How Trusted Delivery Can Protect You From Becoming The Next Tech Horror Story
Trusted delivery through policy-as-code is the best way to secure your GitOps pipeline against cyber attacks such as cloud misconfigurations. Take steps to avoid being the next news headline.
Cloud-native technologies have introduced ground-breaking advancements in accelerating software launches. On the flip side, they have widened the attack surface. Cloud misconfigurations are estimated to account for over 99% of breaches by 2025, according to Gartner. We have already witnessed some of the biggest attacks, affecting untold numbers of organizations, over the last couple of years. SolarWinds is likely the most notable example: attackers were able to access the systems of thousands of its customers after malicious code was injected into SolarWinds' supply chain. This incident illustrates why policy-as-code belongs in the delivery pipeline. Security guardrails improve both security and compliance, and one effective way to add them is through Trusted Delivery.
In this article, we learn what Trusted Delivery and policy-as-code are and how they help organizations protect their development lifecycle against security threats.
What Exactly is Trusted Delivery?
Trusted Delivery is the practice of codifying security policies within your software delivery pipeline through a policy-as-code methodology for security and compliance. It introduces guardrails at the software delivery stage by embedding, in code form, company policies and industry-mandated security best practices and standards.
With the Shift Left approach, you can detect and fix vulnerabilities and other bugs early in the lifecycle through automated security and compliance checks achieved with policy-as-code. There are three types of policies that can be codified within the system design:
Security & Compliance Policies:
These are used to ensure that industry best practices (MITRE ATT&CK) are implemented along with compliance standards (PCI DSS, CIS standards) dictated by the industry. These policies protect your software from data breaches that result from misconfigurations.
Resilience Policies:
By enforcing these policies, you make your system highly available and fault-tolerant and maintain business application continuity. These policies are enforced in Kubernetes clusters.
Coding Standards Policies:
You can use these policies company-wide to enforce consistency in coding procedures based on a set of guidelines. Any code that violates the predetermined criteria is rejected automatically by the system.
Create and Codify Security & Compliance Policies
Define your organizational policies, security best practices and frameworks, and industry-led compliance standards to build a list of policies that need to be codified. Once you have them prepared, write them in a high-level language like YAML or Rego (used by Weave GitOps).
All stakeholders involved in the software development lifecycle should vet and give a go-ahead to these policies.
Build the Right Workflows with Integrated Policies
You can enforce these codified policies in your SDLC pipeline using the Weave GitOps policy engine, built on top of the open source Open Policy Agent (OPA). Our policy engine comes integrated with over 100 policies across resilience, security, and coding standards. These policies are hosted in Git.
The engine monitors the pipeline with guardrails implemented at different stages to detect policy violations. The checkpoints are implemented at commit time, build time, deploy time, and run time. This way you get automated checkpoints at every step, and the peace of mind that comes with them.
Get Actionable Insights on Cloud Security & Compliance
The policy engine proactively generates reports after regularly scanning your assets and configurations. Weave GitOps generates two types of reports:
1- Tactical: These reports alert you to any identified security issues that need immediate resolution.
2- Compliance: These reports tell you the progress you are making in terms of compliance status.
Trusted Delivery with GitOps
With GitOps, the software delivery pipeline is centered around Git as the single source of truth and is an automation-driven practice. Policy-as-code is a natural security and compliance strategy for GitOps, since it ensures that misconfigurations and errors are automatically detected and alerted on, and that offending deployments are stopped.
Let’s look at a common GitOps workflow to understand how multiple checkpoints can be implemented for trusted delivery.
The developer commits the code to a Git repository, which is used by the CI tool to test and build container images. These container images are then pushed to the image repository before being deployed to a Kubernetes cluster. Within the cluster, a GitOps agent continuously monitors the actual state to ensure it matches the desired state declared in Git.
So, there are ideally four points where you need to implement security guardrails:
1- Git Repository for Infrastructure as Code (IaC) Scanning
The IaC templates are scanned against the codified policies before they are committed to the repository. This commit-time feedback catches misconfigurations and errors early on, when they are cheapest to mitigate.
2- CI Stage to Detect Misconfigurations
This check ensures that code moved to the build stage is in line with the policies defined and stored in Git. The build-time feedback highlights any violation.
3- Kubernetes Cluster to Get Deploy-time Feedback
In this stage, object creation is blocked when controllers in Kubernetes detect any deviation from the codified policies. This ensures that no known violation slips into the runtime infrastructure.
4- Configuration Repository to Audit Run-time Security & Compliance
This check continuously scans the IaC templates, reviewing the changes that moved through the pipeline, together with the Kubernetes runtime, to detect any policy violations.
You can use Rego (supported by Weave GitOps) to create, enforce and manage the policies that you want to implement in your pipeline. You can write your own policies or pick them from the Weave GitOps Policy Library, a curated set of security and compliance policies. Using a centralized policy management platform eases the process of codifying policies by eliminating the need for different languages, APIs, and tools.
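The following is an added example, not a policy from the Weave GitOps Policy Library: one generic OPA Rego module (package name assumed) that codifies one rule from each of the three policy types described above (security, resilience, coding standards) for a Kubernetes Deployment, plus a unit test that `opa test` can run as the commit-time checkpoint. The Deployment in the test is a constructed sample.

```rego
# Generic OPA Rego; package name is an assumption for this example.
package guardrails.deployment

import future.keywords

# Security & Compliance: a privileged container gets host-level access (a CIS Kubernetes Benchmark finding).
deny contains msg if {
    some c in input.spec.template.spec.containers
    c.securityContext.privileged == true
    msg := sprintf("container %q must not run privileged", [c.name])
}

# Resilience: without CPU and memory limits one pod can starve the node and its neighbours.
deny contains msg if {
    some c in input.spec.template.spec.containers
    some resource in ["cpu", "memory"]
    not c.resources.limits[resource]
    msg := sprintf("container %q has no %s limit", [c.name, resource])
}

# Resilience: a single replica offers no fault tolerance.
deny contains msg if {
    input.kind == "Deployment"
    input.spec.replicas < 2
    msg := sprintf("Deployment %q needs at least 2 replicas, got %d", [input.metadata.name, input.spec.replicas])
}

# Coding standard: images must be pinned to a tag or digest so every build is reproducible.
deny contains msg if {
    some c in input.spec.template.spec.containers
    unpinned(c.image)
    msg := sprintf("container %q image %q is not pinned", [c.name, c.image])
}

unpinned(image) if endswith(image, ":latest")
unpinned(image) if not regex.match(`[:@][^/]+$`, image)  # last path segment carries no tag or digest

# Unit test for `opa test`: the constructed Deployment trips every rule above (5 violations).
test_bad_deployment_is_denied if {
    bad := {"kind": "Deployment", "metadata": {"name": "web"},
            "spec": {"replicas": 1, "template": {"spec": {"containers": [
                {"name": "app", "image": "nginx:latest",
                 "securityContext": {"privileged": true}}]}}}}
    violations := deny with input as bad
    count(violations) == 5
}
```

Wiring the same `deny` set into the build and deploy checkpoints only changes the caller; the policy itself stays in Git as the single source of truth.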
Advantages of Trusted Delivery
Protection Against Misconfiguration:
The policy-as-code approach ensures that you detect cloud misconfigurations in IaC templates even before they are committed to Git. It also proposes steps to resolve the policy violations.
Speed up Code Delivery:
With multiple guardrails and an automated process ensuring that no security issue slips through the cracks, you can accelerate the release cycle with greater confidence.
Avoid Compliance Violations:
Since policy-as-code is a continuous and recurring process that also includes the codification of compliance policies, you can be confident you will be alerted to any compliance violation.