Venafi Adds Kubernetes Support to Certificate Management Platform
Venafi this week added an ability to manage Kubernetes cluster identities to the control plane it currently provides, extending zero-trust down to individual machines using the transport layer security (TLS) protocol.
Shivajee Samdarshi, chief product officer at Venafi, said TLS Protect for Kubernetes makes it simpler to secure highly distributed fleets of clusters running a wide range of cloud-native applications. Attempting to manage all the certificates required for each Kubernetes cluster requires a more automated approach, he explains.
TLS Protect for Kubernetes is an extension of an existing Venafi control plane created to manage the certificates used to encrypt machine data. While most organizations are focused today on securing the identities of application end users, Samdarshi notes that cybercriminals are becoming more adept at tampering with certificates that are often difficult to manually configure correctly.
This latest offering from Venafi is compatible with the open source cert-manager project created by Jetstack, an arm of Venafi. The certificate manager is now being advanced under the auspices of the Cloud Native Computing Foundation (CNCF). It also includes a management interface that provides full visibility of public trusted certificates for ingress TLS, as well as private certificates for inter-service mTLS for pod-to-pod and service mesh use cases. The status of all workload certificates, including their association with Kubernetes resources and X.509 certificate configurations, is surfaced via a web interface.
Collectively, these capabilities make it simpler to identify and remediate security risks that result when certificates are misconfigured, notes Samdarshi. It also helps prevent outages by alerting IT teams when certificates are about to expire and automatically renewing them.
The lack of a certificate can also have a significant impact on web applications that continue to run. Web applications that don’t have certificates are penalized in search rankings because the underlying site is assumed to be insecure. In some cases, IT teams that rely on manual processes to issue certificates may not even be aware of the issue until traffic to that application steadily declines over weeks and months.
The speed at which certificates can be issued is also a critical factor as the rate of application deployment increases. DevOps teams, for example, often require requested certificates to be available in seconds. As the number of microservices-based applications expands, so does the number of certificates required. Making it simpler for IT teams to automatically request certificates ultimately reduces friction across a DevOps workflow.
Certificate management, of course, is not always top of mind in IT operations. However, just about every IT professional has encountered at least one instance where an expired certificate has led to a disruption in service. While it doesn’t usually take long to restore service, certificates that are allowed to expire tend to erode end user confidence in an IT team. The issue now is that as the number of certificates that need to be issued and updated increases, the opportunity for mistakes exponentially increases.
