Gitlab hero border pattern left svg Gitlab hero border pattern right svg

GitLab Security Compliance Controls

GitLab's Security Controls

Security controls are a way to state our company's position on a variety of security topics. It's not enough to simply say "We encrypt data" since our customers and teams will naturally want to know "what data do we encrypt?" and "how do we encrypt that data?". When all of our established security controls are operating effectively this creates a security program greater than the sum of its parts that will demonstrate to our stakeholders that GitLab has a mature and comprehensive security program that will provide assurance that data within GitLab is reasonably protected.

GitLab Control Framework (GCF)

We have tried to take a comprehensive approach to our immediate and future security compliance needs. Older and larger companies tend to treat each security compliance requirement individually which results in independent security compliance teams going out to internal teams with multiple overlapping requests. For example, at such a company you might have one database engineer that is asked to provide evidence of how a particular database is encrypted based on SOC2 requirements, then again for ISO requirements, then again for PCI requirements. This approach can be visualized as follows:

graph TD; SOC2_Requirement1-->Team1; SOC2_Requirement1-->Team2; SOC2_Requirement2-->Team1; SOC2_Requirement2-->Team2; PCI_Requirement1-->Team1; ISO_Requirement1-->Team2;

Given our efficiency value here at GitLab we wanted to create a set of security controls that would address multiple underlying requirements with a single security control which would allow us to make fewer requests of our internal teams and efficiently collect all evidence we would need for a variety of audits at once. This approach can be visualized as follows:

graph TD; SOC2_Requirement1-->GCF; SOC2_Requirement2-->GCF; PCI_Requirement1-->GCF; ISO_Requirement1-->GCF; GCF-->Team1; GCF-->Team2;

Adobe's open source compliance framework served as the starting point for this efficient method of collecting security control evidence. It has been adapted and expanded as needed and the result is the below list of controls grouped by families and sub-families.

Clicking a control below that has a link will take you to a page with a variety of information about that control.

Control Prioritization

There are a number of controls without links due to the way that GitLab has prioritized the documentation of all of these controls. A control without a link should not be taken to mean that GitLab is not in compliance with a specific control’s requirements, but rather that we are not yet tracking evidence of the operation of that control. Supporting documentation for all controls will be built out as we continue to iterate on our compliance program and pursue additional compliance certifications.

Control Ownership

Control Owner - Ensures that the design of the control and the control activities operate effectively and is responsible for remediation of any control activities that are required to bring that control into a state of audit-readiness.

Process Owner - Supports the operation of the control and carries out the process designed by the control owner. The process owner is most likely to be interviewed by an auditor to determine whether or not the process is operating as intended.

What is considered Production?

The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may include third-party systems that support the business of GitLab.com.

Functions to run gitlab.com Production Rationale for Determination Location
gitlab-ops (ops.gitlab.net) YES host of the Chef cookbooks and metadata GCP
gitlab-production (gitlab.com) YES host of live .com SaaS website and end user OAuth GCP
gs-production YES host of GitLab version checker - version-gitlab-com GCP
Route 53 YES host of DNS AWS
Chef server Yes host of chef server Digital Ocean
gitlab-ci LIMITED hosts runner managers GCP
dev-gitlab-org Yes host of OAuth Azure
Sub-functions of gitlab.com Production Rationale for Determination Location
gemnasium-production YES hosts services used by dependency scanning GCP
Functions that support gitlab.com Production Rationale for Determination Location
customers-gitlab-com YES host of .com subscriptions Azure
license-gitlab-com YES host of GitLab license management AWS
Indirectly supports running of GitLab Production Rationale for Determination Location
gitlab-security YES host of GitLab Security team tools GCP
DELKE YES Third party logging GCP/Elastic
InfraELK YES .com logging GCP/Elastic
env-zero YES host of Bootstrap GCP GCP
gitlab-dr YES production backups GCP
service-prod YES host of design-gitlab-com GCP
Prometheus YES dashboards-gitlab-net GCP
PagerDuty YES page on-call engineers PagerDuty
Fastly YES host of CDN Fastly

Data Classification Policy

For GitLab's data classification policy, please refer to the data classification page.

Security Controls Feedback

If you have any feedback on any of the security controls or related documentation, please add it as a comment in this issue.

Security Control Changes

The GitLab compliance team is responsible for ensuring the consistency of the documentation of the security controls listed below. While normally we welcome any GitLab team-member to make edits to handbook pages, please be aware that even small changes to the wording of any of these controls impacts how they satisfy the requirements for the security frameworks they map to. Because of this, we ask any changes that need to be made to this page and the underlying guidance pages to start with a comment in this issue. The compliance team will then engage with you and make any appropriate changes to these handbook pages.

List of controls by family:

Asset Management

Backup Management

Business Continuity

Change Management

Configuration Management

Data Management

Identity and Access Management

Incident Response

Mobile Device Management

Network Operations

People Resources

Risk Management

Security Governance

Service Lifecycle

Site Operations

Systems Design Documentation

Systems Monitoring

Third Party Management

Training and Awareness

Vulnerability Management