Cryptographic security risks end up intensified in DevOps settings, where compromises can spread to production systems and applications, new research found.
What ends up being a problem is organizations fail to enforce vital cryptographic security measures in their DevOps environments, according to a study conducted by Dimensional Research for Venafi, a provider of machine identity protection.
These problems end up magnified in organizations adopting DevOps practices, but even organizations with mature DevOps practices do not follow security practices designed to protect cryptographic keys and digital certificates.
“It’s clear that most organizations are still struggling with securing the cryptographic keys and digital certificates used to uniquely identify machines,” said Kevin Bocek, chief security strategist for Venafi. “Although DevOps teams indicate that they understand the risks associated with TLS/ SSL keys and certificates, they clearly aren’t translating that awareness into meaningful protection. This inaction can leave organizations, their customers and partners extremely vulnerable to cryptographic threats that are difficult to detect and remediate.”
Eighty-two percent of respondents from organizations with mature DevOps practices said corporate key and certificate policies are enforced consistently. In organizations in the midst of adopting DevOps practices, just over half (53 percent) enforce these policies consistently.
In mature DevOps organizations, 62 percent of DevOps teams consistently replace development and test certificates with production certificates when code rolls into production. In organizations just adopting DevOps practices, 36 percent follow this critical best practice. Without changing certificates, there is no way to distinguish between the identities of trusted machines that are safe to place in production and untested machines that should remain in development.
Eighty-nine percent of respondents with mature DevOps practices said their DevOps teams are aware of the security controls necessary to protect their organizations from attacks that leverage compromised keys and certificates. In organizations adopting DevOps only 56 percent believe their teams are aware of these controls.
Eighty percent of mature DevOps respondents and 84 percent of adopting respondents allow self-signed certificates. Self-signed certificates can end up issued quickly, however they can make it difficult to uniquely identify machines belong and can be trusted.
Key reuse is a problem: 68 percent of mature DevOps respondents and 79 percent of adopting respondents said they allow key re-use. While key re-use saves time, if a cyber criminal is able to gain access to one key they will automatically gain access to any other environment or application where the key ended up used.
As the speed and scale of DevOps development intensifies, the use of secure encrypted communications explodes.
Without robust security measures and practices, successful attacks that target DevOps keys and certificates can allow attackers to remain hidden in encrypted traffic and evade detection.
According to a recent report from A10 Networks, 41 percent of cyber attacks used encryption to evade detection.
“If the keys and certificates used by DevOps teams are not properly protected, cyber criminals will be able to exploit SSL/TLS keys and certificates to create their own encrypted tunnels,” said Tim Bedard, director of threat intelligence and analytics for Venafi. “Or attackers can use misappropriated SSH keys to pivot inside the network, elevate their own privileged access, install malware or exfiltrate large quantities of sensitive corporate data and IP, all while remaining undetected.”