Just when you have figured out DevSecOps

GitOps is an approach to performing cloud operations in a DevOps way by centralizing the desired state of system into code and enforcing change through automation via a version control system, such as Git. Through this article, we will help you understand GitOps, its growing adoption by operations teams, and the benefits and challenges it presents to experts in the field of cyber security.

GitOps has been around since 2017, when the term was first coined by Alexis Richardson. It has been gaining popularity alongside the advance of DevOps and most recently, DevSecOps. Put simply, GitOps is about doing all cloud operations in a cloud native way, which in my opinion is the right way.

The concept is built around ensuring that there is a single source of truth (Git) for the entire system and using pull-requests to validate any change delivered through automation. By using Git version control systems such as GitHub, operation teams are now able to realize the same benefits as those seen through DevOps communities.

Git acts as a common place where workflows, automation, checks and balances can be applied before entering a production environment, enabling organizations with a crucial foothold to secure by design further than ever before.

A fundamental tenet of GitOps is the need to declare a desired intent (the “what”) versus a typical script, which is a series of instructions to perform (the “how”). A simple analogy that I recently came across described how critical configuration has become. As opposed to a remote control, where you press the buttons until your TV shows you what you want, a declarative configuration is more like a thermostat. You express your intent by setting the desired temperature and the thermostat decides how to get there. Declarative configuration is driven by code for most cloud native infrastructures and is commonly known as Infrastructure-as-code (IaC).

The imperative of moving to declarative

The move from imperative to declarative configuration is what makes GitOps a mixed blessing for security professionals. By adopting GitOps, you are committing to interacting only with Git and leaving the integration and deployment jobs to be automated. But remember, hackers consider Integrated Developer Environments (IDEs) as high-value targets – the goose that lays the golden eggs.

We have seen this recently in the well-publicized software supply-chain hack at SolarWinds, where hackers were able to compromise the code of the popular Orion software used by thousands of companies worldwide to manage IT resources. Therefore, as Git becomes your single source of truth, it is extremely critical to ensure the confidentiality, integrity and availability of your code, secrets, audit trails and workflows.

Codifying security and compliance

Of course, there is an upside too. By ensuring that everything is code driven and declared, the risk from non-automated agents (a.k.a. humans) can be drastically minimized. Using the automation workflows, you can embed compliance scans to enforce best-practices and regulatory mandates to prevent misconfigurations. These checks provide a vital continuous feedback loop to help teams improve the quality of the code and learn best practices along the way. Moreover, detecting the possibility of configuration drift becomes much easier when you can easily compare the desired state in Git with the current operational state in production. You can then quickly isolate vulnerable/potentially compromised resources for investigation.

Everything-as-code

Many DevSecOps tools already available to the DevOps pipeline can be leveraged to secure GitOps, such as IaC scanning, security testing, IAM and secrets management. This can be complimented by building your own compliance requirements and security policies into coded artifacts to bring greater efficacy to your governance framework, an approach now commonly referred to as compliance-as-code and policy-as-code, respectively. Bringing a security-as-code approach has transformed DevOps into DevSecOps, and the same can be said for GitOps. By integrating security and compliance through code, workflows and automation, organizations can embrace GitSecOps to effectively shift security left.

Seven steps to a successful GitSecOps approach:

There are several important aspects for ensuring the security and integrity of your approach to GitSecOps, such as:

1. Applying identity and access controls
Strong identity and access management remains true for GitSecOps. Principles like least privilege, strong authentication and auditability must be enforced. With no direct access to resources required, the need to ensure appropriate infrastructure entitlements and service accounts is of paramount importance.

2. Enforcing change control and peer review workflows
Ensure that changes follow a change control process, are submitted by pull-requests and the pipelines enforce a peer review. This will not allow a single engineer to introduce insecure changes. Further support this by embedding security controls into your change workflow so if a test fails, so too does the pipeline — and the corresponding changes are rejected with supporting reasons.

3. Observing end-to-end
Scanning IaC code ensures that templates such as terraform are checked for misconfigurations, policy compliance, best practice and drift in various stages of the workflow. Most solutions integrate directly into pipelines to maintain continuous workflow processes, making them developer friendly. Ensuring a “defense-in-depth” approach like this provides observability across the complete lifecycle.

4. Keeping your secrets safe
GitSecOps relies upon declarative configurations that require secrets to be considered at the onset in order to manage them securely. Sealed secrets are popular in GitSecOps, where the secret is encrypted and can be openly shared. This approach may be an acceptable risk for some, but if you aren’t amongst them, you should consider alternative methods for integrating vaults and external key managers — even if it introduces an external source of truth.

5. Protecting your audit logs
Logging every action, change and event is crucial to maintain a trusted environment. Delegating every action to automation workflow means that every change can be scrutinized for audit and compliance reasons. Furthermore, the criticality of audit data for recovery and response brings a greater emphasis on ensuring that the integrity and availability of log data is treated with heightened importance.

6. Catching the drift
Because all configurations are determined in code, establishing a baseline and any subsequent deviations from it becomes effortless. By comparing the secure baseline against the current state, any potential changes as a result of external change and/or nefarious intent can be quickly identified and addressed by the security incident responder.

7. Monitoring anomalous behavior
No system is perfect, so preparation for failure must be built into any approach. Monitoring real-time behavior of cloud resources will help you detect unknown or zero-day exploits that may gain a foothold in cloud systems. Being able to identify these and remediate the change in code quickly can vastly improve the time to recover from such attacks.

Culture eats strategy for breakfast!

Credit: Peter Drucker

Finally, just like DevSecOps, GitSecOps also requires the adoption of a new mindset and culture to getting things done in a cloud native way. While most technical challenges can be overcome with technical solutions, cloud operators, security engineers and other experts will require the support of their organization to provide the correct processes, training and environment to thrive, collaboratively.

Sharing common tools, processes and goals — focused on a successful shared outcome rather than an isolated deliverable — ensures that the DevSecOps and GitSecOps goals are aligned to support each other and the organization’s digital transformation vision.

About the author

Amo Matharu

Head of Cloud Security & Strategic Programs, Atos

Amo is a Senior Expert at Atos and leads Global Cloud Security working with customers, partners and industry to overcome security challenges in adopting Digital. Amo has been in the IT industry for over two decades holding senior leadership and technical positions that have led to him become a leading business technologist in Digital and Security. Amo graduated with a bachelors honours degree in Mathematical Business Analysis and throughout his career Amo has continued to advance. He has successfully completed an executive leadership program at HEC Business School Paris, and continues to be a certified information security and risk practitioner with CISM and CRISC accreditations from ISACA. Through his career Amo has pioneered the development of new capabilities and growth, including the development of the first purpose-built Atos Security Operations Center in the United Kingdom, and the patent filing for Atos Cloud Security Engine, developed in collaboration with Google Cloud. In his personal time Amo is an assistant coach for a local junior Football team.

Interested in next publications?

 

Register to our newsletter and receive a notification when there are new articles.