AppViewX Unfurls Certificate Life Cycle Management Platform for Kubernetes
AppViewX today launched an automated certificate life cycle management platform for Kubernetes environments.
Christian Simko, vice president of product marketing for AppViewX, said AppViewX KUBE+ will prevent outages that occur when certificates are inadvertently allowed to expire. That issue is especially problematic in cloud-native application environments where certificates must be managed across multiple microservices.
Certificates also play a role in securing ingress traffic using the transport layer security (TLS) protocol, and in securing service mesh and pod-to-pod communications using mutual TLS (mTLS).
AppViewX KUBE+ simplifies the management of those certificates by keeping a dynamic inventory of certificates that are segmented into groups and mapped to multiple Kubernetes teams to enable automatic renewals. That approach also makes it possible to enforce public key infrastructure (PKI) policies using approved certificate authorities (CAs).
Too many IT teams are end-running those requirements today by creating their own platform to generate certificates as part of an effort to ensure the availability of application services, noted Simko. AppViewX KUBE+ is designed to automate renewals in a way that eliminates the need to worry about an expired certificate suddenly making a service unavailable, he added. In effect, IT teams can now set certificate policies and then forget about them after they are set, said Simko.
Google is making a case to require organizations to renew TLS certificates every 90 days. Most organizations, however, don’t have the processes in place that would enable them to automate those renewals.
A recent AppViewX study found that 79% of certificates on the internet are vulnerable to man-in-the-middle (MitM) attacks, with as many as 10% expired and 15% self-signed in a way that is considered insecure. Only 21% of servers on the internet use version 1.3 of the TLS protocol. In total, 45% of the IP addresses analyzed that are exposed to unpatched vulnerabilities also had expired certificates (22%) or self-signed certificates (23%).
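The checks behind such an inventory are small enough to show directly. The Go program below is an added example written for this article, not AppViewX code: it audits the tls.crt of one Kubernetes TLS secret against the policy described above (unexpired, not self-signed, issued by an approved CA) and flags the certificate for early renewal once fewer than a configurable number of days remain. The team label, the approved CA name "Corp Issuing CA" and the 30-day renewal window are assumptions, and the certificate it mints is constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Finding is one inventory row: owning team, days of validity left, failed checks.
type Finding struct {
	Team                                            string
	DaysLeft                                        int
	Expired, SelfSigned, UnapprovedCA, NeedsRenewal bool
}

// AuditTLSSecret checks the tls.crt (PEM) of one Kubernetes TLS secret: unexpired, not
// self-signed, issued by an approved CA, and due for renewal once fewer than renewWithinDays remain.
func AuditTLSSecret(team string, tlsCrt []byte, approvedCAs map[string]bool,
	now time.Time, renewWithinDays int) (Finding, error) {
	block, _ := pem.Decode(tlsCrt)
	if block == nil || block.Type != "CERTIFICATE" {
		return Finding{}, errors.New("tls.crt does not contain a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Finding{}, err
	}
	f := Finding{Team: team, Expired: now.After(cert.NotAfter), DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24)}
	// Self-signed: the signature verifies under the certificate's own public key.
	f.SelfSigned = cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	f.UnapprovedCA = !approvedCAs[cert.Issuer.CommonName]
	f.NeedsRenewal = f.Expired || f.DaysLeft < renewWithinDays
	return f, nil
}

// ConstructedSelfSignedPEM mints a throwaway self-signed certificate (constructed sample data).
func ConstructedSelfSignedPEM(cn string, notBefore time.Time, validDays int) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, validDays)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run over every TLS secret in a cluster, the findings grouped by team give the per-team inventory the article describes, with NeedsRenewal as the trigger for an automated renewal.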
If Google has its way, certificate management will become an ongoing process rather than a sporadic event that results in more outages than anyone cares to admit. That should help improve cybersecurity as more organizations embrace the latest versions of TLS whenever certificates need to be updated. In the meantime, however, organizations may want to assume cybercriminals will become more adept at exploiting the weaknesses of existing certificates.
Although outages continue to occur because certificates have not been renewed, far too many organizations have yet to incorporate certificate management into the DevOps workflows they already use to deploy cloud-native applications. As a result, certificate management is still a manual process that many organizations largely overlook, even as application environments become more dynamic with every additional cloud-native application deployed in production.
In effect, each digital certificate that is not renewed is a potential time bomb capable of disrupting any number of business processes. In an ideal world, organizations would have visibility into which digital certificates could potentially disrupt specific workflows. That’s especially critical as more organizations embrace digital business transformation initiatives based on cloud-native applications that depend on valid certificates being continuously updated.