Gjensidige builds on GitHub and Azure to put security front-and-center in new application platform

Gjensidige, the largest insurance company in Norway, must do all that it can to keep customer data secure. To achieve this, the company built on the combined capabilities of GitHub Enterprise and Microsoft Azure to deliver a modern ‘DevSecOps’ environment that puts security front-and-center at all times. Developer-first security tooling integrates seamlessly into existing development workflows, helping developers to write more secure code, embrace security best practices, and respond quickly to software supply chain vulnerabilities. All stakeholders can collaborate on security as a shared responsibility, enabled by policy automation and deep, real-time visibility into the company’s security posture.

Download video transcript

“In the past, security issues were often caught at the end of the development process, where they took a lot more time to fix. Today, with automated security controls embedded into their workflows, developers get instant feedback and can fix things right away”

Rida Aatif, Head of the Cloud Platform and Infrastructure Team, Gjensidige

A 200-year-old brand built on trust

Gjensidige is the largest insurance company in Norway, with a presence in Denmark, Sweden, and the Baltic states. The company offers a full range of insurance products, including protection for homes, automobiles, personal property, boats, valuables, life and health, travel, and pets.

With a history dating back to 1816, Gjensidige clearly wasn’t ‘born in the cloud.’ However, that’s not to say the company isn’t a modern enterprise. Today, Gjensidige does most of its business digitally, working hard to preserve and strengthen the trust it has earned from customers over its 200-year history as it engages with more and more policyholders online.

To foster that trust, at a minimum, Gjensidige must deliver an online presence that remains available at all times, giving customers the confidence that Gjensidige always stands ready to meet their needs. Just as important, in today’s online environment, to retrain that same trust, Gjensidige must do all that it can to keep customer data secure.

“For 200 years, we’ve helped safeguard the lives, health, and assets of our customers,” says Rida Aatif, Head of the Cloud Platform and Infrastructure Team at Gjensidige. “We need to remain just as vigilant in protecting their data. Trust is essential to our brand; we take it very seriously.”

Keeping customer data secure in the cloud

Although Gjensidige has always paid attention to security, as it began to embrace the cloud, the company realized that its existing approach to security would need to evolve. The journey began in early 2020, when Gjensidige selected Azure as its preferred cloud platform, with the goal of enabling application modernization at enterprise scale. By early 2021, planning, and experimentation, Gjensidige had a firm grasp on the complexities involved and had chosen an architecture based on Azure Kubernetes Service for its new Gjensidige Application Platform.

To optimize security, Gjensidige knew it would need to break some ‘old habits’ it had developed over the years. “In the past, application developers were in one silo and IT security was in another silo,” says Sigurd Falk, Lead Platform Engineer on the Cloud Platform and Infrastructure Team at Gjensidige. “We can’t afford to work like that today. Instead, we need a security-first mindset—with shared accountability for security from the start of the development process.”

Under the old way of working, while developers were mindful of security, it wasn’t front-and-center as they worked. Teams used different security tools, with excessive false positives during code scans often resulting in loose-ends. Dependencies in open-source software supply chain components weren’t tracked or managed consistently, and the IT security team didn’t have a consistent, top-down view of how security was being handled across the organization.

To properly secure its new application platform in the cloud, Gjensidige had to embed security into developer workflows with structure and predictability—and adapt to address the many ways security needs have changed over the past few years. Key considerations included:

How to best secure new architectures enabled by the cloud—specifically, the company’s chosen Kubernetes environment.
Enforcing security best-practices during development, such as preventing security keys from being stored in code or documentation.
Increased use of open-source software in the supply chain, along with all of the inherent dependencies and potential vulnerabilities.
Elimination of manual configuration in the DevOps pipeline (e.g., through infrastructure-as-code), and how to secure that infrastructure code along with other software assets.
Protection against how hackers are increasingly targeting upstream dependencies and engineering systems, resulting in potential vulnerabilities across entire development environments and software supply chains.

Gjensidige also had to break down the silos that existed between its development and IT security teams. This required increased visibility into security checks within the development process (including the lack thereof), as required for all of those teams to work together more effectively. “To foster deep collaboration, we needed to first create a single source of the truth for all things security-related—visible to all stakeholders at all times,” says Aatif.

Finally, Gjensidige had to achieve all this in a way that wouldn’t impede Developer Velocity. “We wanted to build an application platform that’s secure by design—and one that developers would want to use,” says Oyvind Bergerud, Senior Security Architect at Gjensidige. “To achieve this, we had to think of our new application platform as a product, with developers as its end-users. They had to trust what we were going to deliver, knowing that we built it for them.”

