Corporate Security (CorpSec)

👋 Welcome to Corporate Security, we’re glad you’re here! You may also know us as the former IT Operations team that moved from the Finance to Security division in early 2024.

Need Help?

Please try exploring the following pages to see if your question has been answered in the handbook pages. If not, please ask in the #it_help channel and one of our Support Analysts will reply as soon as possible.

What We Do

Mission

Security Division Mission

As a remote company, we do not have office buildings, physical datacenters, or other traditional IT environments. All of our team members are issued a laptop that they use to work from home or on the road. Although our engineering and product teams are building software that is deployed on AWS and GCP, almost all of our corporate software is vendor-managed software-as-a-service (SaaS). Although this results in a simpler physical threat landscape, the cybersecurity threat landscape is vast and still requires a lot of attention to do it right.

Our mission is to empower our employees to be productive with the technology provided by the business, enable the business to be successful, protect our customers and their data, and provide internal security for GitLab (the company) and our team member’s use of GitLab (the product).

GitLab is both a company and a product. The Corporate Security department focuses on protecting the technology that the company uses to conduct business internally, and provides the hardware, software, and tools that our team members need to get their job done. We have a 24x5 technical support helpdesk for team members and have engineers that configure and maintain many of our company-wide tech stack applications. We also invest heavily in device trust and identity management to provide the highest level of security assurance for the administrators of our product and ensure all appropriate controls are in place when handling customer data.

Prime Directive

  • Safeguard our organization’s digital assets, ensuring the integrity, confidentiality, and availability of all data.
  • Implement robust security measures, fostering a culture of awareness and compliance among employees, and continuously monitoring and enhancing our information technology systems to protect against evolving threats.
  • Leverage the GitLab platform (dogfooding) to assist us in the securing of GitLab.
  • Provide reliable, secure and efficient IT and Security engineering, innovation, and services built on Zero Trust principles to support cross-functional organizational goals.

Scope

  • Architecting next-generation automation and integration between security-related systems that provide data consistency, reliability, strong security, and auditability
  • Building relationships with cross-department system owners and proposing solutions to ensure our tech stack applications conform to our latest security best practices
  • Consolidating and refactoring legacy tech debt
  • Designing processes and choosing software tools that improve back office automation or mitigate security risks
  • Escalation engineering and crisis response for leadership teams
  • Factor in cost, security, compatibility, maintainability and user experience when making decisions
  • Growing other team members’ skill sets through mentorship to improve operational efficiency and encourage professional development
  • Handbook documentation for processes and systems architecture
  • Identity and access management (IAM)
  • Joint collaboration with process and system owners across the company for improving automation efficiency, security posture, and vulnerability management
  • Keeping leaders and stakeholders informed of next-gen initiatives and contributing to creating automated analytics for day-to-day IT and Security operations
  • Leading innovation opportunities between several teams with a willingness to experiment and to boldly confront problems of large complexity and scope
  • Making technical decisions on behalf of the department and organization while providing presentation support to leaders during technical discussions
  • New tech stack (vendor) application onboarding and provisioning
  • Onboarding provisioning, offboarding deprovisioning
  • Policy and configuration management for organization-wide applications and systems that we manage
  • Role-based access control (RBAC)
  • Shipping laptops to new team members and refreshing older models
  • Tech support for team members and temporary service providers
  • User experience and productivity optimization for internal software and tools
  • Vulnerability and malware risk mitigation
  • Workflow automation for employee lifecycle
  • X-Men, we are. Always be saving the day with a smile on your face!
  • Yesterday’s problems are tomorrow’s opportunities for iteration
  • Zero trust implementation

Direction and Strategy

Services

Engineering

Who We Are

See the Team Directory.

