Virtualization Technology News and Information
In-Q-Tel invests in Weave GitOps to modernize and bring compliance to government apps and infrastructure

Weaveworks announced a strategic investment agreement with In-Q-Tel (IQT). The not-for-profit investor, which is linked to US government agencies, has chosen to invest in Weaveworks in order to help accelerate trusted application delivery and secure infrastructure operations within the US government. Weave GitOps, the industry's leading full-stack GitOps platform, enables organizations to manage their entire system across on-premise and GovCloud locations in a way that ensures security through repeatability and compliance controls. In-Q-Tel also intends to introduce and maintain modern operations with continuous compliance across an undisclosed agency's applications and multiple managed environments.

"After helping transform DevOps teams in dozens of mature organizations such as the Department of Defense, Fidelity, and Deutsche Telekom, we are confident that Weave GitOps can help In-Q-Tel's government partners usher in modern application deployment and maintenance processes, which is the next phase of their digital transformation," said Alexis Richardson, founder and CEO of Weaveworks.

In this post, we delve into the challenges of, and the opportunity for, modernizing the deployment process in a compliant manner.

Continuous Delivery (CD) has long been an end goal of software development. The vision is that new versions of software end up in the hands of users with nothing but automation in between. We all like to talk about how many deployments a day we are able to do, and vendors love to exclaim how they have reduced deployment cycles from months to days. But focusing solely on the end result misses the value of the entire process and overlooks much of the complexity involved for an enterprise organization, and even more so for a regulated industry or government agency.

Modernizing Complex Applications through shifting left

Government agencies are tasked with a particularly difficult mission: bringing exceedingly complex applications into the modern world. Digital transformation programmes spend a lot of time configuring environments and rewriting code. Given the nature of these applications, as much time must be spent on the security and data management requirements for those environments. Modern cloud environments mean that security requirements and procedures have to be updated and applied in parallel with the migration of the applications into these environments. Because of the unique requirements of these agencies, the right controls and capabilities must be built in from the start.

Over the past years, we have seen the most successful implementations where policy and compliance are included from the start of development and continue throughout the development cycle. By shifting these compliance and security tests to earlier in the development cycle, we can reduce the cost of resolving them and speed up deployments. This is where GitOps comes in.

GitOps Enables Trusted Delivery

Trusted Delivery brings together GitOps automation and policy-as-code controls. This means common security and compliance controls are embedded in the software deployment pipeline. Automation ensures that guardrails are put around the process, continuously testing that the right controls are being applied.

With GitOps we have a definitive record of every aspect of a deployment - this plays well in situations where we want to guarantee that a deployment is compliant. By enforcing policy during the deployment, we can ensure that it meets the appropriate standards no matter who is doing the deployment, or what environment the software is being deployed into. 

In-Q-Tel chose to invest in Weaveworks in order to help accelerate the development and delivery of cutting-edge technologies to U.S. intelligence and defense agencies. Beyond simply rewriting code, Weave GitOps, the industry's leading full-stack GitOps platform, enables these agencies to manage their entire system across on-premise and GovCloud locations in a way that ensures security through repeatability and inherent controls. 

Making Continuous Compliance in an Offline World a Reality

Software repositories have long been available in on-premise configurations, yet often without some of the functionality and integrations that make them so attractive for automation. The same cannot be said for many of the other tools necessary to operate a complete environment. Those tools are typically offered as SaaS models only and rarely integrate well with on-premise repositories and systems.

When evaluating management and compliance software, make sure to confirm whether it will be able to function as desired in disconnected or firewalled environments. Also check how policy updates are done, how reconciliation agents contact the source and hosts (push vs pull model), and whether things even continue to run when unable to validate entitlements. By centralizing everything required for infrastructure, applications, and policy in a local Git repository, teams can be confident that it is available to all protected systems. It also allows access by security teams and management so they can audit every piece of the equation and ensure it adheres to the established policies.

Policy agents running within systems should continue to operate with the most recent rules that they have fetched. A continuously running multi-layer approach to enforcing policy at code submission, deployment, and ingress will help ensure that systems remain compliant. If manual changes are made to the code or the system, the agents should automatically correct and report on the violation.

Published Thursday, May 05, 2022 11:52 AM by David Marshall