Building a security-first application platform

Gjensidige built on the combined capabilities of GitHub Enterprise and Microsoft Azure to deliver a modern ‘DevSecOps’ environment that puts security front-and-center at all times—from developers writing code to running that code in a production environment. According to Aatif, the company’s DevSecOps approach is a natural evolution of where they were already headed—and another reason that Gjensidige decided to use Azure. “We were already doing DevOps, embracing the cloud, adopting Kubernetes, and so on,” he says. “The additional cloud services we used to achieve our security goals—namely, GitHub Advanced Security and Microsoft Defender for Cloud—are parts of the same ecosystem. Everything flows well and ‘just works’—regardless of whether we’re modernizing legacy applications or building new cloud-native ones.”

Gjensidige chose Microsoft for other reasons, as well. One was data residency, with two new Azure data centers in Norway providing an easy way to meet regulatory requirements. Microsoft’s own commitment to security was also compelling, giving Gjensidige confidence that they would be working with a company that understood it deeply, at all levels—from internal research and product development to running a global cloud platform. “Microsoft has a security-first mindset in all that they do,” says Aatif. “Having access to that same expertise as we built our own application platform was invaluable.”

In taking advantage of all that GitHub and Azure had to offer, Gjensidige relied deeply on training and other forms of skills transfer from Microsoft. Before Covid-19, they sent developers to classroom training at the Microsoft Technology Center in Norway. They also took advantage of courses offered through Microsoft Learn, enrolling all developers in the Azure Fundamentals class. Participation in the Microsoft Unified Support program provided access to additional guidance and expertise, such as access to Global Black Belts in various technology areas.

Prescriptive guidance provided by the Microsoft Cloud Adoption Framework for Azure also proved helpful, such as how to create landing zones for building new applications and modernizing existing ones enterprise scale. “The Cloud Adoption Framework gave us out-of-the box recipes for secure implementation—so we didn’t have to innovate anything new” says Ritesh Grover, Cloud Solution Architect at Gjensidige. “We simply aligned its policies to our requirements, hand-picked the recipes we needed, and implemented it. It gave us an easy way to ensure we’re doing things the same way Microsoft does.”

The Microsoft DevSecOps solution

Before getting into exactly what Gjensidige built and how it works, it’s worth examining the full Microsoft DevSecOps solution. At a high level, it serves two functions.

The first function, illustrated across the top row of the diagram below, is about securing the developer workflow as code is being created.
The second function, shown across the bottom row of the diagram, tends to the code after it's deployed in production.

The Microsoft DevSecOps solution is a unified environment that spans development workflows through security operations.

Now let’s take a deeper dive into the various DevSecOps solution components Gjensidige is using, what they do, and how the company is putting them to use.

Embedding security into developer workflows

At Gjensidige, developer workflows are supported by GitHub Enterprise, which provides a comprehensive platform for “shifting left” on security—that is, for embedding security into developer workflows in a way that keeps it front-and-center at all times. “Shifting-left on security is part of an evolution at Gjensidige—one that happened a bit organically,” says Aatif. “We’ve done DevOps for several years and DevSecOps is the next step in that evolution, getting developers to think about security as well as operations when they’re coding. Our goal on the platform team to make that as easy for them as possible.”

A key enabler in keeping security front-and-center for developers is GitHub Actions, which enables consistent and predictable automation in development workflows. “I really love using GitHub Actions, which makes it simple to automate just about anything,” says Philip Rost Wehinger, who leads the Cloud Analytics Group at Gjensidige. “The necessary infrastructure is handled by GitHub, so implementing new automations is a trivial task.”

A good example of such automation is repo creation, which is now fully policy-driven. “Repos are no longer created manually,” explains Falk. “Instead, we used GitHub Actions to create an automated, self-service process. The push of a button creates a predictable, policy-driven environment that incorporates security best practices, including all of the necessary default permissions, branch protections, pull request approvals, and so on.”

To make security as front-and-center as possible, Gjensidige has chosen to make all code available to all developers by default. “This gives developers the power to easily collaborate--to contribute, to suggest, to comment, and to share best practices across teams,” says Falk. “We can do this because of how we’ve automated and added guardrails to our GitHub environment.”

During repo creation, automated scanning for security vulnerabilities is turned-on for supported programming languages and/or code frameworks. Powered by GitHub Advanced Security, these scans are helping Gjensidige find and address potential security vulnerabilities as soon as possible in the development process—so that developers can immediately fix them.

