Why you should deploy your own confidential GitLab

Edgeless Systems
3 min read, Dec 20, 2022

The challenge

Relying on online platforms such as GitHub to manage sensitive source code is convenient, but it also has security and compliance implications. In essence, users of such offerings cannot tell who is able to access their repositories: hackers or malicious insiders could gain access to private repositories, or bugs in the platform's own code could lead to data leaks.

To address such threats, companies often resort to running GitHub Enterprise or its competitor GitLab on-prem in a self-managed way. However, maintaining on-prem infrastructure is typically costly, comes with its own security challenges, and is often not even an option.


The solution

Confidential computing provides a cost-effective alternative to on-prem deployments. It keeps data encrypted even while it is being processed: the CPU encrypts the memory of a confidential VM (CVM) and isolates it from the host it runs on. Applied correctly, confidential computing can shield even complex applications from the underlying cloud infrastructure, so that neither system administrators, cloud-provider employees nor attackers with privileged access to the host can read the workload's data. Through remote attestation, this property can also be verified from the outside. Basic confidential-computing features, that is, individual CVMs, are readily available on major clouds like Azure and GCP. On their own, however, they protect only a single VM: they do not make a multi-node, scalable deployment such as GitHub Enterprise or GitLab, including its storage and its network traffic, confidential and verifiable as a whole.

For this, you need a solution like Constellation. Constellation is open-source software that protects entire Kubernetes deployments end-to-end with confidential computing on public clouds. In essence, Constellation can shield and runtime-encrypt any application that runs on Kubernetes. Thus, with Constellation you can run a complex source-code management system like GitHub Enterprise or GitLab on a public cloud with the assurance that the code is always encrypted and cannot be accessed by the cloud provider or by attackers coming through the infrastructure.


Technical details (how to…)

Constellation runs every node of the Kubernetes cluster, control plane and workers alike, in a runtime-encrypted and isolated CVM. Before a node joins the cluster, Constellation verifies its attestation, i.e. the integrity and authenticity of the CVM and that it boots the expected ("good") Constellation node image. Traffic between nodes is encrypted, and persistent volumes are encrypted by Constellation's storage layer before anything is written to cloud storage; the keys for this are generated and managed inside the CVMs and never leave them. As a result, all data leaving the CVMs, whether over the network or to disk, remains encrypted, without any additional coding by the developers: when GitLab's Redis or PostgreSQL writes to its volume, the cloud provider only ever sees ciphertext. The constellation init command performs the same attestation check for you from the outside (and constellation verify repeats it for a running cluster); once it has succeeded, you can be confident that kubectl is talking to an end-to-end confidential cluster. Note what this does and does not cover: the infrastructure, including its administrators, is removed from the trusted computing base, but a vulnerability in GitLab itself or a stolen GitLab user credential still grants the same access it would on any other deployment. For more information, please see the Constellation docs.
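One check a practitioner will want right after installing GitLab on such a cluster is that every PersistentVolumeClaim really landed on one of Constellation's encrypting storage classes, rather than on a plain cloud-provider class that a Helm chart value might have pinned. The script below is an added example, not code from this post or from the Constellation project. It assumes the storage class names encrypted-rwo and integrity-encrypted-rwo as documented for Constellation (check them against your version), and the PVC listing it embeds is constructed by hand in the shape of kubectl get pvc -A -o json output so that it runs offline; pass --live to run it against the cluster whose kubeconfig constellation init wrote.

```python
"""Post-deployment audit: are all of GitLab's volumes on Constellation-encrypted storage?

Added example; not code from the Edgeless Systems post or from Constellation.
Assumptions (labelled): Constellation's CSI storage classes are called
"encrypted-rwo" and "integrity-encrypted-rwo" (check against your version), and
SAMPLE_PVC_LIST is a hand-constructed stand-in for `kubectl get pvc -A -o json`.
"""
import json
import subprocess
import sys
from typing import Dict, FrozenSet, List

# Assumed names of Constellation's encrypting storage classes.
ENCRYPTED_STORAGE_CLASSES: FrozenSet[str] = frozenset(
    {"encrypted-rwo", "integrity-encrypted-rwo"}
)

# Constructed sample: two volumes on Constellation classes, one pinned by a chart
# value to a plain cloud class, and one with no class at all (cluster default).
SAMPLE_PVC_LIST: Dict = {
    "items": [
        {"metadata": {"namespace": "gitlab", "name": "data-gitlab-postgresql-0"},
         "spec": {"storageClassName": "encrypted-rwo"}, "status": {"phase": "Bound"}},
        {"metadata": {"namespace": "gitlab", "name": "repo-data-gitlab-gitaly-0"},
         "spec": {"storageClassName": "integrity-encrypted-rwo"}, "status": {"phase": "Bound"}},
        {"metadata": {"namespace": "gitlab", "name": "redis-data-gitlab-redis-master-0"},
         "spec": {"storageClassName": "managed-csi"}, "status": {"phase": "Bound"}},
        {"metadata": {"namespace": "gitlab", "name": "gitlab-minio"},
         "spec": {}, "status": {"phase": "Pending"}},
    ]
}


def unencrypted_pvcs(pvc_list: Dict,
                     encrypted_classes: FrozenSet[str] = ENCRYPTED_STORAGE_CLASSES) -> List[str]:
    """Return 'namespace/name (class)' for each PVC not on an encrypting storage class.

    A PVC without a storageClassName is flagged too: it gets the cluster's default
    class, and the audit should not rely on what that default happens to be.
    """
    findings: List[str] = []
    for item in pvc_list.get("items", []):
        meta = item.get("metadata", {})
        sc = item.get("spec", {}).get("storageClassName")
        if sc not in encrypted_classes:
            ns = meta.get("namespace", "default")
            findings.append(f"{ns}/{meta['name']} ({sc or 'no storageClassName'})")
    return findings


def pvcs_from_cluster(namespace: str = "") -> Dict:
    """Fetch the live PVC list with kubectl. Use the kubeconfig written by
    `constellation init` so the check runs against the attested cluster."""
    cmd = ["kubectl", "get", "pvc", "-o", "json"]
    cmd += ["-n", namespace] if namespace else ["-A"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def main() -> int:
    # Offline by default (constructed sample); --live queries the real cluster.
    pvcs = pvcs_from_cluster("gitlab") if "--live" in sys.argv else SAMPLE_PVC_LIST
    findings = unencrypted_pvcs(pvcs)
    for finding in findings:
        print(f"NOT ON A CONSTELLATION-ENCRYPTED CLASS: {finding}")
    print(f"{len(findings)} of {len(pvcs.get('items', []))} PVCs need attention")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed sample the script flags the Redis volume (pinned to managed-csi) and the MinIO claim that carries no storage class; the PostgreSQL and Gitaly volumes pass. A non-zero exit code makes the check usable as a gate in the pipeline that deploys GitLab.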

In this blog post, you can follow a step-by-step tutorial on how to deploy GitLab on Constellation.

Follow us on LinkedIn to get all our newest updates. If you are interested in learning more about the general concepts of confidential computing, you can read our comprehensive whitepaper.


Edgeless Systems

Edgeless Systems is a German cybersecurity company that provides state-of-the-art software for Confidential Computing.