GitOps Cloud Security Model - An Infographic
In this GitOps cloud security model infographic, we showcase how you can fortify your CI/CD pipelines against misconfigurations and potential data breaches.
DevOps revolves around the continuous integration and continuous deployment (CI/CD) pipeline, which automates building and releasing product artifacts as part of the overall development process. This increases production efficiency and minimizes time to market, both critical factors in an agile development environment.
The quality and dependability of these artifacts directly depend on the pipeline's integrity. Therefore, the pipeline must be secure if the product is to be secure.
Why CI/CD Security Matters
An attacker able to compromise a CI/CD pipeline can easily create processes that insert malware into the deployed applications. As a result, consumers of those applications receive a tampered product that still appears to come from a trusted source. It's common for organizations to focus security controls on applications downloaded from unknown or untrusted sources such as the internet. An attacker's ability to bypass these controls by piggybacking malware onto trusted code makes the pipeline an attractive target.
Attackers have used this strategy several times in recent years, most notably in the SolarWinds attack, where a malware-laden software update from a trusted supplier could infect many of that supplier's customers, including US Government departments and prominent commercial organizations.
The CI/CD pipeline can also be a point of data leakage: a stage in the code-processing lifecycle where an attacker can gain unauthorized access to proprietary or confidential source code outside its secured repositories.
That's why it's imperative that organizations invest in securing their CI/CD pipelines.
GitOps Cloud Security Model
Given the complexity surrounding cloud-native applications and their security challenges, a proactive approach to security is needed. In this infographic, Weaveworks introduces the GitOps Cloud Security Model. This model aims to shed some light on the security flaws in regular CI/CD pipelines and to introduce multiple tiers for security using GitOps and Trusted Delivery.
This GitOps Cloud Security model describes the four phases of developing security-conscious teams and development pipelines:
- Phase 0: This is a regular CI/CD pipeline with little or no automation and only best-effort security practices. We describe some of the security flaws in this phase and how they can make your organization vulnerable to attack.
- Phase 1: The GitOps framework is implemented, deployments are automated, and approved code is delivered into production.
- Phase 2: We add an additional layer of security in this phase, integrating policy as code into GitOps pipelines. Here, security and compliance policies are codified into the development pipelines, preventing any code violations from making it into production.
- Phase 3: We adopt a more proactive approach toward security using a self-service platform model. A dedicated team will be responsible for integrating security policies using the latest threat modeling techniques into the automated GitOps pipelines.
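To make the Phase 2 idea concrete, here is an added example (not code from the infographic or from Weaveworks) of a policy-as-code gate: it evaluates the Kubernetes manifests stored in Git against codified rules and returns the violations, so a CI job can fail the change before the GitOps controller ever reconciles it. The registry name, the rule set and the sample manifest are all assumptions constructed for this illustration.

```python
"""Hypothetical policy-as-code gate for a GitOps pipeline (added example, not Weaveworks code)."""
import re

# Assumed organisational policy (placeholder values): images must come from this
# registry and be pinned by digest, so a tampered upstream tag cannot be swapped in.
TRUSTED_REGISTRY = "registry.example.internal/"
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def _containers(manifest):
    """Yield every container spec in a Pod, or in a workload that carries a pod template."""
    spec = manifest.get("spec", {})
    pod = spec.get("template", {}).get("spec", spec)
    for section in ("initContainers", "containers"):
        for container in pod.get(section, []):
            yield container


def evaluate(manifest):
    """Return the list of policy violations; an empty list means the manifest is admitted."""
    violations = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    for c in _containers(manifest):
        image, cname = c.get("image", ""), c.get("name", "<unnamed>")
        if not image.startswith(TRUSTED_REGISTRY):
            violations.append(f"{name}/{cname}: image {image!r} is not from the trusted registry")
        if not DIGEST_RE.search(image):
            violations.append(f"{name}/{cname}: image {image!r} is not pinned by digest")
        sc = c.get("securityContext", {})
        if sc.get("privileged", False):
            violations.append(f"{name}/{cname}: privileged containers are not allowed")
        if sc.get("runAsNonRoot") is not True:
            violations.append(f"{name}/{cname}: runAsNonRoot must be true")
    return violations


# Constructed sample: the parsed form of a Deployment manifest with one compliant
# container and one sidecar that breaks every rule above.
GOOD_CONTAINER = {"name": "app", "image": TRUSTED_REGISTRY + "web@sha256:" + "0" * 64,
                  "securityContext": {"runAsNonRoot": True}}
BAD_CONTAINER = {"name": "sidecar", "image": "docker.io/library/nginx:latest",
                 "securityContext": {"privileged": True}}
SAMPLE = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
          "spec": {"template": {"spec": {"containers": [GOOD_CONTAINER, BAD_CONTAINER]}}}}

if __name__ == "__main__":
    for violation in evaluate(SAMPLE):
        print("DENY:", violation)
```

In a real pipeline the same rules would be written for an engine such as a Kubernetes admission controller, so that a manifest that bypassed CI is still rejected at the cluster boundary.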
To learn more about each stage, what it entails, and what organizations can do to secure their infrastructure better, download the infographic now.
Weave GitOps - a state-of-the-art GitOps platform powered by Flux and Flagger - offers secure automation from source to production via Trusted Application Delivery. DevOps teams can enforce security and compliance, build application resilience, and implement company-wide coding standards. Ask us for a demo to learn more.