The types of scans performed by GitHub Advanced Security include:

Code scanning - searching for potential vulnerabilities and coding errors, such as vulnerability to a SQL injection attack. These scans are powered by CodeQL, an industry-leading semantic code analysis engine developed by GitHub.
Secret scanning - checking for keys, tokens, and other secrets that may have been checked into a repo.
Dependency review - showing the full impact of changes to dependencies and the details of any vulnerable versions—including automated fixes to many vulnerable dependencies. (Dependency review also covers open source, as described in this article.)

“We use code scanning on every pull request, as a natural part of the developer workflow,” says Bergerud. “In fact, every time we’re pushing new code, it’s scanned several ways. Developers get instant feedback and can fix security issues on-the-fly, such as moving secrets out of code and into Azure Key Vault—as recommended in the Cloud Adoption Framework.”

Adds Falk, “As we move new projects into the Gjensidige Application Platform, we’re catching a lot of vulnerabilities in our open-source dependencies. Fortunately, we’re now able to stay on top of them and have setup alerts to notify teams when new vulnerabilities are found.”

Code scanning, secret scanning, and dependency review are all included with a GitHub Advanced Security license, at no additional cost. Because GitHub is open and flexible at all levels, the company was able to easily integrate several additional, third-party scan engines into its pipelines. For example, after an image is built and before it’s sent to Azure Container Registry, a GitHub action kicks-off a container scan using Trivy, a utility from Aqua Security. Another GitHub action kicks-off a scan of Terraform code using TFsec, another utility from Aqua Security.

“I really love using GitHub Actions, which makes it simple to automate just about anything,”

Philip Rost Wehinger, Leader, Gjensidige

Securing a Kubernetes environment at scale

The runtime environment for the Gjensidige Application Platform is based on Azure Kubernetes Service, a managed Kubernetes environment that gives the company integrated CI/CD, built-in scalability, and enterprise-grade security and governance. “We wanted to empower developers by segregating development tasks from infrastructure, so they can focus on what the business needs,” says Grover. “Containerization on Azure Kubernetes Service enables this quite well.”

In adopting Kubernetes, Gjensidige had to adapt how it thought about application security at runtime. Once again, the Cloud Adoption Framework provided extensive guidance—for example, on topics like cluster and application security on Kubernetes. “The threat model today has changed, especially with increased use of open source,” says Grover. “This makes things like network micro-segmentation and securing individual containers essential for security. That way, if there’s a vulnerability, you get a contained one instead of an uncontained one.”

Falk elaborates on how Gjensidige is achieving this with Azure Kubernetes Service. “In our Kubernetes cluster, we’re implementing a zero-trust environment and securing traffic between pods using network policy. This gives us fine-grained control over network flow, so that a malicious actor can’t easily get into our network and talk to a sensitive service.”

For this zero-trust approach to work, Gjensidige had to make it easy for developers to let their applications communicate. “We’re doing this through infrastructure as code, putting that code in GitHub, and giving developers access to it to open-up communication channels between individual containers,” explains Falk. “One thing I really like about Azure Kubernetes Service is how we can use managed identities for Azure resources to eliminate the need for developers to manage credentials. We wouldn’t have that in a bare-metal Kubernetes environment.”

From a security perspective, Gjensidige is also benefiting from how containerization on Azure Kubernetes Service makes patching easier. “By containerizing microservices, they're independent and it's easier to patch them separately,” explains Bergerud. “After we’ve patched the code and rebuilt its container, we can redeploy that container without touching or affecting anything else.”

Finally, Gjensidige is looking into how it can use additional third-party monitoring agents to scan running containers. “It’s easy to scan container images before they’re deployed, but threats can also be introduced while your containers are running,” says Bergerud. “We’re in the process of evaluating different solutions—Aqua being one of them—to scan containers within our production environment for threats that may have been introduced after deployment.”

Security posture management and workload protection

Having taken steps to shift-left on security, the company still had to pull all security-related information together and make it visible to all, in a way that helps developers and IT security collaborate more effectively. That’s where Microsoft Defender for Cloud comes into play, which Gjensidige is using to continuously monitor and manage its security posture.

With Microsoft Defender for Cloud, results of the many security scans and other checks in the development pipeline are aggregated, augmented with additional information, and surfaced via security-specific dashboards in the Azure Portal. One such indicator calculated by Defender for Cloud is called ‘secure score’, which helps the Gjensidige security team understand its current security situation and work to improve it.

With secure score, Defender for Cloud continually assesses the company’s resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that Gjensidige can monitor its current security situation at a glance: the higher the score, the lower the identified risk level. The secure score is shown in the Azure portal pages as a percentage value, with underlying values also clearly presented. Defender for Cloud's recommendations page lists outstanding actions necessary to raise the secure score—including instructions for each recommendation to help remediate the specific issue.

