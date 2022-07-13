Published on: July 13, 2022
11 min read
Highlighting features we use daily, our security team outlines 5 ways to configure your GitLab instance for increased security and compliance.
GitLab's compliance management capabilities are designed to integrate compliance into development and deployment processes from the start. As a tenured compliance professional and member of our Security Compliance team here at GitLab, I can tell you from experience it is always easiest to design your processes to be secure and compliant from the start than it is to re-engineer existing processes to be compliant.
Why should you care about your GitLab instance being secure and compliant?
In additon to reducing the risk of a breach and lowering costs, there are regulatory and compliance requirements to consider.
Typically regulatory and compliance audits are unavoidable and can be time-consuming and stressful. However, GitLab has many easy-to-use, built-in features that may help fulfill your organization's compliance requirements and make your environment more secure. Here at GitLab, these are features we use everyday. The best part is, most of the features I'll outline below are included as free features.
Note: I'll add an asterisk (*) next to any feature which is not available on our free tier.
Here's the tl;dr list:
Enabling MFA is simple and reduces the risk of attacks by making it more difficult to gain access to accounts.
MFA can be enforced for all users in your GitLab instance in the admin center. Alternatively, MFA can be configured for accounts individually.
You can learn how to enable MFA in our GitLab documentation.
MFA relates to the following compliance standards:
Illustrative GitLab controls for MFA:
Undoubtedly, one of the biggest risks to your environment is logical access. To reduce the risk, we recommend administrators ensure access is restricted based on the principle of least privilege. Access should be monitored continuously as access changes can occur multiple times, daily, in most organizations. In order to appropriately review access in your GitLab instance, it is important to first understand the access security structure within GitLab.
Within GitLab, there are six different roles that can be assigned to users - “Guest”, “Reporter”, “Developer”, “Maintainer”, “Owner” and “Administrator”. Privileged access within GitLab is considered to be the “Administrator”, “Owners”, and “Maintainers” roles.
Owners and Maintainers are considered administrative because these roles have permissions to do highly sensitive actions including but not limited to: managing merge settings; enabling or disabling branch protection; managing access to a project; managing access tokens; exporting a project; and deleting issues, merge requests, and projects.
As privileged access is the highest risk to your environment, these roles should be tightly controlled.
Some best practices in regards to ensuring access is restricted based on the principle of least privilege include:
When inappropriate access is identified, it is important to take immediate, mitigating actions by checking the user's last login date and checking audit logs as they are available to ensure no inappropriate transactions were performed. These mitigating actions should be conducted upon identification to ensure accessibility of information and to understand potential exposure.
Refer to our GitLab documentation regarding permissions and roles for more information.
Privileged access relates to the following compliance standards:
Illustrative GitLab controls for privileged access:
Within GitLab, role-based access can be used to give access to repositories and branches at the project level. By utilizing protected branches, further restrictions can be configured on certain branches in order to protect them. Protecting your default branch is the most important; this branch is often called "master" or "main".
Some best practice in regards to protection rules include:
Protected branches should be configured in accordance with your organization's change management policy. Here's an example of how to configure protection rules according to our recommendations:
Example of how to configure branch protection rules
This example shows that anyone with the “developer” and “maintainer” roles are allowed to merge to the default branch and “no one” is allowed to push directly to the default branch without a merge request. Further, codeowner approval must be obtained prior to merging.
Protected branches can be modified by anyone with at least “maintainer” access. In order to monitor if protected branch settings are inappropriately modified, administrators should consider implementing a monitoring control by utilizing audit events.
Refer to our GitLab documentation regarding protected branches for more information.
Branch protection settings relate to the following compliance standards:
Illustrative GitLab controls for branch protection settings include:
Changes to your project repository typically start with a merge request. If your default branch is protected, commits must be done through a merge request. By configuring your merge request settings with approval rules ensures that changes are properly approved prior to deployment to production. Within the merge request approval settings you can specify the number of approvals required and the allowed approvers for specific merge requests.
In addition, there are a number of approval settings that further enforce segregation of duties within change management:
Merge request approval settings should be configured in accordance with your organization's change management policy. An example of how to configure merge requests according to the best practices outlined above is as follows:
Example of how to configure merge requests
In the example above, you can see that at least two approvers are required: to enforce segregation of duties and that the approval settings are enforced.
If your change management policy requires approvals from different groups or departments, such as the business owner and the data owner, those approval groups can be added as additional approval rules. When enabled, these settings provide reasonable assurance that your organization’s GitLab instance enforces segregation of duties and systematically enforces your organizational change management policy.
To ensure all projects under a certain group have the same merge request approval settings, at the top-level group, group approval settings can be configured. These settings cascade to all projects that belong to the group.
Merge request approval settings can be modified by anyone with at least “maintainer” access. In order to monitor if merge request approval settings are inappropriately modified, consider implementing a monitoring control by utilizing audit events.
For more information, refer to our GitLab documentation around merge request approvals and settings.
Merge approval settings relate to the following compliance standards:
Illustrative GitLab controls for merge approval settings include:
Audit events are a way to view changes made within GitLab and can be leveraged as a detective and monitoring control for continuous monitoring of configured settings. A report can be generated on the audit event, which can then be provided to auditors to evidence your company’s compliance for the audit period for a specific, configured setting.
Audit events can be configured at the group, project and instance level.
It is best practice to monitor the following audit events in your GitLab environment:
As previously mentioned, merge approval settings and protected branch settings can be modified by anyone with “maintainer” access. By monitoring these critical settings for audit events, it can be determined if the protected branch settings or merge approval settings were modified during the period. If the settings were modified, investigation can occur to understand the potential impact and be an indicator to turn the setting back on.
Here’s an example of what these audit events look like:
Example of audit events
In this example of audit events, we see the following:
Audit events can be streamed to third-party systems. The advantage of this is to integrate into a security information and event management (SIEM) system for centralized monitoring and alerting.
To learn more, check out the GitLab documentation surrounding audit events.
Audit events relate to the following compliance standards:
Illustrative GitLab controls for audit events:
How does GitLab help you maintain your compliance? Have a favorite feature that helps your org maintain its compliance that we missed, let us know in the comments!
Interested in learning more about how your organization can leverage the compliance features offered within GitLab? Connect with a specialist to learn more.
Cover image by Miguel Á. Padriñán on Pexels
