Okta helps GitLab add Zero Trust to the list

An all-remote company scales up

GitLab makes collaboration software for the software development life cycle, and GitLab teams eat their own dogfood—building and developing the same online collaboration software that the company uses internally. Naturally, it is designed to allow people to work together asynchronously, from anywhere.

Since the company’s inception, team members have been iterating and documenting all of its remote work processes in an online handbook which, like GitLab’s core software, is an open-source project. While co-founder and CEO Sid Sijbrandij initially tried to get people to commute to a physical office space, he soon gave up the effort because it simply didn’t add value.

Today, GitLab is scaling that all-remote model at an incredible rate, onboarding nearly 1,000 new employees in the past year. In the time of COVID-19, the company provides an exceptional example for other organizations to follow.

“When you have 1290+ employees in 67 countries, you have to be really comfortable with documentation and being able to work on the same projects across different time zones,” says Bryan Wise, vice president and head of IT. “We have a handbook-first mindset, we use the GitLab product to document the handbook, and we use Slack, Zoom, and Google as our primary collaboration tools.”

The lack of physical office space means it’s “cloud-first, cloud-everything,” says Wise. To manage access to those tools and to balance its open-source culture with a Zero Trust security strategy, the company needed a strong identity and access management (IAM) partner.

Can open-source embrace Zero Trust?

When Mark Loveless started as a senior security engineer at GitLab in 2019, he wasn’t sure that striking a balance between open-source and Zero Trust was a realistic goal. Truthfully, he says, “I was horrified by this prospect.”

He was nevertheless inspired by the GitLab culture and its mission to “change all creative work from read-only to read-write”—building an inclusive and progressive world where “everyone can contribute.”

GitLab is a unique company with a unique set of Zero Trust realities. “Google’s BeyondCorp model was intended for somebody else, mainly Google,” he says. “Not for us. We need something more open and flexible.”

The open-source culture extends beyond the company itself to a community of coders and followers who are all invited to contribute to GitLab’s product as well as its corporate handbook. “We have people checking in code from all over the place,” says Loveless. “That poses some interesting security challenges.”

GitLab’s exponential growth adds to the intrigue, and the company has an IPO scheduled for November 2020, which increases compliance and auditing requirements. “These are huge issues for us to overcome,” he says.

The company’s rapid growth has made lifecycle management processes a big focus. Before Okta, says Loveless, “we were kind of roughing it.” Onboarding and offboarding were manual processes—“an absolute, massive time sink.” When people left the company, deprovisioning got done with a hope and a prayer that critical access points weren’t left open to attack.

GitLab also has asset management challenges because for the first several years of operation, everyone at the company used their own devices. “The company started buying employee laptops maybe two-and-a-half years ago,” says Loveless.

For their Zero Trust initiative, the GitLab team is focusing on user and device identification, as well as on classifying data so that the team can create and enforce access control policies across systems. They’re also looking to make sure all data in transit is encrypted, and they want to see robust logging data from all their systems, pulled together in one place.

A flexible Zero Trust foundation

To address these challenges, Loveless and team are reducing each problem to manageable chunks. They turned to Okta because they saw the opportunity to implement a centralized tool for managing identity—one they could connect easily to their growing portfolio of SaaS applications.

Okta provided a way for GitLab to proceed incrementally, while offering a solid foundation for a broad Zero Trust strategy. “Without a product like Okta, you really can’t achieve that model,” says Wise. “The fact that you get telemetry—better understanding of who’s logging in, where they’re logging in from, what operating system they’re using—those things are important whether you’re remote, or not.”

Okta’s flexibility was huge for GitLab. Because team members were so used to logging in from their personal devices, it was important to offer an array of authentication mechanisms.

“We had people who said, ‘What is this Okta Verify app? I don’t want to load a work app on my personal phone,’” says Loveless. “It was fine because we could offer them U2F (FIDO Universal 2nd Factor), YubiKey, or TOTP (Time-based One-Time Password). Having a product that supported all of that played a big part in addressing the concerns that people had.”

Leading with the user experience

In true GitLab style, the team began their Okta deployment by offering an open beta in April 2019, inviting staff members to opt in and gathering their feedback as the program progressed.

“The beta helped us engage people and get buy-in,” says Loveless. By May, the team was ready to move to an initial live deployment. They started with non-critical apps but included GitLab.com. “We were building up trust with users and also our own trust in Okta,” he says.

Critical app deployment began in July, and the team’s overcommunication habit was an important success factor. They had set up a dedicated Slack channel during the beta, and that feedback and constant line of communication was critical for letting people know which apps were moving to Okta, and when.

To get universal buy-in, Loveless says it was important to sell the user experience benefits first. “Coming in and saying, ‘Hey, the security team wants you to do this security stuff because of security,’ wasn’t a good way to get users to jump on board,” he says.

“We made it as transparent as possible. We were up-front about how everything worked and what we were trying to do, but we focused on the user experience,” says Loveless.

