GlobalSign Blog

Why PKI Should be a Part of Your DevSecOps Policy

Why PKI Should be a Part of Your DevSecOps Policy

Before we begin, let's take a few steps back. Public Key Infrastructure (PKI) should really be at the base of all transactions, documents, and software. Why? Because it is important to prove the authenticity, integrity, and non-repudiation of all things digital. To those unfamiliar with these concepts: 

  • authenticity proves the signer is who they say they are
  • integrity proves that the document has been unchanged
  • and non-repudiation ensures that the signer cannot later deny that he/she was the person who signed it 

These are the three main pillars that make digital signing so secure and trustworthy, and therefore something that is being more and more sought out as enterprise security requirements become increasingly intricate and necessary.  PKI is really achieved through trust, which means if one CA (certificate authority) emits errant certificates, the trust chain breaks. It's that reliant. 
 
When it comes to DevOps, it's important to create a safe environment for your development, testing, staging, deployment, and production – all while maintaining efficiency. In order for DevOps to be successful, a higher level of scalable security is required. When you think of DevOps security (DevSecOps), you may think of controlling access to secrets, penetration testing, code reviews, firewall management, audits, among many other ways to ensure your product is safe. Most of these protect the product from outside threats, internal mistakes, inefficient development cycles, etc. Now, you can achieve all of that without providing an identity to those endpoints by way of certificates (PKI) – but why would you want to? Trust me, you don’t. And here’s why. 
 
If you're reading this there’s a good chance you know how to drive and therefore have a driver's license. To obtain your license you had to fill out and submit an application, complete a written exam and perform a driving test, and submit appropriate documentation – including another form of identification – and fees. A very similar process happens when obtaining a digital certificate. The one who wishes to obtain said certificate has to submit a request (similar to an application), provide proof of the entity that they wish to receive the certificate for (similar to the tests), submit information or other forms of identification to be vetted or verified (similar to submitting appropriate documentation), and then paying for the certificate (which is similar to paying the fees for the license). 
 
This driver's license then acts as a piece of legal identification. We are supposed to have it on us at all times, especially while driving. We make sure it's valid, not expired, suspended, revoked, or fake. Driving without a license entirely? Well that's against the law. Certificates act as an identification for almost anything digital. You could try driving with a fake license, but the second you need to put the identification to use, it does not hold up. Trying to drive with a suspended license? Same idea. You can physically drive the car, but the second an issue arises and you need to provide proof of your identity with a suspended license, it is no longer valid and therefore illegal. If you or someone else creates a problem on the road and you need proof of ID, you're out of luck. 
 
The same idea applies to DevOps. You can build the most beautiful code, successfully deploy and test, but unless you provide security across the full software lifecycle – and that security includes a certificate/PKI for all of your endpoints, proving that your company is who you say it is – then you're paving the way for unwanted harm to your product, company, and/or customers. 
 
Now there are no set regulations for DevOps security yet, but why not be ahead of the curve while providing your company and customers with the trusted security that they expect and deserve? Create your own internal security policies now to set yourself up for the policies that are guaranteed to be set in place in the future. Be a part of building the trust, today.

Learn more about the importance of baking security policies directly into your DevOps processes in our free eBook, Accelerete DevOps with Streamlined PKI, and check out the three-minute video below. 


 

Share this Post