DevOps and CI/CD make for faster code releases, but they also create new challenges for security practices. Think about TLS and code-signing certificates. Almost every component in CI/CD – binaries, builds, web servers and containers – needs certificates to authenticate and verify trust, but traditional PKI processes just can't scale in DevOps environments. Join Keyfactor and Infinite Ranges to learn how PKI and certificate management fits within the CI/CD pipeline and why an integrated and automated approach is key to success. In this webinar, we'll discuss: How applications in the DevOps toolchain use PKI (i.e. Jenkins, Kubernetes, Istio, etc.) The risks of unmanaged or untracked certificates in DevOps environments Best practices to support visibility, compliance and automation of certificates in CI/CD

1. PKI in DevOps:
HOW TO DEPLOY CERTIFICATE AUTOMATION IN CI/CD
CYBERSECURITY SME
INFINITE RANGES
CHRIS PAUL
VP, SOLUTIONS ENGINEERING
KEYFACTOR
ANTHONY RICCI
PRODUCT MANAGER
KEYFACTOR
RYAN SANDERS

2. 2
A Bit About Chris
► Cyber Network Warfare Specialist
► Military Intelligence Systems Maintainer/Integrator
► NOC/SOC
► Tech Lead/Engineer
► Cyber Course Developer
► Cyber Operations Instructor (Contractor)
CYBERSECURITY SME
CHRIS PAUL

3. 3
DevOps Mantra vs Security
Deliver Fast
Nearly 60% deploy multiple times a day, once a
day, or once every few days.
Run Anywhere
Almost 70% of Ops pros report that developers
can provision their own environments.
Automate Everything
A majority of Ops teams (38%) described the
development lifecycle as “mostly automated.”
But…Security is Left Out
Most sec teams don’t have security processes in
place for microservices/containers/APIs/cloud
native or serverless.
And Who Really Owns it?
33% of security respondents say they own
security, but almost as many (29%) said everyone
is responsible for security. Clarity is needed.
*GitLab – Mapping the DevSecOps Landscape | 2020 Survey Results
CYBERSECURITY SME
CHRIS PAUL

4. 4
Cybersecurity Concerns
⊲ Do you know where all your critical assets are?
⊲ Are you confident these assets are deployed
and configured to meet business objectives?
⊲ Are you confident in your ability to measure
drift in these configurations?
CYBERSECURITY SME
CHRIS PAUL
⊲ Lack of oversight and control
⊲ Poor configuration or accidental
misconfiguration
⊲ Environmental drift
Top Cybersecurity Concerns: Questions to ask yourself:

5. 5
Poll Question #1
What are the biggest challenges your organization faces from an
information security perspective?
Increasing complexity of IT / infrastructure1
Lack of cybersecurity skills / resources2
Compliance with privacy laws / regulations3
Keeping up with internal / external threats4
Day-to-day hotspots take too much time5

6. 6
Traditional PKI vs Modern PKI
PRODUCT MARKETING MGR
RYAN SANDERS
Web Servers
Wi-Fi / VPN
Email / Documents
THEN
Traditional PKI
CI/CD Tools
Containers
Orchestration
ADC / CDN
Service Mesh
IoT Devices
Code Signing Mobile / MDM
NOW
Modern PKI
Cloud
DevOps
Mobile
IoT
DISRUPTION
88,750 Keys & Certificates
8 Internal/External CAs
Shorter Lifespans
Few Certificates
Spreadsheets / Scripts
Static Approach

7. PKI in DevOps
HOW X.509 CERTIFICATES FIT INTO DEVOPS & CI/CD
7

8. 8
The CI/CD Pipeline
CODE COMMIT BUILD TEST RELEASE DELIVER PRODUCTION
CONTINUOUS
DELIVERY
CONTINUOUS
DEPLOYMENT
AUTOMATION
Developer pushes new
code and automatically
triggers server build
CI server starts the build
process and automated tests
against the build
Build artifacts are stored and
binaries are delivered to a
runtime environment
Build is deployed to
production (on-premise,
cloud, multi-cloud)
CONTINUOUS
INTEGRATION
VP, SOLUTIONS ENGINEERING
ANTHONY RICCI

9. 9
So Many Tools…
SCM/VCS
CI
BUILD TESTING DEPLOYMENT
IAAS/PAAS
ORCHESTRATION
BI/MONITORING
PROVISIONING
ARTIFACT MGT.
DATABASE MGT.
VP, SOLUTIONS ENGINEERING
ANTHONY RICCI

