Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Compliance Group - Meetings / 15 Jan 2020
GitLab / Compliance Group - Meetings / 15 Jan 2020
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Compliance Group Roadmap Discussion

Description

Public Mural board: https://app.mural.co/t/gitlab2474/m/gitlab2474/1578411704319/125028f23f8400bba1d2c08290a459a970a2abf9
Slides: https://docs.google.com/presentation/d/1DY6q6D0_gJ5e6fp47DTy46824PXVaNvQa7C76uM63M8/edit?usp=sharing
Compliance Controls Epic: https://gitlab.com/groups/gitlab-org/-/epics/2423

A

Hey everyone thanks a lot for joining us for this conversation in compliance and get lab. I'm Jeremy Watson I'm a product manager get lab working on the manage stage of the DevOps lifecycle I'm here with Daniel Mora and Matt Gonzalez, to talk a little bit more about compliance to get lab our vision direction where we're going dan and Matt do want to quickly introduce yourselves sure.

B

Thanks Jeremy so Matt Gonzalez and I'm the product manager for the compliance group within the manage stage here at get lab and over to you, Daniel.

C

Unmute myself, sorry Daniel more I work with these fellows in the compliance managed group and I. Do the product, design and UX.

A

Thanks guys appreciate that so Matt I think we're here today to talk a little bit about. You know our direction as far as compliance goes. It's a really interesting problem. Space I know, you've been thinking about it a lot, and we have a lot of exciting things that we're working on here at Q lab love. To turn over to you, we can hopefully share some information with our audience about where we're going, yeah.

B

Sounds good, so let me share my screen and I think where I'm gonna start first is walking us through this mural board too, because I think what really helps me as a visualize everything and so the way that I'm currently thinking about compliance within gitlab. Is you have this overarching theme of frameworks right so every organization every business operates within an industry and those or multiple industries and those industries are regulated in some way.

B

The common frameworks people hear about are things like sarbanes-oxley for the financial sector socked to for just kind of industry, agnostic, a general data security, best practice framework gdpr for privacy regulation that originated in the European Union, and so we have all these competing frameworks. But a lot of these underlying fundamental similarities such as you know, segregation of duties and making sure that there's password management policies and managing access within the application or the environment or system that you're using, and so these frameworks create this broad high-level scope.

B

And so, within the frameworks we have requirements, the frameworks define what rules need to be followed for an organization to be compliant with their regulation or the the legal or regulatory framework, and so that manifests to me as compliance controls. Compliance controls are the the controls or the rules that exist either at the company level. Well, I guess that's at the organizational level, but inspired by or motivated by, the frame, the compliance frameworks themselves.

B

So if a compliance framework says, you have to have a separation of duties between the changes that are made made to your code and that code being approved to make it under your production environment. Well, then, you have to have controls in place that ensure you're following that procedure, and so within frameworks, the frameworks concept. We have these compliance controls and that manifests as things like merge request approvals. Do we have a policy in place for the various scanning that might take place, for the code are trying to push?

B

Do we have external systems that need to connect with get lab that we're calling out to four separate in-house policies? Do we have password management? Those types of controls, another element to compliance, is, what's called non-repudiation. The idea that no individual can deny that they took some action, and so that manifests for us as audit events. So the audit events feature or component of gitlab should be able to answer any question about who did what? When did they do it?

B

In what system did the change occur and right now, the focus is making sure that our audit events are very granular, because if, if there's any gap, if there's a question, you can't answer whether it's an internal or external auditor that creates a gap. That gap then creates more work for the organization and the day to day users of gitlab, because you have to then have what's called compensating controls if there is no formal control or if there's just a gap, it's out of your control, such as with a service you're using like git lab.

B

You have to still be able to find that data, and so audit events is we're trying to answer the questions like who took what action. What action did they take? Was that action compliant and was it authorized? And so these are the goals we're trying to achieve in terms of audit events and then finally, we have the reporting aspect. So visibility by way of audit events is great.

B

You can basically prove that you're compliant with the controls that have been put in place that help your company adhere to these frameworks, but you have to then be able to provide some tangible report to an auditor that auditor could be internal or external, which is a kind of recurring theme.

