Trusted Application Delivery: Security shifts left with GitOps and Policy as Code
Weaveworks CEO Alexis Richardson and Magalix CEO Mohamed Ahmed talk trusted delivery and GitOps in the latest instalment of our podcast.
Further reading
Weaveworks' CEO Alexis explains Trusted Application Delivery
GitOps for absolute beginners - a new ebook
The Art of Modern Ops podcast: Episode 21
In episode 21 of The Art of Modern Ops, we heard from two innovators in the Kubernetes and cloud native world. Nothing especially new there, but what made this episode different was who the two interviewees were. Alexis Richardson is the founder and CEO of Weaveworks, while Mohamed Ahmed is founder and CEO of Magalix. Weaveworks has recently acquired Magalix, bringing a wealth of policy and trusted application delivery expertise into the Weaveworks fold.
This episode of the podcast represents a great opportunity to learn more about trusted application delivery in the context of CI/CD pipelines, the role it has to play in the evolution of GitOps and the specific products and features that will be available in Weave GitOps as a result.
Magalix: the who, the what and the why
Before we get into the subjects that were discussed on the podcast, it’s worth taking a step back and introducing Magalix. Founded four years ago, the company built a container-as-a-service platform, before realising that the key opportunity for them was in security and container best practice. The Magalix team first began working with Weaveworks in early 2020 and now, two years on, the two are one company.
The rationale for working together was simple. Trust, policy and security are all clearly interconnected concepts – and there is no doubt that in the enterprise today, these factors are critical in any decision to adopt new platforms or processes. So the more successfully they can be baked into GitOps, the more successful GitOps will be as a model for delivering and managing enterprise cloud applications.
“With Magalix we see a really good fit, because they can embed deeply into the Flux implementation with what they've been calling policy as code, which is basically declarative compliance.” - Alexis Richardson, Founder & CEO, Weaveworks
Automated management needs trusted application delivery
At its heart, GitOps is about automating systems administration, whether those systems are on premises, in the cloud or at the edge. But organizations of all sizes need to know they can automate safely. Magalix was the perfect fit for Weaveworks because of what they came to call ‘policy as code’, which you could view as declarative compliance: the rules a deployment must satisfy are written down as data, versioned alongside the manifests they govern, and evaluated automatically. And because it is declarative, it can become part of the GitOps pipeline. As Alexis explains on the podcast, integrating it into the pipeline is vital, because it means that errors or vulnerabilities can be caught while they are still just errors in the configuration or the code, in other words before they make it into production.
“67% of cloud breaches or operational issues are due to misconfigurations, either at the infrastructure level or at the application level.” - Mohamed Ahmed, Founder & CEO, Magalix
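To make the idea of declarative compliance concrete, here is a small policy-as-code gate of the kind a CI job could run on every pull request before Flux ever reconciles the change. This is an added example written for this page, not Weaveworks or Magalix code, and it does not reproduce the Magalix policy format: the policy ids, the operators, the registry name and the two sample manifests are all constructed for illustration. Each policy is plain data (a field inside a container spec, an operator and an expected value) and carries an `enforce` flag, so the same rule can be rolled out in audit mode first and switched to blocking later.

```python
"""Minimal policy-as-code gate for Kubernetes workload manifests.

Added example, not Weaveworks or Magalix code. Policies are data, so
they live in Git next to the manifests and are evaluated in CI, before
the change reaches a cluster. Manifests are shown as Python dicts here;
a real job would load them from YAML with the same structure.
"""
import re

# Accepts name:tag or name@sha256:<digest>; rejects an untagged image
# (implicitly :latest) and an explicit :latest. Registries with a port
# (host:5000/name:tag) are handled; the name:tag@digest form is not.
PINNED_IMAGE = r"^[^\s@:]+(?::\d+/[^\s@:]+)?(?::(?!latest$)[^\s@:]+|@sha256:[0-9a-f]{64})$"

# Policy ids and messages are made up for this example.
POLICIES = [
    {"id": "image-pinned", "enforce": True, "field": "image",
     "op": "regex", "value": PINNED_IMAGE,
     "message": "image must be pinned to a tag or digest, never :latest"},
    {"id": "no-privileged", "enforce": True,
     "field": "securityContext.privileged", "op": "not_equals", "value": True,
     "message": "privileged containers are not allowed"},
    {"id": "run-as-non-root", "enforce": True,
     "field": "securityContext.runAsNonRoot", "op": "equals", "value": True,
     "message": "container must set runAsNonRoot: true"},
    {"id": "memory-limit", "enforce": True,
     "field": "resources.limits.memory", "op": "present",
     "message": "memory limit is required"},
    {"id": "cpu-limit", "enforce": False,  # audit only: reported, not blocking
     "field": "resources.limits.cpu", "op": "present",
     "message": "cpu limit is recommended"},
]


def lookup(obj, dotted):
    """Walk a dotted path through nested dicts; None if any key is missing."""
    cur = obj
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def check(rule, container):
    """True if the container satisfies one rule."""
    actual = lookup(container, rule["field"])
    op = rule["op"]
    if op == "present":
        return actual is not None
    if op == "equals":
        return actual == rule["value"]
    if op == "not_equals":
        return actual != rule["value"]
    if op == "regex":
        return isinstance(actual, str) and re.match(rule["value"], actual) is not None
    raise ValueError(f"unknown operator {op!r}")


def pod_containers(manifest):
    """Yield (kind, container) for Deployment-like objects or a bare Pod."""
    pod_spec = lookup(manifest, "spec.template.spec") or lookup(manifest, "spec") or {}
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind, []):
            yield kind, c


def evaluate(manifest, policies=POLICIES):
    """Return every violation, enforced or audit-only."""
    name = lookup(manifest, "metadata.name")
    violations = []
    for kind, c in pod_containers(manifest):
        for rule in policies:
            if not check(rule, c):
                violations.append({
                    "policy": rule["id"], "enforce": rule["enforce"],
                    "container": f"{name}/{kind}/{c.get('name')}",
                    "message": rule["message"]})
    return violations


def admit(manifest, policies=POLICIES):
    """Pipeline gate: True only when no enforced policy is violated."""
    return not any(v["enforce"] for v in evaluate(manifest, policies))


# Constructed sample manifests (not taken from the page or any real system).
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "registry.example.com/payments:latest",
         "securityContext": {"privileged": True}}]}}},
}
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "registry.example.com/payments:1.4.2",
         "securityContext": {"privileged": False, "runAsNonRoot": True},
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}},
}

if __name__ == "__main__":
    for v in evaluate(BAD_DEPLOYMENT):
        level = "DENY" if v["enforce"] else "WARN"
        print(f"{level} {v['policy']} {v['container']}: {v['message']}")
    print("admit bad:", admit(BAD_DEPLOYMENT), "admit good:", admit(GOOD_DEPLOYMENT))
```

Run it and the first manifest is refused with four blocking findings (an unpinned image, a privileged container, no `runAsNonRoot`, no memory limit) plus one warning about the missing CPU limit; the hardened manifest passes. The point is not the particular rules but that they are reviewable data in the same repository as the workloads, so a change to policy goes through the same pull request flow as a change to an application.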
A case in point: SolarWinds
To illustrate the urgent need to bake policies into the pipeline, Alexis cited the case of SolarWinds and the high-profile attack the company experienced. Had policy as code been integrated into their delivery pipeline, they might have stood a better chance of eliminating the weaknesses that allowed attackers to introduce back doors into the code that was ultimately shipped. As it stands, the entire industry has grown used to an approach whereby configuration is verified after deployment and problems are fixed after the fact. There is a growing acceptance that this has to change, and that is what makes trusted delivery such a hot topic right now.
Who is responsible when things go wrong?
It’s not just about when you introduce policy checks. It’s about the nature of the checks themselves, and who they allow to do what. This is vital in large DevOps teams where, in an example Mohamed gave, more than one person may have access to problematic containers. Situations can arise where application developers, security engineers and infrastructure administrators all miss something, each believing it was the job of somebody else. With policy integrated into the pipeline, those roles are clearly defined: problematic config or code cannot proceed until it has been attended to by the people who need to review it. As technology evolves and these roles overlap more and more, policies become vital to ensure that teams work together productively to prevent bad deployments.
The faster you move, the better your security checks need to be
The conversation went on to cover how the success of GitOps to date has made controls for trusted delivery even more important to cloud native application delivery. GitOps is so good at automation, especially at scale, that it makes policies like this necessary. As Alexis explained, it makes people so productive that they naturally make more changes and updates than they otherwise would. All of which is good for business, because the faster you can innovate, the more effectively you will compete. But it does mean the guardrails need to be stronger and clearer than they have been until now.
To hear the conversation in full, listen to the podcast now.