Weaveworks announced a strategic
investment agreement with In-Q-Tel (IQT). The US
government agency-linked, not-for-profit investor has chosen to invest in
Weaveworks in order to help accelerate trusted application delivery and secure
infrastructure operations within the US government. Weave GitOps, the
industry's leading full-stack GitOps platform, enables organizations to manage
their entire system across on-premise and GovCloud locations in a way that
ensures security through repeatability and compliance controls. In-Q-Tel also
intends to introduce and maintain modern operations with continuous compliance
across an undisclosed agency's applications and multiple managed environments.
"After helping transform
DevOps teams in dozens of mature organizations such as the Department of
Defense, Fidelity, and Deutsche Telekom, we are confident that Weave GitOps can
help In-Q-Tel's government partners usher in modern application deployment and
maintenance processes, which is the next phase of their digital transformation,"
said Alexis Richardson, founder and CEO of Weaveworks.
In this post, we delve
into the challenges of, and the opportunity for, modernizing the deployment
process in a compliant manner.
Continuous Delivery (CD)
has long been an end goal of software development. There is a vision
where new versions of software end up in the hands of the users with nothing
but automation in between. We all like to talk about how many deployments
a day we are able to do, and vendors love to exclaim how they have reduced
deployment cycles from months to days. But focusing solely on the end result
misses the value of the entire process and certainly overlooks much of the
complexity required for an enterprise organization, and even more so for a
regulated industry or government agency.
Modernizing Complex Applications through shifting left
Government agencies are
tasked with a particularly difficult mission: bringing exceedingly complex
applications into the modern world. Digital transformation programmes
spend a lot of time configuring environments and rewriting code. Given the
nature of these applications, as much time must be spent on the security and
data management requirements for those environments. Modern cloud
environments mean that security requirements and procedures have to be updated
and applied in parallel with the migration of the applications into these
environments. Due to the unique requirements of these agencies, the right
controls and capabilities must be built in right from the start.
Over the past years, we have
seen the most successful implementations where policy and compliance are
included from the start of development and continue throughout the development
cycle. By shifting these compliance and security tests to earlier in the
development cycle, we can reduce the cost of resolving them and speed up
deployments - this is where GitOps comes in.
GitOps Enables Trusted Delivery
Trusted Delivery brings
together GitOps automation and policy-as-code controls. This means common
security and compliance controls are embedded in the software deployment
pipeline. Automation ensures that guardrails are put around the process,
continuously testing that the right controls are being applied.
With GitOps we have a
definitive record of every aspect of a deployment - this plays well in
situations where we want to guarantee that a deployment is compliant. By
enforcing policy during the deployment, we can ensure that it meets the
appropriate standards no matter who is doing the deployment, or what
environment the software is being deployed into.
In-Q-Tel chose to invest
in Weaveworks in order to help accelerate the development and delivery of
cutting-edge technologies to U.S. intelligence and defense
agencies. Beyond simply rewriting code, Weave GitOps, the industry's
leading full-stack GitOps platform, enables these agencies to manage their
entire system across on-premise and GovCloud locations in a way that ensures
security through repeatability and inherent controls.
Making Continuous Compliance in an Offline World a Reality
Software repositories
have long been available in on-premise configurations, yet often without some of
the functionality and integrations that make them so attractive for
automation. The same cannot be said for many of the other tools
necessary to operate a complete environment. Those tools are typically
offered as SaaS models only and rarely integrate well with on-premise
repositories and systems.
When evaluating
management and compliance software, make sure to confirm whether it will be able
to function as desired in disconnected or firewalled environments. Also check
how policy updates are done, how reconciliation agents contact the source and
hosts (push vs pull model), and whether things even continue to run when unable
to validate entitlements. By centralizing everything required for
infrastructure, applications, and policy in a local Git repository, teams can
be confident that it is available to all protected systems. It also
allows access by security teams and management so they can audit every piece of
the equation and ensure it adheres to the established policies.
Policy agents running
within systems should continue to operate with the most recent rules that they
have fetched. A continuously running multi-layer approach to enforcing
policy at code submission, deployment, and ingress will help ensure that
systems remain compliant. If manual changes are made to the code or the
system, the agents should automatically correct and report on the violation.
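
The agent behaviour described above, sketched as an added example (not Weaveworks code and not part of the original post): the agent keeps enforcing the last rules it fetched when the source is unreachable, rejects a non-compliant desired state, and corrects and reports manual drift. The class, rule format and setting names are hypothetical, and refusing to run with no cached rules at all is an assumption of this sketch.

```python
class SourceUnreachable(Exception):
    """The policy source (for example a local Git mirror) could not be read."""

class PolicyAgent:
    def __init__(self, fetch_rules):
        self.fetch_rules = fetch_rules  # callable returning {setting: required value}
        self.rules = None               # most recent rules fetched successfully

    def refresh(self):
        """Pull rules; if the source is unreachable keep the cached set."""
        try:
            self.rules = self.fetch_rules()
            return "fresh"
        except SourceUnreachable:
            if self.rules is None:
                raise  # nothing cached yet: fail closed (assumption of this sketch)
            return "cached"

    def reconcile(self, desired, live):
        """Check `desired` against policy, then reset drift in `live` to it."""
        source = self.refresh()
        findings = []
        for setting, required in self.rules.items():
            if desired.get(setting) != required:
                findings.append(("policy", setting, desired.get(setting), source))
        if findings:
            return findings  # non-compliant desired state is reported, never applied
        for setting, want in desired.items():
            if live.get(setting) != want:
                findings.append(("drift", setting, live.get(setting), source))
                live[setting] = want  # automatic correction of the manual change
        return findings

def demo():
    """Constructed scenario: one online fetch, then the source goes away."""
    online = {"up": True}
    def fetch_rules():
        if not online["up"]:
            raise SourceUnreachable()
        return {"runAsNonRoot": True, "hostNetwork": False}
    agent = PolicyAgent(fetch_rules)
    desired = {"runAsNonRoot": True, "hostNetwork": False, "replicas": 3}
    live = dict(desired)
    first = agent.reconcile(desired, live)   # source reachable, no drift
    online["up"] = False                     # environment is now disconnected
    live["hostNetwork"] = True               # manual out-of-band change
    second = agent.reconcile(desired, live)  # enforced from cached rules
    return first, second, live

if __name__ == "__main__":
    print(demo())
```

Each finding records whether it was evaluated against fresh or cached rules, which gives auditors the age of the policy behind every correction.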