10. 1 0
Where X.509 Certificates Fit Into CI/CD
VP, SOLUTIONS ENGINEERING
ANTHONY RICCI
CODE COMMIT BUILD TEST RELEASE DELIVER PRODUCTION
Sign Build
Sign Containers
Sign Binaries
Sign Images
Web Servers
Load Balancers
Containers
Orchestration
Service Mesh
Secret Vaults
CI Tools
Build Automation
Repositories
Databases

11. 1 1
The Modern PKI & Application Stack
VP, SOLUTIONS ENGINEERING
ANTHONY RICCI
Cloud CA / Vault Services
Embedded / Built-In Tools
Free CertsOpenSSL Vault
“DIY” PKIRequest Public CAs
Physical Infrastructure
Secrets
VMs VMsVMs
Cluster 1 Cluster 2
CDN / ADC
Clusters
Orchestration
Ingress/Service Mesh
ICA
ICA
ICA
ICA
ICA

12. What’s Working / What’s Not
MANAGING KEYS & CERTS IN DEVOPS ENVIRONMENTS
1 2

13. 1 3
Developers can use any CA – for example, Let’s
Encrypt – or even generate certificates
themselves using popular utilities such as
OpenSSL…but there is little else in terms of
policy enforcement and PKI governance.
GARTNER
“The Resurgence of PKI in Certificate Management, the IoT and DevOps”
Erik Wahlstrom, Paul Rabinovich, October 2018
PRODUCT MARKETING MGR
RYAN SANDERS

14. 1 4
Security & DevOps Challenges
InfoSec TeamsDev + Ops Teams
 Avoid time-consuming, manual request processes
 Use unauthorized or “DIY” CAs
 Use certificates from built-in DevOps / Cloud tools
 Issue non-compliant or self-signed certificates
 Fail to properly track certificates and expirations
 Limited visibility of certificates issued
 Unable to enforce consistent enterprise policy
 Lack control over CA/PKI infrastructure
 No accountability when something goes wrong
 Constantly chasing down non-compliant certificates
DevOps needs fast, easy access to certs.
InfoSec needs visibility and policy.
PRODUCT MARKETING MGR
RYAN SANDERS

15. 1 5
Risk #1 • Outages & Breaches
2017
EQUIFAX
One expired certificate on network
monitoring device left Equifax
blind to the attack for 76 days.
MICROSOFT TEAMS
An expired authentication cert
stopped users from logging into
Teams for nearly three hours.
02/ERICSSON
Ericsson faces a £100 million bill
after millions of mobile users in
Japan / U.K. were impacted.
OCULUS RIFT
Users found out their VR headsets
were not working due to an
expired certificate.
LINKEDIN (AGAIN)
For the second time, LinkedIn
users experienced interruptions
caused by an expired cert.
LINKEDIN
For roughly two hours, LinkedIn
was down across most regions
due to an expired certificate.
FIREFOX
U.S. GOVERNMENT
2018 2019 2020
DOWNTIME
A certificate expires – Gartner
estimates network downtime
costs $300,000 per hour.
DISRUPTION
Services are disrupted – the
IT helpdesk/customer service
are inundated with calls.
RESPONSE
PKI/infosec take hours or
days to identify an expired
certificate as the root cause.
What happens
when an outage
strikes?
REMEDIATION
Teams must locate and
replace every instance of
the expired certificate.
CYBERSECURITY SME
CHRIS PAUL

16. 1 6
Risk #2 • Crypto-Incidents
CYBERSECURITY SME
CHRIS PAUL

17. 1 7
Risk #3 • Code Signing Attacks
CYBERSECURITY SME
CHRIS PAUL
2010
STUXNET
2015 2019
DUQU
2011 2012 2013 2014 2016 2017 2018
BIT9
MALAYSIAN GOV’T
ADOBE
OPERA
SONY
DUQU 2.0
D-LINK
SYNful KNOCK
SUCKFLY APT
D-LINK (AGAIN)
ASUS
APT41
Key Theft
Attackers find and steal
private keys to sell on the
dark web or sign malware.
Signing Breach
They infiltrate the code
signing process itself, despite
secure key storage.
Internal Misuse
Developers accidentally
publish private keys into
publicly accessible locations..
How is code signing
compromised?

