How to onboard development contractors securely and quickly using Gitpod

There are three things every organization working with development contractors, third-party developers, etc. should know when it comes to onboarding and security:

  1. Contractors can skip tedious and manual onboarding, even with BYOD policies in place.

  2. Access management for source code and internal resources (like cloud accounts and databases) can be granted temporarily, centrally and instantly.

  3. Virtual desktop infrastructure is not a best practice for secure development environments.

All of the above depends on cloud development environments (CDEs).

In this post, we’ll cover how cloud development environments can make life both easier and secure when it comes to onboarding developers.

How to get contractors submitting PRs on day 1 with one click onboarding

The value of Gitpod’s cloud development environments is simple: automated, pre-configured, and secure development environments for anyone*. Your onboarding flow can look something like this: log in via SSO and open a workspace.

And this isn’t an exaggeration. Gitpod developers onboard in minutes because all they need to do is open a workspace which already has source code cloned and is running securely in their cloud account. All necessary packages are installed, and access to internal resources such as databases, cloud resources or other systems is pre-configured.

What does this mean for contractors?

  • Elimination of the time-consuming process of setting up a local environment, including all of the required system access, often while sitting in a completely different timezone from the majority of your development team.

  • Bring-your-own-device policies are accepted – contractors can use any device ranging from laptops or Chromebooks with Mac, Windows, or Linux operating systems, to iPads and iPhones, for development with Gitpod.

  • Less time nagging, or even trying to find the right person on your platform team to support issues like cloning the right repositories into the right locations, using the correct environment variables, setting up appropriate network configurations, etc.

  • Ability to submit a PR on the day they start.

How to simplify access management for contractors

Gitpod cloud development environments help you onboard anyone* in minutes, while also helping you control the access they have. Instead of granting contractors access to entire internal systems or VPNs, which is typical with traditional hardware or laptop issuing, they get secure access to only the specific code and systems they need. This is enabled by Gitpod’s short-lived ephemeral workspaces and access controls.

To put this into context, here’s what logging into Gitpod looks like for a contractor, all done in a matter of seconds:

  1. Your contractor accesses Gitpod, which runs privately behind your VPN and within your private network (i.e. VPC).

  2. Your contractor verifies their identity using Single Sign-On (SSO) from providers like Google, Okta, etc., and multi-factor authentication (MFA).

  3. Contractor is given source code access using GitHub, GitLab, Bitbucket, etc., so that Gitpod can clone source code on the contractor’s behalf.

  4. Contractor starts a workspace which is launched securely inside your corporate network (i.e. VPC). Source code is not cloned on the contractor’s device.

  5. On start, the workspace pulls any required access and secrets (databases, cloud access, etc.) required for their project using fine-grained OIDC rules.

  6. The contractor can efficiently edit their remotely running code using the editor of their choice, i.e. VS Code or JetBrains.

  7. If the contractor pauses their work, the workspace automatically shuts down, which effectively revokes any access to source code and secrets.
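Steps 5 and 7 above are the security-relevant part of the flow: the workspace's own identity is exchanged for narrowly scoped, short-lived credentials, and stopping the workspace takes them away. The following is an added illustration of that pattern, not Gitpod's code: it models a credential broker that matches OIDC-style identity claims (issuer, audience, org, repo) against fine-grained rules, issues an HMAC-bound credential with a capped lifetime, and rejects anything from a workspace that has been stopped. The issuer URL, claim names, rule format and resource names are all constructed for the example.

```python
"""Model of fine-grained, short-lived access for a contractor's workspace (added example)."""
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac

# Constructed policy: which workspace identities may reach which resource, and with what role.
# A request is matched on the token's issuer, audience and the subject's org/repo claims;
# anything that matches no rule gets nothing (least privilege by default).
RULES = [
    {"iss": "https://idp.example.internal", "aud": "payments-db",   # assumed issuer URL
     "org": "acme", "repo": "payments",
     "grant": {"resource": "postgres://payments-ro", "role": "read_only"}},
    {"iss": "https://idp.example.internal", "aud": "billing-bucket",
     "org": "acme", "repo": "billing",
     "grant": {"resource": "s3://acme-billing-exports", "role": "read_write"}},
]


@dataclass
class Credential:
    resource: str
    role: str
    workspace_id: str
    expires_at: float
    mac: str  # binds the fields above to the broker's key so they cannot be edited client-side


def _mac(key: bytes, fields) -> str:
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def workspace_claims(workspace_id: str, org: str, repo: str, aud: str, now: float) -> dict:
    """Constructed identity-token claims as a workspace would present them when asking for access."""
    return {"iss": "https://idp.example.internal", "aud": aud, "org": org, "repo": repo,
            "workspace_id": workspace_id, "exp": now + 3600}


class CredentialBroker:
    def __init__(self, signing_key: bytes, max_ttl_s: int = 900):
        self.signing_key = signing_key
        self.max_ttl_s = max_ttl_s          # credentials never outlive this window
        self.revoked_workspaces: set = set()

    def issue(self, claims: dict, now: float) -> Optional[Credential]:
        """Exchange a workspace's claims for a scoped credential, or None if no rule matches."""
        ws = claims.get("workspace_id")
        if ws is None or ws in self.revoked_workspaces or claims.get("exp", 0) <= now:
            return None
        for rule in RULES:
            if all(rule[k] == claims.get(k) for k in ("iss", "aud", "org", "repo")):
                grant = rule["grant"]
                expires_at = min(now + self.max_ttl_s, float(claims["exp"]))
                mac = _mac(self.signing_key, (ws, grant["resource"], grant["role"], expires_at))
                return Credential(grant["resource"], grant["role"], ws, expires_at, mac)
        return None

    def revoke_workspace(self, workspace_id: str) -> None:
        """Called when a workspace stops: every credential issued to it becomes invalid."""
        self.revoked_workspaces.add(workspace_id)

    def validate(self, cred: Credential, now: float) -> bool:
        """Resource-side check: not revoked, not expired, and fields untampered."""
        if cred.workspace_id in self.revoked_workspaces or cred.expires_at <= now:
            return False
        expected = _mac(self.signing_key,
                        (cred.workspace_id, cred.resource, cred.role, cred.expires_at))
        return hmac.compare_digest(expected, cred.mac)


def demo() -> dict:
    """Walk a contractor workspace through grant, expiry and stop; returns the outcomes."""
    broker = CredentialBroker(b"constructed-demo-key")
    now = 1_700_000_000.0
    claims = workspace_claims("ws-1", "acme", "payments", "payments-db", now)
    cred = broker.issue(claims, now)
    wrong_aud = broker.issue(workspace_claims("ws-1", "acme", "payments", "billing-bucket", now), now)
    result = {
        "granted_role": cred.role if cred else None,
        "wrong_audience_granted": wrong_aud is not None,
        "valid_now": broker.validate(cred, now),
        "valid_after_ttl": broker.validate(cred, now + broker.max_ttl_s + 1),
    }
    broker.revoke_workspace("ws-1")                 # step 7: workspace paused / shut down
    result["after_stop_valid"] = broker.validate(cred, now)
    result["after_stop_reissue"] = broker.issue(claims, now) is not None
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is the two checks a resource should never skip: the credential expires on its own within the TTL, and a stopped workspace cannot reuse or re-request it, which is what makes "shut down the workspace" equivalent to "revoke access".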

At any point, you can remove your contractor's access to your Gitpod instance, immediately revoking all source code access and internal system access.

This is done from a central location at the time of onboarding as well as offboarding. What does this mean for contractors?

  • Immediate access to only the tools, dependencies, extensions, etc. that your organization wants them to use.

  • Immediate removal of access on the day your contractor finishes – because Gitpod’s development environments are controlled by the platform teams, once access is revoked there is no way for contractors to access the same systems via their hardware.

For more, see modeling identity and access with Gitpod.

How to secure development environments for contractors and a quick history on virtual desktop infrastructure

It is a common misconception that virtual desktop infrastructure is the only way to provide secure development environments for contractors. This is mostly because adoption of VDIs started around 2005-2006, when organizations wanted to move away from managing desktop PCs and thought thin clients would be an economical solution for employees who were in the office.

Once VDIs started to see increased adoption, organizations realized they were not in fact a cost-effective solution, and in many cases were more expensive than the desktop PCs they began with. Because of this, adoption between 2015-2020 became hyper-focused on allowing third-party access to resources securely. The use case shifted from in-office employees to offshore employees, especially as regulated industries expanded globally.

And finally, from 2020 to now, we have seen adoption shift from solely offshore employees to extending a corporate desktop to work-from-home employees.

While VDIs have worked reasonably well for non-developers, they have been grossly insufficient for developers. They can end up costing more per hour than a cloud development environment, may take upwards of five minutes to start up, and often lack critical integrations and workflows essential for modern development, such as container-based development and cloud integrations.

This is why Gitpod’s cloud development environments are your best option for providing secure, remote access to contractors. Here are some of the reasons:

  • Ephemeral development environments: Gitpod is the only ephemeral cloud development environment solution on the market. Ephemeral workspaces ensure that each development environment starts clean and with fresh credentials. Developers can request the right amount of compute (i.e. CPU and memory), unlike static VDIs. Ephemeral workspaces also spin down on timeout, saving the cost of over-provisioning.

  • Reduced attack surface: CDEs help to reduce the surface area that a breach can occur on because everything related to development happens within an isolated environment. Ephemeral environments take that a step further by being short-lived, reducing the risk of malware persistence and code exfiltration further.

  • Data residency and control: Sensitive data and intellectual property never leave Gitpod's development environment, because this information never resides on a contractor's hardware.

What does this mean for contractors?

  • They can wipe a development workspace clean and spin up a new one if required with the click of a button.

  • They can work from anywhere in the world because data residency and control lives within the cloud development environment.

If securely onboarding developer contractors within a few minutes is interesting to you, book a demo with us or try Gitpod for free.