“Secure score helps us see where we can do better, so we can then follow up with the appropriate teams,” says Bergerud. “It gives us a convenient, common set of security-related metrics and KPIs that we can collaborate on.”

Defender for Cloud also helps Gjensidige with regulatory compliance, providing a dashboard into the company’s compliance posture based on how they’re meeting specific compliance requirements. By default, every Microsoft Defender for Cloud subscription has the Azure Security Benchmark assigned. Gjensidige can also add standards such as NIST SP 800-53, SWIFT CSP CSCF-v2020, Azure CIS 1.3.0, and CMMC Level 3.

“In the past, there were more questions than answers. Today, security is baked-into our application platform from the moment a new repo is created.”

Rida Aatif, Head of the Cloud Platform and Infrastructure Team, Gjensidige

Results

Through developer-first tooling that integrates seamlessly into existing development workflows, Gjensidige’s modern DevSecOps solution is helping developers write more secure code, embrace security best practices, and respond quickly to software supply chain vulnerabilities. All stakeholders are empowered to collaborate on security as a shared responsibility, enabled by policy automation and deep, real-time visibility into the company’s security posture.

“Gjensidige today is a digitally native company; everything new that we do, we do in the cloud,” says Aatif. “New teams are being onboarded to our new application platform quickly, and as they are, they’re quickly finding and cleaning-up lots of vulnerabilities. In the past, there were more questions than answers. Today, security is baked-into our application platform from the moment a new repo is created. We’re a lot more confident about security today.”

As of December 2021, 13 development teams at Gjensidige have adopted the company’s new application platform, including Wehinger’s Cloud Analytics team. And even with security front-and-center as developers work, it hasn’t slowed them down. “Our new application platform is a joy to use,” he says. “In the past, security issues were often caught at the end of the development process, where they took a lot more time to fix. Today, with automated security controls embedded into their workflows, developers get instant feedback and can fix things right away. Such capabilities make us much more predictable in our deliveries to the business.”

While shifting-left has been a cultural change for developers, they’re finding it’s not as hard as some had thought. “We’re not forcing teams to use the Gjensidige Application Platform—it’s entirely their choice, and they can move to it at their own pace,” explains Aatif. “They know they’ll need to own what they build and, if its broken, they’ll need to fix it. We’re just providing a ‘happy path’ that uses self-service and automation to make their jobs easier and help them work faster. So far, not one team embarking on a new project has chosen a different path.”

In addition to increased Developer Velocity, the company’s move to Azure is empowering developers in other ways. Containerization on Azure Kubernetes Service lets them focus on business functionality instead of infrastructure, and they no longer need to implement their own mechanisms for logging or monitoring. “Many of the basic infrastructure needs that developers had to think about for every new project are now baked-into our application platform, ready to configure and use,” says Aatif.

Aatif also appreciates how the company’s new application platform is an open environment, enabling project teams to choose from a broad range of third-party tools. “Azure Kubernetes Service works great with other tools,” he says. “We use a lot of SaaS solutions that aren’t from Microsoft, including Splunk Cloud, Grafana, Prometheus, Confluence Cloud, and many others. They all integrate well with Azure, so it’s not an area we struggle with today.”

The company’s new application platform is also making life easier for Bergerud’s IT security team as well, which now works closely with security champions that are embedded in most development teams. “Before, risk assessments for a project were done by IT security,” explains Bergerud. “Today, they’re done by the individual development teams, with our support. In the past, we were the enforcers and goalkeepers, which didn’t work well. Now we’re more like coaches and consultants. Developers are taking more responsibility for security, knowing that we’re always there to help them if needed.”

Increased transparency into the development pipeline has been a major enabler in helping Bergerud’s IT security team shift to a more consultative role. “Through Microsoft Defender for Cloud, we can monitor the outputs of GitHub Advanced Security scans, view reports on container security, see where the vulnerabilities are, determine where we need to focus, and identify which teams may need our guidance,” says Bergerud. “Having such deep visibility into the development pipeline—with GitHub as our single source of the truth—has been a real game-changer for us.”

Although Aatif is pleased with the progress the company has made so far, he admits the work isn’t done. “We’ve made a good start over the past year, getting developers to take ownership for security and putting it front-and-center in their workflows,” he says. “Our mind-set today is ‘You built it… you own it… and if needed, you fix it.’ And we’ve given them the tools to do that. However, we’re not just building for today—we need to build for security in the future. Fortunately, we now have a powerful yet open DevSecOps platform to build on.”

Find out more about Gjensidige on Twitter and Facebook.