Tim Callan at Sectigo: Don’t DIY Your PKI

This article was contributed by Tim Callan, Senior Fellow at Sectigo

DevOps is a distinct approach to IT that comes with its own characteristic architectures and tools. No DevOps practitioner would consider operating without platforms such as Docker, Kubernetes, Jenkins, Ansible, and Terraform, and such environments necessarily rely on some form of PKI to establish the identity of containers and the services that communicate with them.

Unfortunately, this is where expert DevOps developers can go wrong. PKI is its own specialized discipline, just as DevOps is. That means expert operators of complex microservices platforms routinely find themselves tasked with standing up or operating PKI systems without understanding the ins and outs of running one.

And that means risk: risk that these PKI choices leave the organization exposed to breaches; risk that practices fail to meet industry, regulatory, and SLA requirements; risk that DevOps security cannot be audited at all; and risk that even implementations that are strong and secure today fall behind on the patches and cryptographic updates needed to stay that way.

DIY vs. Purpose-built

Organizations implementing containerized environments most often follow one of two PKI paths. Some orchestration engines ship with default PKI functionality built in (Kubernetes, for example, maintains its own cluster CA for the API server and kubelet certificates), and it is tempting to follow the path of least resistance and use that functionality as is. For platforms that do not include their own PKI, a DIY project is needed, most often by obtaining an open source PKI application that can be dropped into the environment with minimal effort and budget.

Either decision comes with a downside. The PKI choices made by the developer of that solution may not match your own security and compliance requirements. Furthermore, there is a distinct possibility that whoever is in charge of the implementation lacks the knowledge to tell whether the PKI in place is secure and compliant, or not.

There is, however, a third alternative with clear advantages over these two: a purpose-built PKI platform. Purpose-built PKI has the advantage of being reliably in line with accepted, current practice. Parameters such as key length, certificate lifetime, and signature hash algorithm are set according to current best practice (for example, refusing RSA keys shorter than 2048 bits and SHA-1 signatures, both long deprecated by browsers and the CA/Browser Forum). And as cryptographic attacks and available computing power continue to advance, these platforms provide the crypto agility needed to stay ahead of them.

Managing complicated certificate lifecycles

Today’s enterprise requires certificates of many different types, including TLS, client authentication, code signing, document signing, and S/MIME email certificates, issued from both publicly trusted and private roots. These are not interchangeable: each has its own installation procedure, authentication rules, term length, governance policy, and compliance requirements. Every certificate has a built-in expiration, which can range from hours to years.

Plus, the number of certificates can be vast. Especially in newer environments such as DevOps and IoT, the volume of certificates in use can be orders of magnitude higher than a traditional architecture would require. In these environments, manual deployment, management, and renewal of certificates is no longer practical.

The consequences of certificate expiration can be catastrophic. For example, in December 2018 approximately 40 million mobile users of O2, SoftBank, TalkTalk, and other operators lost data service for nearly a day. The failure across so many users and services traced back to an unexpected certificate expiration in software from back-end supplier Ericsson, and it has been estimated to have cost Ericsson as much as 100 million euros in SLA penalties.
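The two failure modes above, PKI parameters that do not meet policy (key length, signature hash, validity period) and certificates that quietly expire, are both detectable before they bite. The following Go program is an added example, not code from the article or from Sectigo: it audits certificates already in use, the way a practitioner would run a scheduled check across a cluster. It uses only the Go standard library. The policy thresholds (2048-bit RSA minimum, 398-day maximum validity, 30-day renewal window), the Policy field names, the function names, and the two sample certificates it issues for itself are this example's assumptions, not figures from the article.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Policy holds the PKI choices the article says a DIY deployment can get wrong
// without noticing. Field names and thresholds are this example's assumptions.
type Policy struct {
	MinRSABits  int           // smallest acceptable RSA modulus, in bits
	MaxValidity time.Duration // longest acceptable NotBefore..NotAfter span
	RenewBefore time.Duration // flag certificates that expire within this window
}

// Audit checks one parsed certificate against p as of now and returns one
// finding per violation; an empty result means the certificate is compliant.
func Audit(c *x509.Certificate, p Policy, now time.Time) []string {
	var findings []string
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < p.MinRSABits {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits, policy minimum is %d", k.N.BitLen(), p.MinRSABits))
	}
	switch c.SignatureAlgorithm { // MD5- and SHA-1-based signatures are rejected outright
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "signed with deprecated algorithm "+c.SignatureAlgorithm.String())
	}
	if life := c.NotAfter.Sub(c.NotBefore); life > p.MaxValidity {
		findings = append(findings, fmt.Sprintf("validity of %.0f days exceeds maximum of %.0f days", life.Hours()/24, p.MaxValidity.Hours()/24))
	}
	switch remaining := c.NotAfter.Sub(now); {
	case remaining < 0:
		findings = append(findings, "EXPIRED at "+c.NotAfter.UTC().Format(time.RFC3339))
	case remaining < p.RenewBefore:
		findings = append(findings, fmt.Sprintf("expires in %.0f days, inside the renewal window", remaining.Hours()/24))
	}
	return findings
}

// AuditPEM parses a PEM-encoded certificate and audits it; use this on
// certificates exported from a cluster or fetched from a TLS endpoint.
func AuditPEM(pemBytes []byte, p Policy, now time.Time) ([]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return Audit(c, p, now), nil
}

// SelfSignedPEM issues a self-signed certificate with the given parameters.
// It stands in for what a hand-rolled CA might produce (constructed sample).
func SelfSignedPEM(cn string, bits int, alg x509.SignatureAlgorithm, notBefore time.Time, life time.Duration) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		NotBefore:          notBefore,
		NotAfter:           notBefore.Add(life),
		SignatureAlgorithm: alg,
		KeyUsage:           x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	policy := Policy{MinRSABits: 2048, MaxValidity: 398 * 24 * time.Hour, RenewBefore: 30 * 24 * time.Hour}
	now, day := time.Now(), 24*time.Hour
	// Constructed samples: a weak, long-lived "DIY CA" certificate and a compliant 90-day leaf.
	weak, err1 := SelfSignedPEM("diy-ca.internal", 1024, x509.SHA1WithRSA, now.Add(-day), 5*365*day)
	good, err2 := SelfSignedPEM("svc.cluster.local", 2048, x509.SHA256WithRSA, now.Add(-day), 90*day)
	if err1 != nil || err2 != nil {
		fmt.Println("issuing samples failed:", err1, err2)
		return
	}
	for _, s := range []struct{ name string; pem []byte }{{"diy-ca.internal", weak}, {"svc.cluster.local", good}} {
		findings, err := AuditPEM(s.pem, policy, now)
		fmt.Printf("%s: %d finding(s) %v err=%v\n", s.name, len(findings), findings, err)
	}
}
```

Run against the two constructed samples, the 1024-bit, SHA-1, five-year certificate produces three findings and the 2048-bit, SHA-256, 90-day leaf produces none. The expiry branch is the one that matters operationally: a certificate that is otherwise perfectly compliant still brings services down when it lapses, so the check is worth scheduling rather than running once.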

Even the day-to-day administration of certificates becomes easier and less time intensive with automation in play. Consider the following scenario: you are the certificate administrator for your organisation and you have a new hire starting on Monday. She needs user certificates to log in to the Wi-Fi network and the VPN, to encrypt and sign email, and to sign documents electronically. Do you sit with her on Monday morning to set her up? Not if you can use certificate auto-enrollment. When she arrives, she logs in to her corporate laptop and the system obtains her certificates automatically. She is all set. Now imagine ten new hires starting the same day: the efficiency saving is clear, and the business stays secure.

Enterprises have a variety of options for automating the provisioning and management of certificates. Confirm that the certificate automation tools you choose provide the security and flexibility needed to safeguard your mission-critical data and digital operations. Make sure they meet your regulatory and industry compliance needs and can provision certificates rapidly, in whatever volume you need now and as you grow.

The potential impact of going without professional PKI, adequate security, or automation in certificate management cannot be overstated. Certificate failures directly cause outages, breaches, and compliance failures, and those in turn lead to lost revenue, reputational damage, poor customer satisfaction, and even fines for non-compliance. Avoid these pitfalls. Don’t DIY your PKI.
