webAI and MacStadium(link is external) announced a strategic partnership that will revolutionize the deployment of large-scale artificial intelligence models using Apple's cutting-edge silicon technology.
Can Financial Service DevOps Teams Improve Their Cryptographic Security?
July 20, 2017
It's imperative for organizations to embrace new and groundbreaking technology. This is especially true in the financial service sector, which has always been at the forefront of innovation. Think about how much your preferred payment methods have shifted over the last decade, or even over the previous year. From mobile banking to high speed trading, the financial industry leads the way on technological advancement.
So, it's not especially shocking that the financial service industry has been early, and prominent, adopter of DevOps technologies and methodologies. Organizations in the sector use DevOps to accelerate application development and faster releases to improve the customer experience in order to remain relevant in today's hyper competitive market. However, as my previous blog discussed, this innovation cannot come at the cost of organizational security.
As we've seen with the SWIFT attacks, financial services organizations are high value targets for cyber criminals all over the world. Because of this, it is imperative that the keys and certificates used by financial service DevOps teams are properly protected. If not, bad actors can easily exploit cryptographic assets and wreak havoc on sensitive corporate data, all while remaining undetected.
Venafi was curious to see if financial services DevOps teams were properly protecting their keys and certificates. To that end, Venafi recently conducted a study that polled over 100 IT professionals in the financial service industry who said they were responsible for cryptographic assets of their DevOps programs. Unfortunately, the financial sector could stand to see some improvements.
According to the study, many financial services organizations have fairly strong cryptographic security policies in their production systems; however, they often fail to enforce the same vital security measures in their DevOps environments.
In addition, financial services organizations continue to use DevOps certificates once software, applications and updates have gone live. This oversight leaves easily preventable vulnerabilities in their DevOps development and test environments and systems.
Interesting highlights from our study included:
■ Almost a third (30 percent) of financial services organizations do not consistently enforce the same cryptographic security policies for DevOps projects as they do with production environments.
■ Only half (51 percent) of financial services organizations replace all DevOps certificates with production certificates once live. If certificates are not changed, there is no way to differentiate between the identities of untested machines that should remain in development and trusted machines that are safe to place in production.
■ The majority (80 percent) of financial services DevOps teams are aware of the volume and severity of cyber attacks as a result of compromised keys and certificates. However, only two thirds (67 percent) of these teams are aware of the controls needed to prevent this type of cyber attack.
On a positive note, financial services organizations generally implement robust cryptographic security practices throughout their operations, with 75 percent requiring strong keys (2048-bit or stronger) and 60 percent of organizations requiring different certificate authorities for development and production environments. Encouragingly, only 2 percent of respondents said their organization does not require key and certificate policies.
So what steps can financial service DevOps teams take to guard their cryptographic assets and yet remain innovative? Ultimately, we in the information security sector must reiterate that protection does not come at the cost of agility or speed. As this study demonstrates, DevOps teams understand the importance cryptographic security, but implementation or poor implementation can be an major security issue.
DevOps teams and their security solution providers must be able to work together in order to provide fast, but safe, development, innovation and releases. And the financial service industry is in a unique position to embrace this mindset and drive these security best practices throughout the market.
Just as finance has led in technology innovation; they are also strong advocates for effective cyber security. As long as we all work together, we can create a trailblazing, and protected future.
Industry News
March 27, 2025
March 27, 2025
Development work on the Linux kernel — the core software that underpins the open source Linux operating system — has a new infrastructure partner in Akamai. The company's cloud computing service and content delivery network (CDN) will support kernel.org, the main distribution system for Linux kernel source code and the primary coordination vehicle for its global developer network.
March 27, 2025
Komodor announced a new approach to full-cycle drift management for Kubernetes, with new capabilities to automate the detection, investigation, and remediation of configuration drift—the gradual divergence of Kubernetes clusters from their intended state—helping organizations enforce consistency across large-scale, multi-cluster environments.
March 26, 2025
Red Hat announced the latest updates to Red Hat AI, its portfolio of products and services designed to help accelerate the development and deployment of AI solutions across the hybrid cloud.
March 26, 2025
CloudCasa by Catalogic announced the availability of the latest version of its CloudCasa software.
March 26, 2025
BrowserStack announced the launch of Private Devices, expanding its enterprise portfolio to address the specialized testing needs of organizations with stringent security requirements.
March 25, 2025
Chainguard announced Chainguard Libraries, a catalog of guarded language libraries for Java built securely from source on SLSA L2 infrastructure.
March 25, 2025
Cloudelligent attained Amazon Web Services (AWS) DevOps Competency status.
March 25, 2025
Platform9 formally launched the Platform9 Partner Program.
March 24, 2025
Cosmonic announced the launch of Cosmonic Control, a control plane for managing distributed applications across any cloud, any Kubernetes, any edge, or on premise and self-hosted deployment.
March 20, 2025
Oracle announced the general availability of Oracle Exadata Database Service on Exascale Infrastructure on Oracle Database@Azure(link sends e-mail).
March 20, 2025
Perforce Software announced its acquisition of Snowtrack.
March 19, 2025
Mirantis and Gcore announced an agreement to facilitate the deployment of artificial intelligence (AI) workloads.
March 19, 2025
Amplitude announced the rollout of Session Replay Everywhere.
March 18, 2025
Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...