18. 1 8
Code Signing Use Case
MULTINATIONAL TECH COMPANY
⊲ Development teams in US East, West, and Israel
⊲ Multiple build server solutions – TFS, Jenkins, etc.
⊲ Multiple dev languages – .NET, C++, Java, iOS
⊲ More than 100+ different products to be signed
⊲ Certs deployed to build servers, managed manually
⊲ Signing process manual and “effort greedy”
PRODUCT MARKETING MGR
RYAN SANDERS

19. 1 9
Poll Question #2
What would you say is your primary concern regarding the use of
keys and X.509 certificates in DevOps?
Manual, time-consuming processes1
Lack of visibility / unknown certificates2
No of control over issuance and usage3
Lack of accountability and ownership4
Insecure code signing / private keys5

20. How to Support DevSecOps
DEPLOY X.509 CERTIFICATE AUTOMATION IN CI/CD
2 0

21. 2 1
The API economy forces organizations to
monitor not only their own certificates, but also
certificates issued and used by partners and
services that the organizations rely on.
GARTNER
“The Resurgence of PKI in Certificate Management, the IoT and DevOps”
Erik Wahlstrom, Paul Rabinovich, October 2018
VP, SOLUTIONS ENGINEERING
ANTHONY RICCI

22. 2 2
Getting it Right • Ideal State
VP, SOLUTIONS ENGINEERING
ANTHONY RICCI
Visibility Control Automation
 Know where certificates are issued from
and all the locations they are installed
 Be able to respond to audit requests
 Understand how certificates are being
used and for which applications
 Continuously monitor issuance and
usage for abnormalities
 Ensure that certificates are issued from
a trusted, enterprise-sanctioned PKI
 Enforce consistent role-based access
and issuance policies
 Assign certificates to application groups
or owners for clear accountability
 Keep private keys and code signing
certificates locked down
 Support multiple CA tools and vendors
 Integrate with built-in issuers such as
Kubernetes, Istio, HashiCorp Vault
 Provide self-service access to
certificates for developers
 Automate certificate renewals and
provisioning
InfoSec controls the backend PKI.
Integrated with native tools and workflows.

23. 2 3
Certificate Lifecycle Management (CLM)
VP, SOLUTIONS ENGINEERING
ANTHONY RICCI
PUBLIC CAs
PRIVATE CAs
SERVERS
ADC
CLOUD
EXISTING CERTIFICATE
PROCESSES
Direct CA
Integration
Inventory &
Automation
KEYFACTOR
COMMAND
Certificate
Stores
CAs
Direct Integration
No Middleware. Inventory, monitor
and renew certificates in place.
Crypto-Agility
Certificates can quickly be re-issued or
renewed from a different CA/template.
No Re-Engineering
No need to re-engineer workflows or
re-issue certs through our platform.
Scalability
The platform is tested and proven to in
environments of 500M+ certificates.
Private Key Storage
No need to store private keys in our
platform – per-template basis.
Extensibility
Modular design enables maximum
extensibility across infrastructure.
No Middleware

24. 2 4
Secure Code Signing Operations
VP, SOLUTIONS ENGINEERING
ANTHONY RICCI
STEP 1
Developer submits code to be signed
via user interface, API, or CSP / KSP.
STEP 3
Keyfactor Code Assure signs code
without keys ever leaving the HSM..
STEP 4
InfoSec and PKI teams can audit
code signing activity throughout..
STEP 2
Signing request is allowed or denied
based on policies set by the admins.
WORKSTATION
SIGNING SERVER
BUILD SERVER
SIGNING TOOL
SIGNING TOOL
SIGNING TOOL
CODE
CODE
CODE
DEVELOPERS
USER INTERFACE
API
CSP / KSP
DEVELOPERS
DEVELOPERS
ADMIN PORTAL
POLICY ENGINE
ADMINS
PHYSICAL OR CLOUD HSM
1 2
Audit Logs
3
4

25. It’s Q&A Time
DON’T BE SHY, WE WANT TO HEAR FROM YOU
2 5

26. Thank You
2 6
CYBERSECURITY SME, INFINITE RANGES
CHRIS PAUL
VP, SOLUTIONS ENGINEERING, KEYFACTOR
ANTHONY RICCI
PRODUCT MANAGER, KEYFACTOR
RYAN SANDERS
cpaul@infiniteranges.com
anthony.ricci@keyfactor.com
ryan.sanders@keyfactor.com