Venafi, GlobalSign Partner To Address Machine Identities, Certificate Issues for DevOps
Machine identity protection firm Venafi and GlobalSign, an identity solutions provider, are teaming up to solve certificate issues in DevOps. The Venafi/GlobalSign work lets DevOps teams automate the procurement and installation of trusted digital certificates.
As organizations embrace DevOps, the number of machine identities required is exploding. However, because developers maintain their own methods for obtaining and using machine identities, the situation quickly becomes chaotic, expensive and risky.
To respond to this growing issue, machine identity protection firm Venafi and GlobalSign, a PKI management and IoT identity solutions provider, are deepening their partnership to address multiple certificate issues in DevOps.
Under the partnership, the companies have integrated the Venafi Cloud with GlobalSign's high-performance PKI solutions for enterprises.
Thanks to the teamwork of Venafi/GlobalSign, DevOps teams will be able to automate the procurement and installation of trusted digital certificates. The integration also provides DevOps teams with quick, high-speed access to trusted machine identities throughout the enterprise -- across multiple clouds, hybrid infrastructure, and even containerized environments, officials said.
Further, cryptographic keys serve as machine identities – becoming the foundation of security for apps on enterprise networks, cloud and the internet. Enterprises of all sizes can now have one service for machine identities across their hybrid infrastructure and multiple clouds, helping to increase the speed of DevOps.
Key benefits of the Venafi Cloud and GlobalSign integration include:
- Support for more DevOps use cases, especially those that require ultra-high-speed certificate issuance.
- Embeds certificate issuance into tools developers already use. This includes configuration management, container orchestration, release automation, and secrets management tools.
- Incorporates policy-enforced certificate issuance directly into CI/CD pipelines. This approach allows DevOps and governance teams to enforce the appropriate policies for each environment.
- Prevents outages by automating the certificate lifecycle, eliminating errors, and enforcing security policy within DevOps workflows with out-of-the-box integrations, multiple APIs and SDKs that can be used everywhere, including the Automated Certificate Management Environment (ACME) protocol.
- Improves security posture by securing infrastructure as it is spun up. This enables end-to-end HTTPS with consistent and available integrations, interfaces, APIs and SDKs.
- Eliminates the need to manage PKIs in-house – or to rely on self-signed certificates.
- Complies with multiple standards and security requirements. These include PCI DSS (Payment Card Industry Data Security Standard), NIST (National Institute of Standards and Technology), HIPAA (Health Insurance Portability and Accountability Act) and other audit frameworks.
Operationally, the Venafi Cloud and GlobalSign partnership enables DevOps teams to:
- Get ultra-high speed certificate issuance
- Enforce usage of GlobalSign certificates
- Save DevOps resource time
- Improve security posture
- Monitor certificates for expirations
Under the partnership, security teams can also be sure DevOps teams are using standardized, automated SSL/TLS certificates that fit enterprise policy and eliminate errors.
Ignoring certificate security in DevOps can have unexpected consequences. Therefore, DevOps teams need to automate the procurement and installation of policy-compliant SSL/TLS certificates within DevOps workflows to minimize the risk of application downtime and audit findings and to enable DevOps to go faster, GlobalSign officials added.
Filling the DevOps Security, Certificate Gap – Simplicity Reduces Vulnerabilities
Prior to this latest Venafi/GlobalSign approach, developers might look for shortcuts – including the use of machine identities from unauthorized CAs and weak self-signed and wildcard certificates. Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, said this approach could create risks, because of vulnerabilities, an organization's overall attack surface might be compromised or errors could enter production environments.
“With support for GlobalSign's highest performing and scalable PKI service, Venafi Cloud eliminates the machine identity risks that have plagued DevOps, hybrid and multi-cloud environments,” Bocek said in a statement. “Now, DevOps teams get the fastest, easiest way to automate TLS certificates whether they're using ready-to-use integrations or powerful APIs.”
The partnership will provide DevOps organizations “with more dynamic, flexible machine identity protection solutions,” Bocek added, “and security teams are happy knowing trusted certificates are being used correctly because they have complete visibility.”
GlobalSign’s Nisarg Desai, director of product management, IoT and DevOps, added that the integration of the two companies’ technologies “enables DevOps teams to automate the procurement and installation of trusted digital certificates.”
This is achieved by combining GlobalSign's high-scale PKI for DevOps with Venafi Cloud certificate policy management and enforcement, he added. Organizations can improve security, boost productivity and comply with regulatory frameworks (such as PCI DSS, NIST, and HIPAA) “with just a few lines of code,” Desai added.
Venafi Cloud provides DevOps teams with out-of-the-box integrations, including HashiCorp Terraform, HashiCorp Vault, SaltStack, Ansible, Docker and Jetstack cert-manager. The Venafi Cloud and GlobalSign's PKI for DevOps solution also features well-documented standard interfaces that can be used across teams, including a REST API, an open source VCert SDK (available in Go and Python) and ACME.
With GlobalSign's cloud-based PKI services, developers and information security teams can eliminate the need to build and manage CAs and supporting services, including Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRL).