During the past weeks, our Engineering team released a major re-architecture of the ThirdPartyTrust infrastructure: a new and improved Kubernetes cluster. This upgrade will make it easier and quicker to introduce changes and manage configuration items for each of our environments (development, testing, demo, stable). As the Head of DevOps at ThirdPartyTrust, I’m excited to tell you everything about this project.
Introducing the ThirdPartyTrust Kubernetes Cluster Using GitOps
Although most of our processes were already automated, they would be performed via a script. The script was a fast way of automating all the manual work in order to deploy the different artifacts in the different environments. However, this still required copying and pasting code, which was not scalable when we needed to make changes across our infrastructure.
We needed to decentralize and have smaller pieces of reusable code across all environments. This makes them easier to maintain, modify, or even replace.
Why is this update so important?
We have improved visibility over our infrastructure and developed more reliable pipelines to build and deploy code. Our delivery methods are stronger than before. Instead of some down times during upgrades we now have more secure and stable releases, and we’re on our way to zero downtime releases.
Zero downtime releases will allow us to deploy faster, new code, not only throughout the maintenance window but also throughout the day, knowing that we can roll back securely without affecting our customers.
The way I see it, these are the biggest benefits:
- Deploying new features will be easier, faster, and more reliable
- Added more robust rate limiting capabilities
- Serve more traffic in a cost effective manner
- Reproduce the cluster at any time (DR)
- Increasing visibility to detect and mitigate any issues at an early stage
- Reducing costs on the development infrastructure
How does this impact ThirdPartyTrust?
These changes will allow ThirdPartyTrust to release features in a faster, more secure and reliable way. This will in turn allow our team to innovate more and release fixes quicker.
In times where everything is moving so fast, this level of flexibility becomes a competitive advantage.
Secret Management: The Place Where it all Began
The first thing we need to know is that our software delivery approach is called GitOps. The GitOps methodology is all about implementing Continuous Deployment for cloud native applications —it basically says that your source of truth for every single item deployed in the infrastructure is in the Git repository.
This means that everything that’s deployed at any time can be seen by anyone without having to have access to the cluster, but by just inspecting the Git repository.
So when we deploy everything in the repository, we need to manage the secrets. A secret is a configuration item that could be a password, or a license key for a vendor service, or something similar. It is critical to hide the secrets not only from the people that don’t actually need to work with them but also from external parties —such as cybercriminals.
We have already replaced our secret management system with a state of the art encryption system. Now we have taken our security measure to the next level and have everything encrypted at rest in our Git repositories.
With the integration to our ticketing system, this improves the traceability as to who made a change, when it was done, and why it was done.
Why Should Secret Management be a Cybersecurity Priority for all Organizations?
Secret management is one of the cybersecurity aspects that most people tend to minimize. If for some reason secrets are exposed, an attacker could actually use those keys to impersonate an identity and gather data from the network of customers or employees, and use that information for more attacks.
Nowadays data is the new oil and we need to be very careful with how we manage our secrets and who has access to them.
Here go some useful tips:
- Rotating the passwords periodically
- Using multi-factor authentication for all your platforms and tooling
- Having an up-to-date infrastructure to leverage open source tools and blog posts of specialists or companies that have already gone through this
- Start small, but start now. Grab a piece of code or an item that can be delivered automatically has the least impact on the rest of your application, and try to automate it using this GitOps approach.
- Spend some time using this approach with that single feature, and then gradually introduce other features as well. The more you use it the more you will learn.
These best practices will always make for a more secure platform and a more secure company. Protecting our infrastructure is a way to protect our customer’s data too.
What are the next steps?
There is more to come on this front, like the ability to autoscale the infrastructure and recover faster as the platform’s activity increases. As you might know, we’ve experienced a huge surge in traffic as our network has recently reached 12,000+ vendors assessed and this number continues to grow at an amazing pace year over year.
These changes will also allow us to use state-of-the-art tools in various fields such as monitoring, admission controllers, logging, and the ability to handle increased traffic.
In addition to that, having automated the infrastructure creation into the software deployment allows us to start thinking about an automatic disaster recovery strategy.
And as always, these are just iterations and continuous improvements on the quality of the service we deliver to our customers.
I’m pretty excited that we have reached this point. I want to thank my DevOps Team and the entire Engineering Team at ThirdPartyTrust for their amazing work and support on this huge project.
We are at a point where we can start analyzing new scenarios to keep up with what people expect as practitioners of technology and cloud-based apps. These are exciting times!
To learn more about how ThirdPartyTrust can help you streamline your third-party risk assessment and monitoring process, request your free trial now: