Applying Identity to DevSecOps Processes
Thu, 08/11/2022 – 12:11
Identity means secrets
You prove your identity by validating credentials; secrets are the digital credentials used for this purpose. With the proper validation, you can authenticate a user (human or machine) and authorize them to access privileged services, accounts, and applications. Therefore, securing secrets is a priority because access to the internal network relies on secrets.
As machines and humans both have identities that require authentication, the list of credentials to track and protect might include:
- API credentials
- GitHub Tokens
- Hard-coded credentials in containerized applications
- Private encryption keys (PGP protocols)
- SSH keys
- TLS/SSL certificates
- One-time password devices
To ensure the security of these credentials, developers must first know where they live in the continuous integration/continuous delivery (CI/CD) pipeline, and then how to properly configure, manage, and deploy them. As you can imagine, the number of identities requiring validation in a rapidly changing DevOps environment can be endless.
Why Securing Secrets in the CI/CD Pipeline is Difficult
DevOps was born out of speed, and to that end, technologies like Ansible, Puppet, Chef, and Jenkins are used to bring process and product together. However, to be able to do so, these tools must be the hub of thousands of services, machines and applications that make up the Development and Operations lines.
It is therefore not surprising that “CI/CD tools are the biggest consumers of secrets and have access to many sensitive resources such as other applications and services and information such as code bases and databases,” as the Identity Defined Security Alliance points out in a recent blog post. And “as the number of secrets increases, it becomes more difficult to store, transmit and audit secrets securely”.
The problem is also exacerbated by the complexity of the development process. While it was once enough to authenticate between tools, it is no longer uncommon for virtual machines, services or other resources to have to authenticate each other during the build process, just to get the job done. As the Identity Defined Security Alliance points out, “this is especially important in hybrid cloud and microservices deployments, and with the automated scaling capabilities of tools like Kubernetes.”
Processes need to remain nimble, and if build-time authentication is tedious or friction-laden, it’s likely that these security processes (as important as they are) could be overlooked, carelessly executed, or omitted entirely.
What can be done to ensure that we keep “Dry” in DevSecOps, without compromising speed, efficiency and agility?
Protect identity within the CI/CD
To secure your CI/CD pipeline and all the secrets within it, you need complete visibility and monitoring along the entire length of the toolchain. This includes locking down configuration managers, systems where repositories are hosted, and build servers. Here are several best practices:
- Leave no traces. Erase hard-coded secrets from CI/CD configuration files and source code.
- Identify access permissions. In other words, know who can access what and what rules access is based on – whether it’s based on role, time or task. Or you can segment your secrets based on broad access management permissions.
- Apply the principle of least privilege. If they don’t need access to the resource for an essential job function, they shouldn’t have it. No one should be granted excessive permissions by default – it increases risk and offers no reward.
- Manage machine identities inside the containers. A requesting client runtime container will have to validate the native characteristics of a valid container, so it is essential to ensure secure authentication in this exchange. It is also recommended to destroy containers and virtual machines after use.
- Use one-time passwords or other modern authentication methods (biometrics, MFA, location-based validation) where possible when dealing with highly sensitive tools, systems and information.
- No double dipping. Make sure your secrets aren’t accidentally passed for pull requests during builds.
- For human identities, use a password manager to create brute-force-resistant passwords that are unique to each service.
- Use a machine identity management platform when it comes to managing machine secrets in your CI/CD pipeline. It acts as a password manager for machines, while automating the renewal, revocation and configuration of TLS-based authenticators. It can also search, catalog and control all the identities of your company’s machines (on-premises, in the cloud and in virtual environments) so that you can manage machine secrets from a single screen.
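The first of these practices, erasing hard-coded secrets from CI/CD configuration files, starts with finding them. The following scanner is an added example (not code from the original post or from Jetstack) that checks a constructed sample pipeline config for private-key material, GitHub-token-shaped strings, and high-entropy literals assigned to secret-like keys, while treating `${{ secrets.NAME }}`-style references to the CI secret store as the clean pattern; the sample config and its values are invented for the demonstration.

```python
import math
import re
from collections import Counter

# Credential shapes the page names (private keys, GitHub tokens); checked first.
PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
]
# Generic "secret-ish key = literal value" assignment in YAML/INI/env syntax.
ASSIGNMENT = re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"#]+)")


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking secrets score well above ordinary words."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_config(text: str, min_len: int = 8, min_entropy: float = 3.0):
    """Return (line_number, kind) for every line that appears to hold a literal secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        kind = next((k for k, rx in PATTERNS if rx.search(line)), None)
        if kind is None and (m := ASSIGNMENT.search(line)):
            value = m.group(2)
            # ${{ secrets.NAME }} / ${NAME} are references resolved at run time by the
            # CI secret store, which is the pattern we want, so they are not findings.
            if (not value.startswith("$") and len(value) >= min_len
                    and shannon_entropy(value) >= min_entropy):
                kind = "hard_coded_assignment"
        if kind:
            findings.append((lineno, kind))
    return findings


# Constructed sample pipeline config (not from any real project); all values are fake.
SAMPLE_CONFIG = """\
env:
  DB_PASSWORD: "Tr0ub4dor&3x9!pQ"                 # literal secret: finding
  API_KEY: ${{ secrets.API_KEY }}                  # secret-store reference: clean
  GH_TOKEN: ghp_0123456789abcdefghijABCDEFGHIJ012345  # token-shaped literal: finding
  SSH_KEY: "-----BEGIN OPENSSH PRIVATE KEY-----"   # key material: finding
  ADMIN_TOKEN: "changeme"                          # low entropy: missed (known limit)
  DEBUG: "true"
"""

if __name__ == "__main__":
    for lineno, kind in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}")
```

The `ADMIN_TOKEN` line shows the limit of entropy-based detection: weak placeholder passwords score like ordinary words, so a scanner like this complements, rather than replaces, a policy of injecting every secret from a managed store.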
How Jetstack Secure Enables DevSecOps
Managing identities – both human and machine – within a DevOps environment is an inescapable reality of the digital revolution.
Jetstack Secure is the Kubernetes machine identity management solution that provides automated PKI protection at the speed of DevSecOps. It gives you control and visibility over your X.509 certificates, allowing you to automatically monitor their configuration status on Kubernetes and OpenShift clusters. Jetstack Secure provides developers with a consistent deployment process with built-in workload security, rooting out misconfigured certificates and alerting you so you can take action to defend your secrets.
Use Jetstack Secure to proactively monitor ingress from within the cluster and gain ground-level visibility that lets you use your existing PKI to control workload security in the service mesh.
Tracking secrets – be they human identities or machines – in today’s complex architecture is only possible with the right solutions. As organizations rush to cloud, hybrid environments, containerization, virtualization, and everything else included in the DevOps sweep, it’s important that security retains a primary role.
Jetstack Secure gives you the automated security solution designed to keep up with change and keep you moving quickly, viably, and securely into the digital age.
Find out how Jetstack Secure protects your CI/CD pipeline by contacting one of our experts today.