B

A lot of especially bigger organizations have internal comply or audit teams, because that's that's the the I guess the the small part of the funnel, where we're gonna be the team that makes sure that we're compliant with these one two three n number of frameworks, but we are kind of that first barrier right, so we're the ones who are gonna. Ask for this. These evidence, artifacts we're gonna, be the ones to make sure that policies are being followed and enforced and so generating the evidence. Artifacts could be anything from show me.

B

Oh I, see now here that my mural is actually not updated. So please disregard some of these sticky notes for now, but the audit reports could manifest, as anything from show me a sample of the last six months worth of merger quests, and show me that each of those merger quests had an issue that was tied to it or associated with it that documents. The change show me the last.

B

Let's say week worth of project setting changes show me an event where changes were made to merge, request, approval settings, and so those events should be captured within audit events, the audit events, category or just general within the operation of gitlab, but we have to be able to then generate the the tangible evidence that users can provide to their auditors, and so that's that's the high-level summary of how we're currently thinking about compliance.

B

That's.

A

Awesome that, thanks for that, so in summary, it sounds like you know, we have.

A

You know multiple frameworks, that organizations need to be in to adhere to and those distill down into a variety of compliance controls which, ideally we'll be able to you know, set with and get lab to allow enforcement of different behaviors and, in your instance, like this, those distill down into audit events, which will which we can kind of roll up and are reporting in at the reporting level, to be able to prove to a third-party auditor that these behaviors were adhered to and the framework was was followed. I is it this?

A

Does that sound about right, yeah.

B

Absolutely I think so: I think that's a that's a really concise way to put it and it does kind of trickle down in that manner. So.

A

I see something here at the top called the git lab control framework and there's a bunch of arrows. That kind of redirecting to that. Like can you? Can you talk about a little bit yeah.

B

Absolutely so something that I'm personally very passionate about is our internal security. Compliance team has done a lot of great work mapping what we call internally, the gitlab control framework to right now, sock to sarbanes-oxley and generally the iso standard for controls, and so I feel that there's an opportunity for gitlab to take this, a very credible thought, leadership role to say: we're already doing the work to consolidate these multiple frameworks, and so, if we can distill from that right, we say: okay!

B

Well, if you, if you enable the gitlab control framework, Identity and Access Management 1.2, then, ideally that means you're, adhering to Sauk to common control for the same requirements, you're adhering to the sarbanes-oxley controls for the same requirement as well as ISO, and so by simplifying the number of frameworks you have to manage I'm, hoping that we can simplify the process of staying up to date with the evolving landscape, but also make it easier for our customers to understand what effects are gonna take place using this single source of truth versus having to reference multiple frameworks at once.

B

I think.

A

That that makes a lot of sense if we iterate on that sufficiently. I think that that could make life a lot more simple for our customers, because you can trust the GCF to stay for us to maintain that according to changing standards- and it can kind of be a way to kind of abstract away a lot of this kind of the complexity around maintaining questions around South to Sox and I. So it was like. Ideally, you know, gitlab can be the the framework that you use for that right.

B

Yeah I think the the biggest value out there is that our internal security compliance team is already going to be constantly keeping up-to-date with this as part of our own compliance efforts, and so it makes sense to be very efficient about that and and leveraging their hard work to bring value to our coastal customers. I should say yeah.

A

I think dogfooding. This makes a ton of sense, so so I think the high level makes sense standing like. Can we go a little level deeper and talk about, like maybe specific epochs or issues or like the short-term goal, like goals for each of these areas and controls, events and reports yeah.

B

For sure, so, I think for compliance controls as a category. The focus right now is looking at what are the features we can add that could eventually become these resource lists, as you will or resources of controls. So, for example, if we can in if we implement something like disable self approval at the instance level. So this is a big pain point, because what happens is you have individual users in the current role in permission? Schemas that may be part of their job.