Simplifying identity for users and admins

In eight months, Okta helped the GitLab team transform the way everyone at the company accesses their work. With Okta Single Sign-On and Okta Adaptive Multi-Factor Authentication, the team standardized the access and authentication process and dramatically simplified IAM.

In the process, they reduced the IT friction the company was experiencing, so business leaders could adopt new technologies easily without adding risk. GitLab instituted an “MFA by default” policy and quickly achieved universal adoption. They enabled Okta ThreatInsights and Risk-Based Authentication, adding more authentication steps for high-risk applications.

The team also streamlined onboarding and offboarding at GitLab with Okta Lifecycle Management. When Loveless started at the company in February 2019, it took three weeks for him to gain access to all the applications he needed to get work done. Today, the company’s human resources software, BambooHR, is tightly integrated with Okta. Provisioning actions begin the moment an HR team member makes changes in BambooHR.

“Okta took the account creation process of onboarding from three weeks down to a minute,” he says. “A new user is created in BambooHR. That profile information is immediately exported into Okta and from there we create accounts in all these other systems. It’s pretty much all automated.”

The same automation allows the team to remove access completely and automatically when someone moves on from GitLab. “It’s absolutely phenomenal,” says Loveless. “Lifecycle automation was a huge success story for us.”

Getting into good compliance shape

Loveless says compliance reporting has also been “dramatically simplified,” paving the way for GitLab to become a public company. “Some of the auditing went from weeks to hours, simply because you can get to everything quickly and export it out,” he says.

Using Okta Universal Directory, the team was also able to eliminate shared accounts. “We’re grateful that we can put policies in place, create groups that they apply to, and grant access,” says Loveless.

GitLab has also used Okta to standardize its password policies, simplifying compliance with various data privacy laws around the world. Rather than having different standards for users in different locations, the team simply instituted one high set of standards that complies with all global privacy laws and pushed it out across the company.

Extending least-privilege access to infrastructure

As successes piled up, the security team’s case for Okta grew across GitLab and Okta became an integral part of the GitLab culture.

“The tipping point came when application owners started hunting us down,” says Loveless. “They’d hear from their co-workers, ‘Hey, if you put your app in Okta, you don’t have to create all the accounts anymore.’”

As a result, the security team has successfully cataloged its technology stack and put rules in place for application adoption. “Okta is part of our enterprise architecture initiative going forward,” says Wise. “If an application doesn’t adhere to Okta standards, it would have to be an unbelievable product, meeting a unique business need, for us to move forward with it.”

Business champions appeared from across GitLab. “Our infrastructure team had a project coming up that would involve creating a lot of accounts,” says Loveless. “They said, ‘Hey, we’ve been using Okta for everything else. Could we use it for SSH access?’”

The team started a month-long pilot with Okta Advanced Server Access (ASA) and cut it short after two weeks because they didn’t need to wait for full implementation. “Everyone was like, ‘Oh, this’ll work. We’re fine,’” says Loveless. “It’s a wonderful solution for creating accounts—wham-o!—just like that.”

The GitLab team prefers Okta ASA as its method of securing SSH access because of the ability to scale across their elastic infrastructure fleets and automate account life cycles and policies. Whenever new infrastructure gets spun up, new accounts appear nearly instantaneously. Whenever a new user joins the team, they gain automated access in minutes. ASA also allows GitLab’s DevOps-centric organization to move fast without breaking things.

Building on frictionless authentication

The GitLab security team is currently evaluating endpoint management solutions, including Okta device trust. “We’re getting to the point where we can control those assets better,” says Wise. They’re also looking at Okta Workflows, to achieve the next level of lifecycle efficiencies.

As they proceed, the team is moving toward centralizing all user and group profiles in Universal Directory. “We’ve never had a server farm where we run Microsoft Active Directory or LDAP,” says Peter Kaldis, IT manager at GitLab. “More and more, Okta is our directory for everything.”

With that project complete, Loveless says the team will be able to create and enforce granular security policies and meet customer compliance requirements even more easily.

He also dreams of building a completely passwordless environment for GitLab. “If I had a career goal, it would be to end the password,” he says. “The fact that we have a second factor is because the first factor is insecure, so why have the first factor?”

Between GitLab’s cutting-edge DNA and Okta’s identity management expertise, Loveless has more hope than ever of achieving that goal. “It could happen in my lifetime,” he says.

When it comes to more immediate achievements, Okta has already met one overriding criteria: “In our security department, we leave things better for end users than when we started,” says Loveless. “Any solution needs to make things easier. If it’s very hard or extremely complex, then we look for a better solution.”

With Okta, the team now has frictionless authentication that users don’t have to think about. “It’s like muscle memory,” he says. “When they get out of their car, they automatically lock the door. That’s how we want the identity process to work here.”

About GitLab

GitLab is the world's largest all-remote company, with more than 1,290 team members in more than 67 countries and regions. The company’s DevOps platform was built from the ground up as a single application for all stages of the DevOps lifecycle, enabling Product, Development, QA, Security, and Operations teams to work concurrently on the same project. Built on open-source software, GitLab leverages the community contributions of thousands of developers and millions of users to continuously deliver new DevOps innovations.