Venafi (www.venafi.com), a provider of machine identity protection, has announced the results of a study on the cryptographic security practices of DevOps teams. Cryptographic security risks are amplified in DevOps settings, where compromises in development or test environments can spread to production systems and applications.
According to the study, many organizations fail to enforce vital cryptographic security measures in their DevOps environments. These problems are especially acute among organizations that are in the midst of adopting DevOps practices, but even organizations that say their DevOps practices are mature do not follow security practices designed to protect cryptographic keys and digital certificates.
“It’s clear that most organizations are still struggling with securing the cryptographic keys and digital certificates used to uniquely identify machines,” said Kevin Bocek, chief security strategist for Venafi. “Although DevOps teams indicate that they understand the risks associated with TLS/ SSL keys and certificates, they clearly aren’t translating that awareness into meaningful protection. This inaction can leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.”
Key study findings:
° The vast majority (82%) of respondents from organizations with mature DevOps practices say corporate key and certificate policies are enforced consistently. In organizations in the midst of adopting DevOps practices, just over half (53%) enforce these policies consistently.
° In mature DevOps organizations, almost two-thirds (62%) of DevOps teams consistently replace development and test certificates with production certificates when code rolls into production. In organizations that are just adopting DevOps practices, only a bit over one-third (36 percent) follow this critical best practice. Without changing certificates, there is no way to distinguish between the identities of trusted machines that are safe to place in production and untested machines that should remain in development.
° Eighty-nine percent of respondents with mature DevOps practices say their DevOps teams are aware of the security controls necessary to protect their organizations from attacks that leverage compromised keys and certificates; in organizations adopting DevOps only 56% believe their teams are aware of these controls.
° Eighty percent of mature DevOps respondents and 84% of adopting respondents allow self-signed certificates. Self-signed certificates can be issued quickly, however they can make it difficult to uniquely identify that machines belong and can be trusted.
Key reuse is a problem: 68% of mature DevOps respondents and 79% of adopting respondents said they allow key re-use. While key re-use saves time if a cyber criminal is able to gain access to one key they will automatically gain access to any other environment or application where the key is used.
As the speed and scale of DevOps development intensifies, the use of secure encrypted communications explodes. Without robust security measures and practices, successful attacks that target DevOps keys and certificates can allow attackers to remain hidden in encrypted traffic and evade detection. According to a recent report from A10 Networks, 41% of cyber attacks used encryption to evade detection.
“If the keys and certificates used by DevOps teams are not properly protected, cyber criminals will be able to exploit SSL/TLS keys and certificates to create their own encrypted tunnels,” said Tim Bedard, director of threat intelligence and analytics for Venafi. “Or attackers can use misappropriated SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.”
The study was conducted by Dimensional Research in November 2016. Study respondents included 431 IT professionals responsible for cryptographic assets in companies with DevOps programs in the U.S. and Europe.