GitLab Goes All In on Zero Trust to Secure a Fully Remote Workforce

Sami Laine, June 26, 2020

Only a few companies can claim they’re working on solutions so cutting edge that they’re still uncovering new ways their product is useful. GitLab, a complete DevOps platform and lifecycle tool, is one of these companies.

What differentiates GitLab is its guiding philosophy: the company specializes in web-based, open-source code and DevOps lifecycle tools that empower programmers, engineers, and developers to build better software.

With a unique value proposition, a global user base, and a workforce that has always been 100% remote, GitLab was experiencing unprecedented growth. But securing its dispersed team came with challenges. This was further complicated by the fact that GitLab was gearing up to become a public company—regulatory compliance was a must, especially for a team operating across 67 countries.

GitLab rewrites the Zero Trust rulebook

With a product hosted exclusively on the cloud and a widely distributed workforce, implementing a Zero Trust approach to security was GitLab’s only option for staying compliant with global data protection policies. But the security team knew they were navigating unknown territory.

They faced several major hurdles:

  • Not only was GitLab a large, fully remote company, but its IT architecture was entirely cloud-based—no on-prem infrastructure, no VPN, and no traditional perimeter.
  • Its asset management was also limited: while there were protections in place for company-owned devices holding critical data, GitLab had little visibility into the individual devices of their dispersed workforce.
  • Data classification was fluid and dynamic, and information could fluctuate from low priority to highly sensitive over the course of a single day. With such a large network of users, provisioning and deprovisioning accounts and access across the company’s increasing number of apps was difficult.
  • On top of that, the company was committed to maintaining an open-core product that anyone could access and modify.

With all of these exceptions to the regular rulebook, GitLab had to ensure their approach to Zero Trust fit their circumstances. They had to consider:

  • User identification: there had to be a reliable framework to ensure users were who they said they were.
  • Device identification: all devices authenticated into the system had to be approved to contact GitLab.
  • Data classification: a consistent and coherent means of classifying data was necessary for making effective access decisions.

GitLab also needed comprehensive data encryption, activity logs for all systems, and support for a content delivery network front end. Any solution, vendor, or partner subsequently adopted by GitLab had to be carefully chosen to ensure they wouldn’t complicate or compromise Zero Trust initiatives further down the line.

For functionality and flexibility, GitLab chose Okta

To achieve its goal of a full-scale Zero Trust framework, the team at GitLab selected Okta as their identity provider. Okta Single Sign-On (SSO) and the Okta Integration Network were major factors in this decision, as GitLab needed an identity solution that could seamlessly integrate their many SaaS apps.

With solutions such as Okta Lifecycle Management (LCM) to automate onboarding and offboarding for an unlimited number of users, Okta also offered the scalability GitLab needed after growing from 300 employees to 1,200 in a single year.

To take its Zero Trust ambitions from concept to realization, GitLab rolled out Okta over three stages:

  1. Open beta. During the open beta phase, employees were invited to share their input and any initial concerns or preferences—which proved to be especially helpful as the GitLab team launched Okta Multi-Factor Authentication (MFA), as employees understood which factors made the most sense to different groups and different roles.
  2. Initial live deployment. In this stage, solutions such as Okta SSO and Okta LCM were implemented on a large scale. The GitLab team integrated non-critical apps, identifying possible problems and how to solve them, and testing solutions on GitLab.com as well. Within two months, GitLab had established confidence with the product across its employee base.
  3. Critical app deployment. GitLab then integrated their core applications with Okta. For this part of the plan, overcommunication was necessary to ensure everyone was on the same page and understood when, why, and how user access would be changing. Dedicated Slack channels and other feedback forums were available to employees, and all scenarios were comprehensively and conscientiously tested.

Zero Trust becomes the standard at GitLab

With Okta, GitLab has proven that adopting Zero Trust is possible for organizations, no matter how exceptional their circumstances.

GitLab teams now expect everything to be in Okta.

  • The security team only approves apps that are supported, and app owners are working with them to ensure their favorite tools are included in the dashboard.
  • Implementing Okta LCM has led to a 35% drop in onboarding template items, and GitLab has been able to eliminate shared accounts in favor of group policies.
  • At the same time, ghost accounts left over from human deprovisioning errors have been eradicated thanks to automatic offboarding.
  • Compliance controls have also been drastically simplified, with identity and access management audits and control verification taking place in hours rather than days.

To further secure and simplify processes, GitLab’s infrastructure team trialed Okta Advanced Server Access (ASA), which proved to be such a success that the planned pilot was cut short and the platform went straight into implementation.

Creating the future as they go

As a leading global innovator, GitLab understood the importance of Zero Trust to protect its data and its users. Looking to accommodate their highly advanced technology and business model, GitLab turned to Okta to achieve the agility, capability, and scalability they needed to maximize security without compromising simplicity.

As dynamic work becomes the new norm for organizations worldwide, Zero Trust should be adopted—and in some cases, adapted—across the board.

To learn more about modern Zero Trust security, check out the following resources: