Protecting cloud-native applications, services, and infrastructure
GitLab Protect enables organizations to proactively protect cloud-native environments by providing context-aware technologies to reduce overall security risk. Protect is a natural extension of your existing operation's practices and provides security visibility across the entire DevSecOps lifecycle. This visibility empowers your organization to apply DevSecOps best practices from the first line of code written and extends all the way through to greater monitoring and protection for your applications that are deployed in production.
The Protect Stage focuses on providing security visibility across the entire DevSecOps lifecycle as well as providing monitoring and mitigation of attacks targeting your cloud-native environment. Protect reduces overall security risk by enabling you to be ready now for the cloud-native application stack and DevSecOps best practices of the future. This is accomplished by:
The Protect Stage is made up of one group supporting the major categories focused on cloud-native security including:
The existing team members for the Protect Stage can be found in the links below:
Protect will focus first on providing reactive security solutions that are cloud native. Whenever possible, Protect capabilities will be cloud platform agnostic, including support for self-hosted cloud native environments.
For example, GitLab's current Protect capabilities leverage numerous open source cloud-native projects that integrate cleanly with Kubernetes to provide additional security in containerized environments. Any future expansion of security capabilities will come after the cloud native capabilities are mature.
Protect will focus on detecting and alerting on malicious traffic and activity as a first step followed by introducing prevention as a second step. This is valuable to you because it means that you can introduce Protect within your cloud native applications, services, and infrastructure gradually over time without disrupting your end users. This allows you to examine the alerts generated by Protect using detection policies to ensure all security settings are appropriate and accurate for your cloud native deployment prior to moving to protection policies. This allows you to eliminate false positives and prevents your users from having a poor user experience with your applications and services. Furthermore, Protect will provide you with evidence of malicious traffic and activity as well as any actions taken, allowing you to meet and exceed your compliance goals and requirements.
As examples, GitLab will provide:
One of the key advantages to GitLab being a single application for the entire DevOps lifecycle is that all of our stages are tightly integrated. This empowers Protect to both provide information into other stages, such as Plan, as well as to receive information from other stages, such as Secure.
Protect will leverage knowledge from the Secure Stage and provide virtual patching of security policies within Protect Categories. Additionally, Protect will eventually leverage Secure scanning capabilities to provide on-going scanning of applications after they have been deployed to production. This allows for detection of any new threat vectors or vulnerabilities that were published after the original push to production.
Protect will identify and protect against threats as they happen, and will also strive to provide actionable next steps to close a vulnerability or point of exploit, not just protect it.
Not only does shifting left and acting on results earlier give your apps better security, it helps enable collaboration with everyone at your company. We believe that security is everyone's responsibility and that everyone can contribute. Informing other stages is a powerful way to do this.
As examples, GitLab will provide:
Protect will leverage OSS security projects to build our solutions. Protect will contribute improvements to these projects upstream helping everyone be more secure.
Protect capabilities will be pre-configured to provide value to protecting your applications. Rather than require you to read documentation manuals and provide complex configuration files, GitLab will always provide reasonable defaults out of the box.
We will provide the ability for advanced and customized configurations, but these will only be needed based on your specific use case and when you feel comfortable doing so.
For example, GitLab is currently working on an intuitive policy editor UI to allow for configuration of Network Policies. While advanced Network Policies can be created and managed by editing the .yaml file, the majority of policy use cases can be accomplished with the simpler UI.
Effectively protecting applications running in production requires the following key software capabilities that will be developed over the next 3 years:
Although the Protect stage has grandiose aspirations and a broad vision, the next 12 months of effort are entirely focused on building a foundation of security tools and capabilities that can be expanded later as the stage matures.
Please note that all roadmap items and timelines are subject to change
Q3 FY'21 - (August 2020 - October 2020)
Q4 FY'21 - (November 2020 - January 2021)
Q1 FY'22 - (February 2021 - April 2021)
Q2 FY'22 - (May 2021 - July 2021)
Q3 FY'22 - (August 2021 - October 2021)
Currently the Protect stage is entirely focused on building out its container security capabilities. Specifically this includes support for applications that run in a containerized Kubernetes environment. Support is agnostic as to whether the application is hosted on premise or in the cloud as long as it is inside Kubernetes. Key initiatives in this group over the next 12 months will include establishing a baseline level of functionality in the following areas:
Towards the end of the next 12-month period, we plan to begin work on our Insider Threat category and deliver some initial capabilities there at a minimal maturity level.
Additionally, the Monitor:Health group is currently building out on-call schedule management. Once that feature set is complete, the Defend stage will be able to take advantage of it to automate the routing of security alerts to the right responder.
Although we will likely address many of these areas in the future (as described above in our 3 year strategy), we are not planning to make progress on the following initiatives in the next 12 months:
In our opinion, the Protect Stage aligns with the market that Gartner defines as the Cloud Workload Protection Platform (CWPP) Market.
Gartner “Market Guide for Cloud Workload Protection Platforms,” Neil MacDonald, Tom Croll, 14 April 2020 (Gartner subscription required)
We believe that GitLab currently aligns to the workload protection controls that Gartner defines in this market as follows:
The following metrics are used to evaluate the success of the Protect stage:
GitLab identifies who our DevSecOps application is built for utilizing the following categorization. We list our view of who we will support when in priority order.
