Highly Scalable Certificate Issuance for DevOps

GlobalSign PKI for DevOps and Venafi Cloud deliver high-speed, policy-enforced certificate procurement

PARTNER BRIEF


©2019 Venafi, Inc. All rights reserved.

Until now, the process of incorporating trusted SSL/TLS digital certificates into DevOps environments has been slow and complicated—or completely overlooked. As a result, organizations adopting cloud services and containers have increasingly become vulnerable to attack.

Digital certificates serve as machine identities for authentication and encryption. As DevOps dramatically increases the number of machines in a network, the need for machine identity protection for machine-to-machine connections and communications becomes essential. When DevOps environments use poor certificate issuance and management practices, unprotected machine identities increase an organization’s attack surface.

With Venafi Cloud and GlobalSign, organizations can now automate the procurement and installation of trusted digital certificates within continuous integration/continuous delivery (CI/CD) pipelines to secure DevOps practices and support digital transformation. Venafi Cloud certificate policy management and enforcement combined with GlobalSign’s highly scalable PKI services enable organizations to improve security, boost productivity and comply with regulatory frameworks—such as PCI-DSS, NIST and HIPAA—with just a few lines of code.

Machine Identity Protection Challenges in DevOps Environments

DevOps Prioritizes Speed Over Security

Even as DevOps practices are increasingly adopted, security often remains a siloed function that is applied outside of the continuous, collaborative work being accomplished by DevOps teams.


Solution Benefits

• Rapid certificate provisioning that complies with policy.

• Automated provisioning within popular DevOps tools.

• Enforced usage of trusted certificates from leading certificate authorities (CAs).

• Gained crypto- and cloud-agility with standardized certificate processes.

• Outsourced PKI to GlobalSign’s WebTrust-audited operations to remove burden on internal teams.


To increase delivery speed, developers may avoid proper usage of certificates:

• Not using SSL/TLS to secure connections

• Creating their own CAs or using self-signed certificates

• Using certificates from unapproved CAs

• Creating certificates with weak signature algorithms

• Importing untrusted root CA certificates into certificate stores

• Not adequately protecting private keys of root CAs and intermediate CAs

While these shortcuts can help developers deliver software faster, they can also increase business risks. Ultimately, ignoring security in DevOps increases costs by exposing the entire IT infrastructure to expensive failed audits, application downtime and even data breaches.

The Proliferation of Machines Complicates Security

The definition of machines has evolved from traditional servers in data centers to virtual machines, microservices running in containers and cloud infrastructure-as-a-service. Because machines are created and destroyed every microsecond, organizations must have an automated, accurate and efficient way to identify, quantify and document which digital certificates are in use for security and audit purposes. Manual processes cannot keep pace with the velocity of changes in machine identities.

PKI Policies Can Be Difficult to Apply in DevOps

Without a standardized API and CA infrastructure that works across development, test, staging and production environments, developers must create and maintain scripts for each environment and use case. This is time consuming and often results in certificates from unapproved CAs being used in production. Without easy access to an approved single-source CA, organizations open themselves up to a “Wild West” scenario, allowing administrators to choose certificate types, keys, encryption algorithms, etc., on an ad hoc basis. In addition, internal CAs may be created outside of corporate policies, putting both compliance and security at risk.

The Solution: Venafi Cloud with GlobalSign Delivers Highly Scalable PKI for DevOps

Venafi offers a seamless solution that overcomes DevOps certificate challenges. When integrated with GlobalSign’s highly scalable PKI for DevOps, Venafi Cloud delivers certificates to secure everything from traditional to modern infrastructure, whether running in the cloud or on-premises.

This integration provides DevOps teams with easy access to GlobalSign’s hosted PKI services, eliminating the most common PKI challenges, including the need to build and manage CAs and supporting services—such as OCSP and CRL—in-house, and ensuring everything is in line with current PKI best practices.


Containerization

• Use Kubernetes and Jetstack Cert-Manager to automate the management of certificate life cycles for Kubernetes secrets and ingress controllers.

• Leverage Docker and the Venafi Key Management Container to generate key material and request certificates. Certificates are securely exposed to other containers running in the same Docker host as the Venafi container.

Orchestration

• Employ Terraform to perform key generation that can be referenced via its plans for seamless acquisition and deployment of certificates.

Configuration Management

• Use SaltStack to simplify the process of getting and deploying certificates by leveraging the Venafi integration to push certificates to minions via Salt’s pillar system.

Secrets Management

• Enforce policy with HashiCorp Vault for certificates issued using the HashiCorp Vault API.

Supporting Services

• Use the REST API to request certificates, review certificate issuance policies, view issued certificates, push certificates directly to Microsoft Azure Web Apps and more.

• Generate keys to simplify certificate acquisition by using VCert, and eliminate the need to write code that interacts with the Venafi REST API.

• Allow application developers to integrate key generation and certificate management tasks into custom applications with the VCert SDK, a cross-platform software development kit written in Go.

• Automate certificate management for external-facing infrastructure, such as load balancers, by using the Venafi ACME server with certificates from GlobalSign.

How It Works

The process begins when an administrator obtains a GlobalSign account and enters the associated credentials into the Venafi Cloud web interface. Once the GlobalSign account is linked, the administrator can set up policies, defining certificate types and attributes—key length, validity periods, etc.—for certificate issuance.

After policies have been set, user accounts are created for members of DevOps and other teams that consume certificates for securing infrastructure. Teams are able to immediately request and deploy certificates using the following:

• Venafi REST API

• DevOps tool integrations

• VCert SDK

• Automated Certificate Management Environment (ACME) Protocol

• Venafi Cloud web interface
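The policy an administrator defines above (approved CA, key length, validity period) is also worth checking on the consuming side, against the shortcuts listed under DevOps Prioritizes Speed Over Security. The following is an added example, not code from this brief, Venafi or GlobalSign: it uses Go's standard crypto/x509 (the VCert SDK is also written in Go) to flag unapproved or self-signed issuers, weak keys, weak signature algorithms and overlong validity. CertPolicy, Policy, CheckCert, SelfSignedTestCert and the issuer name are assumptions; the test certificate is constructed locally so the check runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// CertPolicy (hypothetical type) holds the attributes the brief says an administrator defines.
type CertPolicy struct {
	ApprovedIssuers []string                  // CA common names allowed to issue
	MinRSABits      int                       // reject weak keys
	AllowedSigAlgs  []x509.SignatureAlgorithm // reject weak signature algorithms
	MaxValidityDays int                       // cap the validity period
}
// Policy is a constructed example; the approved issuer name is a placeholder.
var Policy = CertPolicy{[]string{"approved-issuing-ca.example"}, 2048, []x509.SignatureAlgorithm{x509.SHA256WithRSA}, 398}

// CheckCert returns every violation of p found in cert (empty means compliant). It flags self-signed
// or unapproved-CA certs (the issuer check catches both), weak keys, weak signatures, long validity.
func CheckCert(cert *x509.Certificate, p CertPolicy) (violations []string) {
	fail := func(cond bool, msg string) {
		if cond {
			violations = append(violations, msg)
		}
	}
	rsaKey, isRSA := cert.PublicKey.(*rsa.PublicKey)
	fail(!slices.Contains(p.ApprovedIssuers, cert.Issuer.CommonName), "issuer not on approved CA list: "+cert.Issuer.CommonName)
	fail(isRSA && rsaKey.N.BitLen() < p.MinRSABits, "RSA key shorter than policy minimum")
	fail(!slices.Contains(p.AllowedSigAlgs, cert.SignatureAlgorithm), "signature algorithm not allowed: "+cert.SignatureAlgorithm.String())
	fail(cert.NotAfter.Sub(cert.NotBefore) > time.Duration(p.MaxValidityDays)*24*time.Hour, "validity period exceeds policy maximum")
	return violations
}

// SelfSignedTestCert builds a constructed self-signed RSA certificate so the check runs offline;
// a pipeline would instead check the certificate the CA actually returned.
func SelfSignedTestCert(bits, validityDays int) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now,
		NotAfter: now.Add(time.Duration(validityDays) * 24 * time.Hour),
		Subject:  pkix.Name{CommonName: "dev-service.internal.example"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

A 1024-bit self-signed certificate valid for 400 days fails three checks under Policy; a 2048-bit one valid for 90 days fails only the issuer check, which is exactly the finding a pipeline gate should block on.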

Venafi Solution Details

Venafi’s rich ecosystem supports DevOps with a well-documented REST API, a command line utility, an ACME server and vendor-led integrations with containerization, orchestration, configuration management and secrets management tools used within DevOps CI/CD pipelines and workflows.


PKI Designed for DevOps

• Increase certificate issuance volume and velocity with certificates delivered within two seconds.

• Simplify onboarding by using GlobalSign with the existing Venafi REST API integration to make certificates easy to consume across roles and teams.

• Get certificate flexibility with access to a variety of certificate types that support all DevOps use cases, including certificates for containers, web servers and other endpoints.

Outsourced PKI

• Reduce costs by eliminating the need for internal PKI expertise, ongoing maintenance and associated costs.

• Enjoy a fault-tolerant, scalable SaaS CA that has high availability and is managed at GlobalSign’s globally distributed datacenters. This CA uses reliable, WebTrust-audited infrastructure that provides high performance and uptime SLAs while also securing key storage.

• Get standards-compliant revocation services (CRL, OCSP) without the expense and effort of building globally scalable, reliable revocation infrastructure in-house.

• Easily deploy publicly trusted certificates when needed (e.g., for web servers and external API integrations).

• Ensure certificates and PKI components are up to date with best practices and meet regulatory frameworks, such as PCI-DSS, HIPAA and NIST.

Over Half Use Venafi to Speed Security for DevOps IT Services

53% of surveyed Venafi customers accelerated the delivery of keys and certificates for DevOps IT services after using Venafi automation.

Source: TechValidate. TVID: F15-499-884

GlobalSign Solution Details

Outsourcing the operations of CA management while still retaining control of policy allows DevOps teams to focus on their core competencies. This minimizes risks due to poor PKI implementation and administration.


Why Use Venafi Cloud and GlobalSign Together for DevOps?

By using both Venafi and GlobalSign, you can safely scale cryptographic resources by standardizing and automating the entire certificate process:

• Easily incorporate policy-enforced certificate issuance directly into your CI/CD pipelines.

• Standardize CA infrastructure and enforce policies and standards by environment.

• Leverage DevOps integrations to prevent outages with automatic certificate renewals.

• Secure modern infrastructure, including containers, to enable end-to-end HTTPS.

• Improve security posture by securing infrastructure as it is spun up.

• Comply with PCI-DSS, HIPAA and other audit frameworks.

• Eliminate the need to manage PKI in-house or rely on self-signed certificates.

Next Steps

If you have a Venafi Cloud and a GlobalSign account, or if you’re considering investing in these solutions, contact us to learn how to best leverage your investment. Support digital transformation with automated certificate management that keeps DevOps moving at the speed of business.

Sign up for Venafi Cloud for free: www.venafi.com/cloud

Contact GlobalSign: www.globalsign.com/en/lp/venafi/

About Venafi

Venafi is the cybersecurity market leader in machine identity protection, securing the cryptographic keys and digital certificates on which every business and government depends to deliver safe machine-to-machine communication. Organizations use Venafi key and certificate security to protect communications, commerce, critical systems and data, and mobile and user access.

To learn more, visit www.venafi.com

About GlobalSign

GlobalSign is the leading provider of trusted identity and security solutions enabling businesses, large enterprises, cloud-based service providers and IoT innovators around the world to conduct secure online communications, manage millions of verified digital identities and automate authentication and encryption. Its high-scale PKI and identity solutions support the billions of services, devices, people and things comprising the Internet of Everything (IoE). The company has offices in the Americas, Europe and Asia.

To learn more visit www.globalsign.com