Trusted Application Delivery - Shift DevOps Security Left with GitOps and Policy as Code

Policy driven deployment and management is one of the top DevOps and security pain points in 2022. The addition of Policy as Code (Open Policy Agent “OPA” and Rego language) guarantees that security checks are completed before deployment, in addition to runtime drift detection and automatic remediation through GitOps. These DevOps security tools come together to create trusted application delivery. Trusted Delivery enables a completely policy-driven deployment and operations automation that prevents inconsistent app performance and downtime.

Weave GitOps Enterprise already adds the ability to specify role-based access control using Git-based rules managed through pull request enabling teams to manage access to their Kubernetes environments. Security checks are completed before deployment in addition to runtime drift detection and automatic remediation through GitOps. Hundreds of built-in policies for security, resilience and coding standards, help developers and operators to understand the associated compliance and governance checks/routine with which the service needs to comply.

The main features of Weave GitOps Enterprise: 

• Continuous security and compliance: through the integration of policy-as-code into the GitOps pipelines. Configuration and security policies are held in Git’s version control, where changes can be made, reviewed and fed through an automated pipeline that verifies, deploys and monitors every update and change.
• Deployment guardrails: guarantee the highest level of governance and compliance while maintaining the highest deployment frequency. Deployments can automatically go through pre-flight checks reducing the steps development teams need to remember.
• Custom policy application: allows users to decide where and how policies are applied based on environment, workload, geography or other criteria.
• Multi-layered protection: The GitOps policy as code engine protects the system throughout the software lifecycle — during code commit, deployment and at runtime. Weave GitOps allows each leaf cluster to run its own engine, ensuring continuous policy evaluation should network disruptions occur.
• Continuous compliance monitoring: any policy violation, across applications and clusters in any environment, will cause an alert on the central management console.

Weave GitOps’ trusted application delivery is a single, scalable way to manage policy throughout the application lifecycle and distribute it across every pipeline, cluster, and cloud in the organization.

In highly regulated industries, customers rely on you to protect their livelihood and personal identity, security standards such as  PCI-DSS HITRUST, ISO-27001, and HIPAA are the most common ones. Torsten Volk , an analyst for Enterprise Management Associates (EMA) recently mentioned in the New Stack that

Ad-hoc configuration changes are still common and they are the number one root cause for inconsistent app performance and for app downtime. Only completely policy-driven deployment and operations automation can prevent these issues, but typically does not leave enough flexibility for DevOps teams.

Often security testing is left until the end of the development cycle and can bring a deployment to a halt or even worse break through to production. Automated security checks, guardrails, can prevent delays and guarantee the highest level of governance and compliance while maintaining the highest deployment frequency. If security policy as code is added to GitOps pipelines, DevOps teams can implement a radically declarative approach; ensuring continuous compliance and reliability across environments and minimizing the potential for configuration inconsistencies and human error.

The Gartner®, Hype Cycle™ for Application Security, 2021 Report explains that “In the most mature automation pipelines, Infrastructure & Operations (I&O) engineers mostly spend time on optimization, governance and compliance. They no longer build infrastructure; that work has been automated and turned over to end users. Now, I&O builds the guardrails around the infrastructure services that their end-users consume. I&O must align with security and compliance teams. Policy as Code brings policy enforcement into their automation pipelines, while preserving a separation of duties that mirrors a typical IT org chart.”

The business impacts are:

• Security, compliance and automation: PaC combined with infrastructure automation provides direct enforcement of policies with implicit compliance guarantees.
• Alignment of security and Ops teams: PaC allows security and compliance teams to interface directly with automation pipelines to ensure conformance.
• Visibility and auditability: PaC provides both unambiguous documentation of policies and evidence they are being enforced.
• Less toil: PaC reduces the overhead of creating and enforcing policies.”

Weaveworks customers often leave security testing until the end of the development cycle and can bring a deployment to a halt or even worse break through to production. Automated security checks, guardrails, can prevent delays and guarantee the highest level of governance and compliance while maintaining the highest deployment frequency. If policy as code is added to GitOps pipelines, DevOps teams can implement a radically declarative approach; ensuring continuous compliance and reliability across environments and minimizing the potential for configuration inconsistencies and human error.

*GARTNER and HYPE CYCLE are registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Find out More

Weave GitOps Enterpriseis the only full-stack GitOps platform that can address secure automation, (enforcing security and compliance, application resilience and coding standards) from source to production. Ask us for a demo and see how we enable trusted application delivery for DevOps teams.