Historically, DevOps and security have been diametrically opposed practices. DevOps wants to move fast and break things, or so they say, but security policies tend to slow things down. However, it has become clear that this school of thought has evolved, as both practices have something to learn from the other. Organizations have embraced a “shift left” approach to integrate security earlier into application development, while security teams are learning to embrace the automation, flexibility and scalability of DevSecOps.
For example, consider public key infrastructure (PKI), a security technology that is commonly used to authenticate identities, devices and software. There are many valuable use cases for PKI in DevOps such as authenticating services and infrastructure (instead of hard-coded secrets) and validating software and third-party applications. Likewise, there is a worthwhile use case for DevOps to automate manual and ticket-based certificate management; especially since this can create unacceptable bottlenecks for DevOps.
In this example, PKI and DevOps are like two sides of the same coin:
- PKI for DevOps – Leverages DevOps to efficiently deploy PKI-based credentials for business applications and services
- DevOps for PKI – Automates the deployment and configuration of PKI with DevOps
In either case, these processes use a lot of similar techniques and tools. Best of all, many of them are available through open source communities.
EJBCA – Open source PKI
EJBCA is an open source certificate authority that provides a full life cycle certificate management solution, from registration and enrollment to certificate validation and revocation. The project’s source code is available under the terms of the GNU Lesser General Public License (LGPL). EJBCA is used to install a private certificate authority which is highly scalable. In comparison, public certificate authorities are monolithic and expensive, which makes them poorly suited for agile DevOps.
Ansible – Open source IT automation
Ansible is an IT automation tool that can install and configure software (in this example, EJBCA). The process is easily repeatable through the creation of playbooks, roles and tasks. Ansible is simple to use because it is YAML-based, a language that is designed to be easily understood, which makes it ideal for DevSecOps environments that have implemented infrastructure-as-code (IaC). Ansible is also highly scalable because it is modular and agentless, which makes it lightweight and fast. Additionally, Ansible playbooks can secure the deployment of other software with keys and certificates from EJBCA, making it possible to leverage Ansible as a universal automation tool, PKI for DevOps and DevOps for PKI.
HashiCorp Vault – Open source secrets management
HashiCorp Vault is a secrets management solution, which can be used to secure, store and control access to tokens, passwords, certificates and encryption keys. Its use cases include secrets management, data encryption and identity-based access. As organizations have shifted to more dynamic cloud and hybrid infrastructure, secrets management has become integral to ensure that keys are not exposed in applications and APIs and that certificates are securely issued to the right machines.
Jenkins – Open source continuous integration
Jenkins is an automation server for building, testing, delivering and deploying software. Jenkins may be used to automate the deployment of certificates and keys as part of a continuous integration and continuous delivery pipeline (CI/CD). Essentially, a playbook defined in Ansible may be streamlined by Jenkins in the CI/CD pipeline that is a hallmark of DevOps.
PKI for DevOps and DevOps for PKI
The ultimate goal of PKI for DevOps is to provision PKI credentials for business applications without hard-coded secrets, which is one less risk to concern the security team. The goal of DevOps for PKI is to automatically deploy a completely configured PKI solution, which is one less roadblock for DevOps teams. Organizations can leverage a collection of open source Ansible playbooks to automate the installation of EJBCA, which makes this process easily replicable.
The nature of DevOps is to embrace automation and flexibility at scale. That means that PKI certificate provisioning needs to be integrated and automated into DevOps. When this is done correctly, security and DevOps don’t need to be diametrically opposed—organizations can achieve the best of both worlds: Security and efficiency.
FAQs
PKI Automation ensures that all the machines which requires new certificate deployment or replacement are immediately addressed with accuracy. This will eliminate the any risk of non-compliance due to outdated certificates in critical systems.
What is PKI DevOps? ›
Speed and automation is the key for DevOps, and with the increasing adoption of shifting security left, delivering secured software applications has become the responsibility of DevSecOps teams. However, they are rarely experts, especially when it comes to PKI (Public Key Infrastructure).
Which tool is used for automation in DevOps? ›
Chef: Configuration Management and Application Deployment
Chef is a robust DevOps automation tool used for configuration management, deployment, and server/application management across different environments. It simplifies configuration processes, allowing DevOps teams to define reusable and consistent policies.
Can DevOps be automated? ›
DevOps automation is the addition of technology that performs tasks with reduced human assistance to processes that facilitate feedback loops between operations and development teams so that iterative updates can be deployed faster to applications in production.
What is PKI API? ›
Overview. The high-level PKI services API defines five functions for operating on buffers: signBuffer, verifyBuffer, encryptBuffer, decryptBuffer, and CMSBufferParser. The signBuffer function signs the contents of a buffer and returns the signature, which may or may not include a copy of the buffer that was signed.
What are PKI tools? ›
PKI, or public key infrastructure, encompasses everything used to establish and manage public key encryption. This includes software, hardware, policies, and procedures that are used to create, distribute, manage, store, and revoke digital certificates.
How does PKI work step by step? ›
First, a private key is created, which is used to calculate the public key. Then, the CA requires the private key owner's attributes presented for verification. After that, the public key and the owner's attributes are encoded into a digital signature known as a certificate signing request (CSR).
What are the five main components of PKI? ›
A comprehensive PKI system comprises five essential elements: Public and Private Keys, Digital Certificates, Certificate Authority (CA), Registration Authority (RA), and Certificate Policy (CP).
What is an example of a PKI? ›
A prime example of PKI in communication is secure email. S/MIME (Secure/Multipurpose Internet Mail Extensions) uses digital certificates to encrypt emails. Both sender and recipient need a trusted CA-signed certificate.
Which tool is used to automate? ›
1. Selenium. Selenium is still a number one choice among automation testing tools for web applications. It's a powerful drive for cross-browser testing and can be used for many test types, including compatibility, integration, smoke, sanity, end-to-end, and regression testing.
Two of the most popular DevOps tools for this phase of development are Jira and Git [1]: Jira: Although no specific DevOps tools are required for planning, many DevOps organisations use Agile project management software like Jira.
How should I automate DevOps support project? ›
There are dozens of ways to automate and improve DevOps metrics. Three of the most common are: Workflow (for example: moving support tickets through the service desk faster) Knowledge (when an incident comes in, your service management tool should automatically surface relevant knowledge and documentation)
What is an example of automation in DevOps? ›
CI/CD deployment automation
CI/CD automates these tasks. Developers use version control software to manage source code and track changes. When the code is ready for testing, the pipeline automatically builds the application, runs tests, and deploys it to the appropriate environment.
Why should you not automate every process in DevOps? ›
Over-Automation in Deployment leads to acute risks
The inflated Deployment Automation can slow-down the release, put operations on firefighting mode after every release, and make roll-back processes time-taking and tedious. Deployment Automation is for teams with daily or weekly release cadence.
What does the PKI do? ›
A Public Key Infrastructure Definitive Guide. Public key infrastructure (PKI) governs the issuance of digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications.
What is PKI explained simply? ›
Public key infrastructure (PKI) refers to tools used to create and manage public keys for encryption, which is a common method of securing data transfers on the internet. PKI is built into all web browsers used today, and it helps secure public internet traffic.
What does PKI stand for in technology? ›
PKI is an acronym for public key infrastructure, which is the technology behind digital certificates. A digital certificate fulfills a similar purpose to a driver's license or a passport – it is a piece of identification that proves your identity and provides certain allowances.
What is the primary purpose of PKI? ›
Public Key Infrastructure (PKI) is important because it significantly increases the security of a network and provides the foundation for securing all internet-connected things. PKI is a core component of data confidentiality, information integrity, authentication, and data access control.
