SAFEHARBOR-REGISTRY-SOLUTION

THE COMPLIANCE ORIENTED ENTERPRISE DISTRIBUTION OF HARBOR

In every major DevOps practice there are four items: an ideation tool, a build tool, a repository/scan tool set, and a ticketing system. These make up the four pillars of any large-scale DevOps practice. So critical are these tools to these practices that they will be funded regardless of changes, good or bad, in the macro economy.

The general trend in the consumption of software is a notable increase in the percentage of applications developed as containers in the last 6 months, as mainstream software companies have all started initiatives to distribute their revenue-producing software in a container-based format.

Cyber-attacks and data breaches have become a weekly event in the news, and many of these incidents revolve around the software pipeline. Organizations now realize the importance of their pipelines, and at the heart of these systems is the repository, where the intellectual property is stored. The three main groups that work with these pipelines, Development (DEV), Test/QA, and Operations (OPS), have all realized that a secure repository is central to their operations.

The world is moving to open source because it provides a deterministic path to long-term control and resource supply for the business. Compliance-oriented companies know that open source in the wild must have guard rails with support and must be deployed in a controlled manner. Devgistics has accomplished this through its enhanced version of Harbor, allowing it to be used in the most secure and regulated organizations.

Current market offerings are limited to two solutions, but neither of them is container native. Both come from a previous methodology: Sonatype Nexus is a virtual machine solution and JFrog is a SaaS solution that handles artifacts. Both were pressed into service to perform the basic function of a container registry, but neither was built to be a container native registry. In addition, both are built on a 10-to-15-year-old code base and architecture.

Harbor as a container repository has feature parity with all other major repositories in the market. It would naturally make sense for the world to start moving toward open-source Harbor, just as it moved to Jenkins 10 years ago, mirroring the broader trend from proprietary solutions to open-source solutions.

Critical to any organization's consumption of open-source software is first knowing who the contributions are coming from and where. The Harbor project's main issue is that the majority of contributors are from mainland China. While this might not be a big issue for smaller organizations, it could be very problematic for larger ones that want to make sure their IP and code remain safe and secure. China's contributions would be worrisome if the software were proprietary; the great strength of open-source projects is that we can review, inspect, and make changes to the overall code base. Devgistics did find some vulnerabilities and has made submissions to address them.

The recent onslaught of cyber-attacks has proven that software pipelines are vulnerable. Beyond the immediate damage caused by these recent high-profile cyber-attacks, the real damage is the long-term loss of an organization's reputation. Ensuring that an organization's pipeline is secure is critical not only to avoid a very costly clean-up, but to protect its reputation.

Deployment Methodologies

  • Difficult to Deploy Reliably
  • Focused on Single Cloud Deployment
  • No Ability to Deal with Air Gapped Environments
  • Lacking Distribution with Remote & Edge Use Cases

Storage

  • Most Options Based on Older Generation of VM-focused Solutions
  • Need High Availability of Image Files for Reads
  • Replication Issues
  • No Real Federation of Storage

Limited Solutions

  • Limited Integration with Key Systems
  • Limited Scope of Use with Hybrid Cloud Offerings
  • Tied to Other Solution Offerings

Underdeveloped Market

  • Lack of Feature Development
  • No Full Feature Set per Solution
  • SaaS or Application Only, No Appliance Offering
  • No Multi Arch or Platform Support

In addition, as compliance-oriented entities realize that they are in transition to a container native world, we start to see other weaknesses in traditional repository deployment architectures: older technology, limited choices, the wrong storage model, and designs that have never been corrected in the market. The market is underdeveloped, with only a few real options for the enterprise. Most of these options do not address the need for a very robust storage layer that can make recently written data highly available to a mass of incoming requests. Most of these solutions simply use the AWS S3 API and leave the organization to fill that void. This lack of a real storage layer causes issues when trying to deploy these registries both on prem and in air-gapped environments.

To address the market requirements of meeting compliance, having a true container native system, reducing the risk of using solutions from unknown sources, and solving the need for a highly available storage layer, Devgistics has developed its own distribution of Harbor that addresses all these needs with an offering that can be consumed as a virtual or hardware-based appliance for the modern repository. The market needs a repository that works in highly distributed edge and single-site environments with ease of setup and Zero Trust security principles built in from the ground up. We offer a virtual, physical, or cloud hardened repository built on parallel read/write storage to make sure your repository can withstand the load and function without failure.