B

Responsibilities is to is to deploy code, and so the way things are now they're able to go in and modify the merge request. Approval settings push code then re-enable those settings, and that creates this critical breakdown in the separation of duties, requirements and so a control like this, where we say you know, starting with self managed instance, administrators and eventually comm feature Perry. If admins can say well we're gonna, lock this down.

B

We're gonna require that at a minimum, these three settings for preventing the approval, merge request by the author by a committer and they can't modify the approvers list. If we, if we start there and say we think these are the three most critical settings within this particular context, that prevents non administrators from modifying that wolven theory. We've preserved that separation of duties workflow, so things like that.

B

That could be step one and then, as we add, additional features such as give admins self manage, admins and eventually com group owners, the ability to restrict the changing of a profile name that helps to preserve the identity and access management requirements, because part of non-repudiation is again saying that an individual can't deny that they took an action.

B

Well, if you can change your profile name in theory, you could say well that wasn't me that was some other person, that's shown in your audit events trail and if you don't have a way to correlate the two and disprove that then you're not maintaining non-repudiation and therefore your audit events lose some integrity, data integrity so longer term. Where I see this going, is that you know? If we have all of these features implemented, then we can say: okay! Well, maybe these these first three features comprise what we say is GCF control.

B

1.1, maybe the next three, our GCF control 1.2, and so we can then provide our customers with an experience in F that says based on your requirements, you know these controls help you maintain separation of duties. These controls help you maintain, non-repudiation, etc, etc, and then we create this very customizable, but seamless process or experience of then defining the policies that have to be enforced within your get live environment. That.

A

Makes a ton of sense, so it sounds like you know the things that I see the issues that you talk through and prioritize for 12.7 or kind of like these instance level, behaviors and controls that allow you to you pointed out to seem like self approval, disabling the ability to change your profile name to enforce contribution.

A

Have we considered kind of like a way of like showing this and like how many think we thought about the user experience? I know, we've talked a little bit about in the past about like? Is there a way of maybe showing these a single place of the UI? Is that something that we're also thinking about kind of planning, yeah.

B

Every question oh and Daniel: yes, please take this yeah.

C

So we've actually kind of started some research on this, so Matt and I have been working together along with Katherine, who is in our user research group to try and start generating in some direction on how to kind of merge all this. So we've done some preliminary work in terms of adding the compliance controls to particular sections within the settings of, for example, we have in the admin setting- or we have it also in the project level. Currently.

A

If there is there, a design, I think like I, was about to see something on the screen with one of you, my sharing your screen.

C

Yeah just one moment I'm looking for that here we go. Don't worry six.

C

So this was one of the initial research proposal who are doing this is kind of the initial workflow and just creating a new project, and so just trying to think about where we're creating these compliance protocols. So normally you would create a project within the project. There is a screen that allows you to set parameters.

C

These are the current default parameters and then the idea of you to add a new function called the compliance protocol section we're trying to think about what that section looks like another solution: we're trying to plan if we go to, for example, creating something within the projects.

C

You have your project listing as we want to change the active project status. So we would select the project from here. You would see the project details and then we would go to the sir computing security and compliance section and we're kind of trying to id8. What would could this feasibly be? Currently, we have just some general ideas, we're kind of again in the research phase, but this would be the initial part where we would just add the Gittler, the atlanta control framework from here we go and see. If these were now compliant or not.

C

Once you activated the status of that and then from here we would move on to looking at. For example, the merge request you'll see that there's a notice that this has failed, the compliance checks once this has been established and all this again is kind of preliminary research. We're just trying to see what makes sense does this flow create any sort of new questions and that we haven't thought of yet or any new problems and to see how we can resolve those questions.

A

Yeah I love that vision, I. Think that's really interesting. I love the idea of being able to apply a framework to at the project level, and then it could see it kind of distilled down. You know to the merge request level introduce what's complying it, not that you were about to show it in an issue related to the merge request. Sending widget do you might like sharing your screens on you. Do that I'm. First, one! That's going to plenty yeah.

B

For sure, so, I think I believe this is the issue that we're about to go over and- and this is currently scheduled for 12:00 8:00. This is a this. Is our current MBC thoughts based on the research Daniel just covered and what we think might manifest in twelve eight.

