Challenges of Managing Digital Certificates in DevOps

Captions
How you doing, folks? My name is Anthony Ricci, I'm the VP of Engineering at Keyfactor, and today we're going to talk about the challenges of digital certificates within a DevOps environment. We see here a sample technology stack that we're going to go through and explain what your organization may do to develop or deploy your applications. So we'll start at the bottom. Here's your infrastructure, right? Essentially it could be bare metal, could be a data center or multiple data centers for that matter, maybe a cloud-based environment; it could be AWS, Google Cloud, Azure, doesn't really matter. So that's where it starts, and then we'll focus on deployment of your virtual machines within those environments, so put that over here. Once you've got your infrastructure configured, now let's talk about your clusters. Maybe you might have a couple of clusters; let's just say for example we'll have two clusters here, for conversation purposes. Once you configure a cluster, you need an orchestrator to manage it, so most people are deploying Kubernetes. It doesn't have to be Kubernetes, but we'll just assume that for the time being. And then also, depending on the complexity of your environment, or a multi-environment where maybe you have a mix of on-premise and cloud, you may need something called a service mesh. A service mesh gives you that capability for service-based discovery, DNS management of your different services and pods within those environments, so everything can communicate appropriately and be managed in an ephemeral environment where you've got things spinning up and spinning down all the time. So we'll talk about our service mesh here, and I'm going to break this out and explain momentarily what I mean by that. So this can be a service mesh, something like Istio, and also you may have a logical ingress here, right? This will be an edge where you have some kind of web server that's going to be deployed to serve up, whether it's an API or website or application, that you have certain people using. And of course your application, or number of apps, that you're deploying. It's very simple: you're starting from the bottom up, where we talk about the infrastructure all the way to applications. So this is a functional stack.

Now let's start talking about security. Let's talk about secrets management. Kubernetes comes with onboard etcd, where you can deploy things like credentials and different secret information that you're going to have your applications or infrastructure leverage, but let's just assume that you're going to use something like HashiCorp Vault in this case. Vault is another product that competes and has a very good interface and a lot of good features from an enterprise-wide perspective. So now we have the constructs to build out our environment. Next thing, let's start talking about digital certificates. A lot of people just think about SSL certificates as being the only digital certificate used; of course there are other ones, we have client certificates also. In an environment like this you may have an ingress which is going to be supporting SSL certificates, and then maybe you have your orchestrators or pods or services that need to deploy mTLS, or what we call mutually authenticated certificates. Now where are you going to get those certs? Well, that's a great question. So we'll go here: Kubernetes has what we call an onboard CA, right? And also Istio has an onboard CA. Also the ingress, when we talk about SSL: I've been in plenty of conferences and conversations around Let's Encrypt, and a lot of times SSL certificates and management of digital certificates in general is very discounted, and in this case everyone kind of goes and says, I'll just implement Let's Encrypt and I have encryption, right? So the ingress can be supported that way. By the way, Vault also has an onboard CA, so we'll stick that here too.

So now, from an application perspective or DevOps perspective, you perceive that you do have security, which you do, right? But the problem is the management of that security. What we're trying to do with these DevOps environments, or the flow of your applications and deployment, is to eliminate or minimize TCO, total cost of ownership. In this case you're actually increasing it: you have four different implementations of different CAs that you're deploying within that environment. So the challenges are the way you implement the CA here, where you input the CAs. Even though PKI in nature follows certain constructs, the implementation of this, the digital certificate policy enforcement and how you handle that, can be significantly different from one technology to another. This is a big problem in the digital space; it's always been a big problem. But what if we had a solution for you to be able to solve that? Well, we do, and it's called Keyfactor. So we're going to put Keyfactor over here. Keyfactor you can use in a variety of different ways. We have PKI as a service, or public key infrastructure as a service, which allows you to alleviate the management of those digital certificates from your environment and allows us to do it on your behalf. Also you can do it on-premise or in your cloud if you choose to do so, depending on how big your organization is. I'm not necessarily going to say one-size-fits-all, but we do have different products and services that you can take advantage of that can fit the needs of your organization.

So in this case what we try to do is eliminate the issuance of these CAs from these onboard technology stacks and then create what I call the last-mile integration points into Keyfactor, which gives you a unified approach to management of certificates within the environment. So when you look here, it gives you interoperability between the different technology stacks and the capability for Keyfactor to manage those CAs behind the scenes, and maybe even consolidate some of the CA technology behind the scenes under one umbrella. What does that really give you from a DevOps perspective? What that gives you is control and visibility and autonomy between all your different CAs, so you have one group that manages, preferably your information security group, InfoSec. They can do policy enforcement, auditability of those CAs, and ensure that you're staying consistent or compliant within your industry as well as your organization, and then allow you, as a DevOps expert or application developer, to focus on features and functions of your application and deployment of that in the stack.
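The talk's core point is that four onboard CAs (Kubernetes, Istio, the ingress, Vault) each issue certificates under their own policy, and that a single group needs visibility and uniform policy enforcement across all of them. The following Go program is an added example, not code from the video or from Keyfactor: it builds four constructed CAs in memory with the standard library's crypto/x509, issues one leaf certificate from each, and then runs a single inventory pass that counts certificates per issuer and reports policy violations (unsanctioned issuer, lifetime over the maximum, certificate inside its renewal window, missing SAN). Every CA name, hostname, SPIFFE ID and policy threshold is an assumption made for the example; the fixed clock keeps the output reproducible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Policy is a constructed example of rules one InfoSec group could apply identically
// to certificates from every CA in the stack; the values are assumptions, not Keyfactor's.
type Policy struct {
	AllowedIssuers map[string]bool // CAs the organisation has sanctioned
	MaxValidity    time.Duration   // longest lifetime a leaf certificate may have
	RenewFraction  float64         // flag when remaining lifetime drops below this share
}

// Finding is one policy violation attributed to the CA that issued the certificate.
type Finding struct{ Subject, Issuer, Problem string }

// Inventory checks parsed leaf certificates from any source against one policy, so the
// same pass covers certs pulled from Kubernetes secrets, Istio workloads, an ingress or Vault.
func Inventory(certs []*x509.Certificate, p Policy, now time.Time) []Finding {
	var out []Finding
	for _, c := range certs {
		subj, issuer := c.Subject.CommonName, c.Issuer.CommonName
		add := func(problem string) { out = append(out, Finding{subj, issuer, problem}) }
		if !p.AllowedIssuers[issuer] {
			add("issued by a CA outside the sanctioned set")
		}
		lifetime := c.NotAfter.Sub(c.NotBefore)
		if lifetime > p.MaxValidity {
			add("validity period exceeds policy maximum")
		}
		if float64(c.NotAfter.Sub(now)) < float64(lifetime)*p.RenewFraction {
			add("inside renewal window or already expired")
		}
		if len(c.DNSNames) == 0 && len(c.URIs) == 0 {
			add("no SAN (DNS name or SPIFFE URI)")
		}
	}
	return out
}

// CountByIssuer answers the "how many CAs are you really running?" question.
func CountByIssuer(certs []*x509.Certificate) map[string]int {
	counts := map[string]int{}
	for _, c := range certs {
		counts[c.Issuer.CommonName]++
	}
	return counts
}

// newCA builds a self-signed CA (constructed for the example; errors ignored for brevity).
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issue signs a leaf certificate with the given CA, with optional DNS and SPIFFE URI SANs.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, dns []string, uri *url.URL,
	notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: dns, NotBefore: notBefore, NotAfter: notBefore.Add(lifetime),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if uri != nil {
		tmpl.URIs = []*url.URL{uri}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// SampleStack recreates the four onboard CAs from the whiteboard with constructed certs:
// Kubernetes, Istio, the ingress (a stand-in for Let's Encrypt) and Vault.
func SampleStack(now time.Time) []*x509.Certificate {
	const day = 24 * time.Hour
	kubeCA, kubeKey := newCA("kubernetes-ca", now)
	istioCA, istioKey := newCA("istio-ca", now)
	ingressCA, ingressKey := newCA("ingress-ca", now)
	vaultCA, vaultKey := newCA("vault-ca", now)
	spiffe, _ := url.Parse("spiffe://cluster.local/ns/default/sa/web") // constructed SPIFFE ID
	return []*x509.Certificate{
		issue(kubeCA, kubeKey, "kube-apiserver", []string{"kubernetes.default.svc"}, nil, now.Add(-30*day), 365*day),
		issue(istioCA, istioKey, "web-workload", nil, spiffe, now.Add(-time.Hour), day),
		issue(ingressCA, ingressKey, "api.example.com", []string{"api.example.com"}, nil, now.Add(-80*day), 90*day),
		issue(vaultCA, vaultKey, "payments-svc", nil, nil, now.Add(-day), 5*365*day), // no SAN, 5-year lifetime
	}
}

// DefaultPolicy is the constructed baseline: Vault's CA is deliberately left unsanctioned.
func DefaultPolicy() Policy {
	return Policy{
		AllowedIssuers: map[string]bool{"kubernetes-ca": true, "istio-ca": true, "ingress-ca": true},
		MaxValidity:    397 * 24 * time.Hour,
		RenewFraction:  0.25,
	}
}

func main() {
	now := time.Date(2020, 8, 4, 0, 0, 0, 0, time.UTC) // fixed clock so results are reproducible
	certs := SampleStack(now)
	fmt.Println("certificates per issuing CA:", CountByIssuer(certs))
	for _, f := range Inventory(certs, DefaultPolicy(), now) {
		fmt.Printf("%-16s issued by %-13s %s\n", f.Subject, f.Issuer, f.Problem)
	}
}
```

Running it reports four distinct issuers and four findings: the ingress certificate is inside its renewal window, and the Vault-issued certificate trips three rules at once (unsanctioned issuer, five-year lifetime, no SAN) while the Kubernetes and Istio certificates pass. The design point is that `Inventory` depends only on parsed X.509 fields, not on which CA produced them, which is what lets one team apply one policy across the whole stack.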
Info
Channel: Keyfactor
Views: 282
Rating: 5 out of 5
Keywords: Keyfactor, whiteboard, public key infrastructure, the keyfactor difference, devops, DevSecOps, DevOps, PKI, Certificate automation, anthony ricci
Id: 7LX3lH76Iss
Length: 8min 5sec (485 seconds)
Published: Tue Aug 04 2020