Leading insurance provider improved developer productivity using secure, standardized, and automated development environments
Highlights
- Securing development environments for a regulated organization: a leading provider of insurance solutions moved to Gitpod Enterprise to improve the security posture of their development environments.
- Improving processing power: from developing on underpowered Windows machines, slowed further by endpoint security scanning, to Gitpod’s ‘zero resource limitation’ ephemeral development environments.
- Reducing environment drift: previously, the platform team spent hours writing scripts and supporting different Windows operating systems. Now, with standardized development environments based on Linux, development matches production.
- Empowered platform teams and enabled developers: compared to their previous VDI-only solution, Gitpod lets platform teams define development environments in declarative configuration and gives developers a better developer experience, balancing compliance control with developer freedom.
About the company
Company ‘Y’ is a leading provider of insurance solutions with payments to policyholders exceeding 1 billion annually. They are authorized and regulated by financial authorities in their country.
Challenges of Virtual Desktop Infrastructure for software development
‘Y’ has a company mandate of using virtual desktops (VDI) powered by Citrix. Citrix is hosted in their data center and used for both administrative work and software development. Their VDI setup is based on the Windows operating system with developers writing applications that target Linux. Compatibility issues meant the platform team spent considerable time managing scripts.
For developers, special higher-powered environments were procured for better performance, but these had long lead times, creating work for the central IT team and slowing developer onboarding. The platform team historically did not own this VDI setup, so they were unable to give developers the right tools or access on their machines.
They noted that the desktop-as-a-service (DaaS) offerings from all the cloud vendors were underpowered for building on a Windows machine. Decoupling VDI from the developer use case meant they no longer had to approach these vendors with special requirements. Gitpod was developer-ready out of the box and let them provision and tear down environments trivially.
Secure air gapped development environments with Gitpod
‘Y’ had the opportunity to review their current inefficient VDI setup and address the negative impacts on developer experience and time-to-market. It was critical to them that any future solution would meet strict regulatory and compliance requirements, but give the required flexibility for development use cases.
They chose a solution where developers could use uniform VDI instances for administrative tasks and access Gitpod directly from their VDI for development.
The following are the benefits that ‘Y’ highlighted in their move to Gitpod’s standardized and automated development environments:
Decoupling software development and desktop use cases: By separating use cases for remote desktop access and development, developers have the power to build applications through dynamically sized environments without causing their admin applications, like Outlook, to crash. Security scanners are still installed on the VDI but no longer disrupt development flows in “delaying every system process launch”.
Alignment between development and production: Now, with standardized development environments based on Linux, development matches production and the platform team no longer has to write and manage scripts for many Windows operating system versions.
Flexibility of tooling installation: Finally, the platform team gained ownership and control of tooling, ensuring developers meet compliance and security requirements while staying in flow.
Using VDI for administration and Gitpod for development
Existing desktop-as-a-service (DaaS) vendors don’t give the power and flexibility for the developer use case that a standardized, automated development environment like Gitpod does. For example, with a VDI, compute resources are static and it is uncommon for a user to have more than one VDI allocated. With Gitpod, platform teams and developers can right-size development resources to the task, and use the ephemerality of workspaces and their timeouts to manage cloud costs. This ensures developers are not needlessly over-provisioning resources and that unused compute is spun down quickly and automatically.
Additionally, because ‘Y’ virtual desktops are heavily instrumented with tooling such as security agents from the central IT team, those agents consumed at least one of the four CPUs available to each VDI, leaving developers without enough machine power for their daily work.
Alignment between development and production
Previously, the platform team would have to write many scripts for the different Windows operating systems and specifications to ensure development environments were correctly set up. Those scripts would need to be installed and configured manually by developers.
With Gitpod, development environments are standardized and based on Linux, which aligns to how ‘Y’ systems run in production. The use of the Gitpod declarative definition for development environments allows the platform team to ensure development environments can be self-served by developers.
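As an added example, not configuration taken from ‘Y’ or from Gitpod’s own documentation, this is a .gitpod.yml of the kind a platform team would commit to a repository so that every workspace starts from a pinned Linux image matching production and installs its own tooling. The private registry, image tag, make targets, port, and extension are assumptions.

```yaml
# Added example .gitpod.yml (not from the page or from Gitpod's docs).
# Pinning the image tag is what keeps development aligned with production:
# the same base image the production build uses, at a known version.
image: registry.example.internal/platform/dev-base:1.4.2   # assumed private registry and tag

tasks:
  - name: bootstrap
    # init runs once when the workspace is first created (or in a prebuild);
    # heavy, cacheable setup belongs here rather than in command.
    init: |
      make deps          # assumed target: fetch pinned dependencies
    # command runs on every workspace start.
    command: |
      make run           # assumed target: start the service locally

ports:
  - port: 8080           # assumed application port
    onOpen: notify
    visibility: private  # keep the dev port reachable only to the workspace owner

vscode:
  extensions:
    - ms-python.python   # assumed; tooling is declared here, not installed by hand
```

Because the file lives in the repository, access to it is gated by the same GitLab permissions that gate the source code, and a change to the image tag is reviewed like any other change. Developers self-serve by opening the repository; the platform team changes the environment by changing the file.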
A secure platform for enabling centralization and control: implementation details
Installing Gitpod via CloudFormation
‘Y’ were supplied a CloudFormation template which installs all necessary resources to run the Gitpod application, like underlying clusters, databases, and networks.
As customizations to Gitpod, ‘Y’ provided:
- Their preferred region.
- Their VPC preference.
- Their custom domain.
This template took around 1 hour to install.
Following installation, ‘Y’ configured their private GitLab installation. Gitpod refers to the SCM provider as the source of truth for gating source code access. Any development environment started in Gitpod must also have access to the respective GitLab repository, allowing them to retain control over identity and access within their development environments through GitLab.
Networking configuration
‘Y’ opted for a private networking configuration. All data transfer is over private connections and never over the public internet. The installation is isolated from the internet except for explicitly allowlisted endpoints, so ‘air gapped’ here means no unmanaged ingress or egress rather than a physically disconnected network. They have a separate AWS account for their transit gateway that does all of the routing in their estate. The account separation keeps firewall and networking configuration private.
All traffic, whether from the public internet, Direct Connect, or other AWS accounts, is routed through their firewall and inspection VPC before reaching the target AWS account. This firewall is ‘deny by default’; ‘Y’ adjusted it to allow connections to Okta, GitLab, and AWS endpoints, which blocks, for instance, connections to any unexpected source control host outside the installation.
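As an added example, not ‘Y’’s actual firewall configuration nor a template from Gitpod, this is how the deny-by-default egress control described above can be expressed as an AWS Network Firewall rule group and policy in CloudFormation. The rule group and policy names and all domains are placeholders; the Okta tenant suffix and the private GitLab hostname are assumptions.

```yaml
# Added example (not the customer's or Gitpod's own template): a deny-by-default
# egress firewall with an explicit domain allowlist. Names and domains are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Deny-by-default egress inspection with an explicit domain allowlist
Resources:
  EgressAllowlist:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: dev-env-egress-allowlist
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        RulesSource:
          RulesSourceList:
            # ALLOWLIST: listed hosts pass; any other HTTP/TLS destination is dropped.
            GeneratedRulesType: ALLOWLIST
            TargetTypes:
              - TLS_SNI
              - HTTP_HOST
            Targets:
              - ".okta.com"                 # identity provider; leading dot matches subdomains (assumed tenant suffix)
              - "gitlab.example.internal"   # placeholder for the private GitLab host
              - ".amazonaws.com"            # AWS service endpoints
              # The instance also reports metrics to, and polls updates from, the
              # Gitpod control plane. That hostname belongs here too; it is not
              # shown because the page does not state it.
  EgressPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: dev-env-egress-policy
      FirewallPolicy:
        StatelessDefaultActions:
          - aws:forward_to_sfe          # hand every packet to the stateful engine
        StatelessFragmentDefaultActions:
          - aws:forward_to_sfe
        StatefulRuleGroupReferences:
          - ResourceArn: !Ref EgressAllowlist   # Ref on a RuleGroup returns its ARN
```

Two caveats a practitioner would check. A domain allowlist only governs HTTP and TLS flows it can classify by Host header or SNI; any non-HTTP egress (SSH to GitLab, package mirrors on other protocols) needs explicit stateful rules, and anything not matched should fall through to a drop. And the allowlist is the place where a repository outside the installation is blocked, so the review of that list is part of the source-control access control, not just a networking concern.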
Once installed, Gitpod (the vendor) has no direct access to any nodes, pods, or data in the running Gitpod Enterprise instance. Select metrics about the installation are reported back to the Gitpod control plane to ensure the installation is operating healthily. Any data transmitted from the Gitpod Enterprise cell is made available to ‘Y’ for inspection.
Gitpod handles application updates
‘Y’ previously had poor experiences with self-hosted products, where updates took days or even weeks. With Gitpod, the instance itself polls for application updates, calling out securely to find and apply them. This gives ‘Y’ a constant stream of product functionality updates, security fixes, and cost optimizations. When infrastructure changes are required, they are generated automatically as changes to the existing CloudFormation template. Because the product is uniform, updates are applied in minutes, not weeks or months. For additional release assurance and continuity, ‘Y’ opted for a blue/green infrastructure setup, running two installations of Gitpod so that a release can be validated on one before it is relied upon.