PKI Enforce consistent role-based access and issuance policies Assign certificates to application groups or owners for clear accountability Keep private keys and code signing certificates locked down Support multiple CA tools and vendors Integrate with built-in issuers such as Kubernetes, Istio, HashiCorp Vault Provide self-service access to certificates for developers Automate certificate renewals and provisioning InfoSec controls the backend PKI. Integrated with native tools and workflows.
- 23. 2 3 Certificate Lifecycle Management (CLM) VP, SOLUTIONS ENGINEERING ANTHONY RICCI PUBLIC CAs PRIVATE CAs SERVERS ADC CLOUD EXISTING CERTIFICATE PROCESSES Direct CA Integration Inventory & Automation KEYFACTOR COMMAND Certificate Stores CAs Direct Integration No Middleware. Inventory, monitor and renew certificates in place. Crypto-Agility Certificates can quickly be re-issued or renewed from a different CA/template. No Re-Engineering No need to re-engineer workflows or re-issue certs through our platform. Scalability The platform is tested and proven to in environments of 500M+ certificates. Private Key Storage No need to store private keys in our platform – per-template basis. Extensibility Modular design enables maximum extensibility across infrastructure. No Middleware
- 24. 2 4 Secure Code Signing Operations VP, SOLUTIONS ENGINEERING ANTHONY RICCI STEP 1 Developer submits code to be signed via user interface, API, or CSP / KSP. STEP 3 Keyfactor Code Assure signs code without keys ever leaving the HSM.. STEP 4 InfoSec and PKI teams can audit code signing activity throughout.. STEP 2 Signing request is allowed or denied based on policies set by the admins. WORKSTATION SIGNING SERVER BUILD SERVER SIGNING TOOL SIGNING TOOL SIGNING TOOL CODE CODE CODE DEVELOPERS USER INTERFACE API CSP / KSP DEVELOPERS DEVELOPERS ADMIN PORTAL POLICY ENGINE ADMINS PHYSICAL OR CLOUD HSM 1 2 Audit Logs 3 4
- 25. It’s Q&A Time DON’T BE SHY, WE WANT TO HEAR FROM YOU 2 5
- 26. Thank You 2 6 CYBERSECURITY SME, INFINITE RANGES CHRIS PAUL VP, SOLUTIONS ENGINEERING, KEYFACTOR ANTHONY RICCI PRODUCT MANAGER, KEYFACTOR RYAN SANDERS cpaul@infiniteranges.com anthony.ricci@keyfactor.com ryan.sanders@keyfactor.com