How flawed are your DevOps cryptography practices?Thursday, April 20, 2017
Majority of organisations fail to enforce vital cryptographic security measures in their DevOps environments.
A new study has uncovered fairly serious disconnects between security best practice and reality in DevOps practices, especially developing ones.
According to the study by Venafi, many organisations fail to enforce vital cryptographic security measures, and although the issues are particularly acute for those adopting DevOps practices, even organisations that say their DevOps practices are mature do not follow best practices designed to protect cryptographic certificates and keys.
The majority (82 per cent) of respondents from organisations with mature DevOps practices said corporate key and certificate policies are enforced consistently, but this majority became slim indeed among organisations in the midst of adopting DevOps practices, with 53 per cent enforcing policies consistently.
Perhaps most concerningly, while 62 per cent of mature DevOps organisations consistently replace development and test certificates with production certificates when code rolls into production, a mere 36 per cent of organisations that are just adopting DevOps practices do so, potentially creating a serious security risk.
In addition, 80 per cent of mature DevOps respondents and 84 per cent of adopting respondents allow self-signed certificates, which are hard to control and manage consistently. In fact, 68 per cent of mature DevOps respondents and 79 per cent of adopting respondents said they allow key re-use, further muddying the waters. If attackers gain access to one key, they will automatically gain access to any other environment or application where that key is used - a kind of encrypted chain attack.
Loosely implemented DevOps principles here can be devastating, as development or test certificates and self-signed certificates can both pass cursory checks (and even more detailed ones such as High-Tech Bridge’s SSL checker), because they are technically valid. However, once in the public domain they can leave organisations, their customers and partners extremely vulnerable to cryptographic threats that can be extremely difficult to detect and remediate.
Kevin Bocek, chief security strategist for Venafi, said: “It’s clear that most organizations are still struggling with securing the cryptographic keys and digital certificates used to uniquely identify machines. Although DevOps teams indicate that they understand the risks associated with TLS/ SSL keys and certificates, they clearly aren’t translating that awareness into meaningful protection.”
On a brighter note, new research from the Ponemon Institute shows that the current state of encryption deployment in-enterprise is strong, with a considerable uptick in organisations with enterprise-wide encryption strategies - up from under 20 per cent in 2006 to more than 40 per cent this year.
With data at-rest Ponemon found that around 61 per cent of organisations believe that they routinely encrypt employee and HR data, a surprisingly low 56 per cent encrypt payment data, 49 per cent encrypt financial records and 40 per cent encrypt customer data.
Approximately 67 per cent of organizations report that they either perform encryption on premises prior to sending data to the cloud or encrypt data in the cloud using keys they generate and manage on premises. An additional 37 per cent also report that they encrypt some cloud data using methods that turn complete control of keys and encryption processes to the cloud provider.
The rise in enterprise encryption both internally and externally is only set to continue, driven by concerns over cloud security, regulation and generally better awareness. While this is broadly a ‘good thing’ for businesses and consumers alike, it can also be a boon for hackers, with a recent Ponemon survey finding that of businesses that had recently been attacked, 41 per cent of the attacks have used encryption to evade detection. Clearly food for thought there...