B

So it's been refined a bit down into this higher fidelity type of prototype, and so we think that there's the opportunity to add in this compliance settings expandable area within the project settings that would then allow a customer to say yes, I, want to end label or excuse me, enable the gate live control framework right now we're looking at the existing features. We have. That makes sense our seem to be a universal ask across the board, such as disabling self approval at the instance and soon to be the group level for comm users.

B

So there there's some consideration there as far as timing, to make sure that we have both of those features available to be able to bring this to all of our customers, though this is the first iterative step and you know, may later iterate to include comm, but that's where it stands right now, as far as the current prototype in MVC to Daniel's point we're also, ideally trying to include even just this informative indication within the merger quest widget.

B

That says, you said that you wanted this control in place, that the merge request, approval settings were restricted and enforced at all times. So we just want to show you that for every merger quest this was in fact the case.

B

Simple simple, visual artifacts like that that we'd like to eventually generate CSV exports for or some some export for, simple indicators like that are useful for an auditor, because it answers the question of what you say: you're enforcing it now show me you are, and the visual indicators should also provide that detail to show well I, guess it's already kind of there and by way of the approvers list and a screenshot of those settings being locked down. So, for example, if auditor says okay, you say that these settings are enforced.

B

So then show me the settings and the settings from a admin view should be in theory different than what the non admin sees non admin would be unable to make changes which an author would ask show me that they can't make changes and then the actual indicator on the merge request. Widget would show that we are tracking that this was in force, and so it's kind of that that front full start to end tracking of the process to show what we say. You do show me you're, saying it and show me the evidence.

B

Yeah.

A

That's that makes a lot of sense. I, really like the way that's being displayed in the UI I. Think that's interesting, I think one thing that I'm that we need to make sure that we we consider is iteration I, think that you know when we're considering these frameworks, they can quickly like roll up like tons of different requirements and controls. I. Think it's!

A

Okay, if you just start with, you know one if, like the GCF framework, only enforces like one or two controls, so we can iterate on adding to them and just talk to it very clearly what is and is not in the GCF, because I think that iteration could be really hard here. If we just kind of look like to let the requirements explode for these frameworks and do too much so like.

B

But I.

A

Really, I really think it's a it's a core approach: yeah.

B

Absolutely I agree with you: a hundred percent, the the first settings or requirements that would be available would be that disable self approval, I think realistically, the first iteration will be that it's available only to self managed instance, administrators in a perfect world. You know the the waiting would be small enough that we could also include com, feature parity because I know this is a pain point for comm customers as well, but I think realistically would be iterating on that self managed and then followed by feature parity to comm and.

A

We don't think we can accomplish both, because there's no admin forbid lab calm, that's user accessible. So is that the reason or abilities in the admin level like? Is that the reason right.

B

That would be the primary challenge and figuring out. How do we bring disabling self approval at the group level, which is another issue as well I believe it's linked to this. Let me find that.

B

You I don't know if I'm going to find it quickly, but there-there is an issue that I'll make available in the mural. That's in the slide presentation that will be posted with this video that links to that. But there is a partner issue that brings disabling self approval to the group level so that comm customers will have a way to do that. Okay,.

A

Sounds good that makes sense I'm happy to take that on to a separate conversation, but glad you're thinking about both and trying to iterate as quickly as we can by starting starting where we can make sense. I think that that kind of concludes this conversation thanks a lot for the help. If people want to like dive into these issues and these epics in the direction a little bit deeper, you know we're gonna kind of go yeah.

B

So I'll provide I. Think I can provide a public mural link, I assume, but I'll provide at least the PowerPoint slide. That's linked within the mural link. Here the presentation just summarizes what we've talked about here, separated by category so the compliance frameworks, compliance controls, audit events and audit reports so that detail we made available in the video description awesome.

A

Thanks a lot for that, thanks for the conversation y'all, this was great, really helpful and thanks for sharing your thinking here, this is exciting direction. Yeah.

B

I appreciate you guiding it along thanks.

C

Anyway, thanks y'all, thanks guys good good.

B

To see I see.