To capitalize on the opportunities listed above, the Protect Stage has features that make it useful to the following personas today.
As we execute our 3 year strategy, our medium term (1-2 year) goal is to provide a single DevSecOps application that enables SecOps to work collaboratively with DevOps and development to mitigate vulnerabilities in production environments.
Security teams and Security Operations teams are the primarily day-to-day users of Protect features. Over time, GitLab aims to become the primary tool they use to protect, monitor, and manage the security of their production environments. As most organizations have limited resources and/or security talent, we will strive to make the entire user experience as simple and easy to use as possible so as to minimize the skill set and number of individuals required. Additionally, summary-level dashboards and reports will eventually be provided to allow for clear reporting up to executives.
Protect is fundamentally different from all other GitLab stages because its primary target user sits outside the Development organization in a Security team that is most commonly within a larger IT department. Consequently there are two primary paths to adopting Protect.
Protect is focused on providing enterprise-grade security capabilities to protect production environments. The intent is to provide enough value in paid features so as to allow Protect to contribute in a significant way over the next 3 years toward GitLab's company-level financial goals.
Although paid features are the primary focus, there are several reasons why features for unpaid tiers might be prioritized above paid features:
This tier is the primary way to increase broad adoption of the Protect stage, as well as encouraging community contributions and improving security across the entire GitLab user base.
As a general rule of thumb, features will fall in the Core/Free tier when they meet one or more of the following criteria:
Some examples include:
This tier is not a significant part of Protect's pricing strategy.
This tier is not a significant part of Protect's pricing strategy.
This tier is the primary focus for the Protect stage as the security posture of an organization is typically a primary concern of the executive team and even the board of directors. Just as a major security incident has far reaching consequences that impact the entirety of an organization, the features and capabilities that successfully protect against those types of attacks tend to be valued with equal weight. The types of capabilities that fall in the Ultimate/Gold tier vs an unpaid tier should be those that are necessary for an organization, rather than an individual, to provide for adequate security of their production environment.
As a general rule of thumb, features will fall in the Ultimate/Gold tier when they meet one or more of the following criteria:
Some examples include:
There are a few product categories that are critical for success here; each one is intended to represent what you might find as an entire product out in the market. We want our single application to solve the important problems solved by other tools in this space - if you see an opportunity where we can deliver a specific solution that would be enough for you to switch over to GitLab, please reach out to the PM for this stage and let us know.
Each of these categories has a designated level of maturity; you can read more about our category maturity model to help you decide which categories you want to start using and when.
Check Docker images for known vulnerabilities in the application environment. Analyze image contents against public vulnerability databases using the open source tool, Clair, that is able to scan any kind of Docker (or App) image. Vulnerabilities are shown in-line with every merge request. This category is at the "viable" level of maturity.
A Web Application Firewall (WAF) can examine traffic being sent to your web application and can detect then block malicious traffic before it reaches them. The ModSecurity WAF is installed via Auto DevOps behind the ingress controller in your Kubernetes cluster. It is configured by default to run the OWASP ModSecurity core ruleset. This category is at the "minimal" level of maturity.
Unified policy and alert security orchestration capabilities across all of GitLab's scanners and security technologies. This category is at the "minimal" level of maturity.
Priority: medium • Direction
Detect and respond to security threats at the Kubernetes, network, and host level. This category is at the "minimal" level of maturity.
Container network security allows the implementation of network policies in Kubernetes to detect and block unauthorized network traffic between pods and to/from the Internet. This category is at the "minimal" level of maturity.
There are several top-level features that span across all groups and categories in the Protect stage.
The alert dashboard is the central location for viewing and managing alerts. The long-term plan is to aggregate alerts from all categories at the project, group, and instance levels and visualizing those alerts in both a list-view as well through explorable charts and graphs. Alerts will be eventually be capable of being prioritized based on the severity of the alert (defined by the policy that generated the alert) as well as an analytical algorithm that scores the alert based on its level of risk. The alert dashboard will also host the central workflow for taking action on alerts, including any auto-suggested remediation actions or recommended policy tuning changes.
The policy management experience is the central location for policies across both the Secure and Protect stages. Here users will be able to have the flexibility of managing policies directly in code or in a streamlined UI editor. As part of the long-term vision for the policy management experience, users will be able to view a complete history of all changes and easily revert to a previous version. A two-step approval process can optionally be enforced for all policy changes. Eventually the policy management UI will be extended to provide visibility into the performance overhead of each policy. Suggestions into policy adjustments that might help either reduce false positives or increase overall security coverage will be provided in this section as well.
There are a number of other issues that we've identified as being interesting that we are potentially thinking about, but do not currently have planned by setting a milestone for delivery. Some are good ideas we want to do, but don't yet know when; some we may never get around to, some may be replaced by another idea, and some are just waiting for that right spark of inspiration to turn them into something special.
Remember that at GitLab, everyone can contribute! This is one of our fundamental values and something we truly believe in, so if you have feedback on any of these items you're more than welcome to jump into the discussion. Our vision and product are truly something we build together!
Last Reviewed: 2020-09-15
Last Updated: 2020-09-15