Contact Us

  • Tier 1 Self Service
  • Tier 2 Helpdesk Support
  • Tier 3 Escalation and Systems Engineering
  • Tier 4 Automation Engineering
  • Tier 5 Architecture and Crisis Management
  • CorpSec Issue Tracker
  • Engineers and System Owners - See CorpSec Systems for GitLab group handle and Slack group handle.
    • #corpsec Slack Channel (for technical support, please ask in #it_help)
  • Helpdesk Team
    • #it_help Slack Channel
    • @it-help Slack group
    • it-help [at] gitlab [dot] com
    • @gitlab-com/gl-security/corp/services
  • Management Team
    • @gitlab-com/gl-security/corp/managers
    • Tag the respective functional team manager or director in Slack.
      • Director - Steve Manzuik
      • Program Management - Steve Manzuik, Kim Waters
      • Device Trust - Eric Rubin
      • Helpdesk Support - Michael Beltran
      • Infrastructure - Jeff Martin
      • Laptops and Logistics - Michael Beltran
      • Onboarding and Offboarding Day-to-Day Operations (Helpdesk Services) - Michael Beltran
      • Onboarding and Offboarding Policy and Strategy (Identity Engineering) - David Zhu
      • Platform Engineering (Custom Software Development) - Jeff Martin
      • SaaS Engineering - David Zhu, Eric Rubin
      • Sensitive Data or Employment Requests - Michael Beltran

Automation

Corporate Security (CorpSec) Support

As GitLab has grown organically, several departments and functional groups have their own System Administrators (“Tech Stack App/System Owners”) who handle day-to-day management of the tech stack applications specific to that department or functional group, within the framework of organization-wide compliance, infrastructure, and security best practices. Each tech stack application at GitLab has a System Owner who is the DRI for the implementation and day-to-day operational support for the team members that use that application (in their department or functional group). This has the added benefit of preventing the traditional IT department from being a bottleneck and allows each department to self-service, in line with GitLab’s efficiency for the right group subvalue.

CorpSec Direction

Thank you for your interest in the direction of Corporate Security. See the internal handbook for our direction and roadmap with OKRs.

CorpSec Engineering

The Engineering team members are organized functionally based on the category of tech stack applications that we manage.

System Owners

Each functional team is listed with the systems it owns, its managers (EM = Engineering Manager, PM = Program Manager, Staff = Staff Engineer), and its engineers.

  • (Corporate) SaaS Engineering
    • Systems: 1Password, GitLab.com IAM Policies, Google Apps, Google Calendar, Google Drive, Google Groups, Google Mail, Google Users, Google Workspace (Org), Nira, Okta Applications, Okta Groups, Okta Users, Okta Workflows, Service Accounts, Slack, Zoom
    • Managers: EM David Zhu, EM Eric Rubin, PM Kim Waters, Staff Mark Loveless
    • Engineers: Adam Huss, Clayton Shank, Erik Lentz, Jacob Waters, Justin Bisutti, Marcus Whitaker, Mohammed Al Kobaisy, Zack Hardie
  • Device Trust Engineering
    • Systems: DriveStrike, Jamf MDM, Mobile Devices, NordLayer VPN, Okta Verify, SentinelOne EDR, Software Updates, YubiKey
    • Managers: EM Eric Rubin, PM Kim Waters, Staff Mark Loveless
    • Engineers: Adam Huss, Clayton Shank, Justin Bisutti, Zack Hardie
  • Identity Engineering
    • Systems: ABAC and RBAC, AuthN and AuthZ Policies, Identity Governance (IGA), No Code Automation, Onboarding, Offboarding, Role Entitlements
    • Managers: EM David Zhu, PM Kim Waters, Staff Jeff Martin
    • Engineers: Erik Lentz, Jacob Waters, Marcus Whitaker, Mohammed Al Kobaisy
  • Infrastructure Engineering
    • Related: Infrastructure Services
    • Systems: AWS, Azure, DNS, Domain Names, Google Cloud, Tech Debt Cleanup, Teleport Bastion
    • Managers: EM (Acting) Jeff Martin, PM Kim Waters, Staff Jeff Martin
    • Engineers: Mohammed Al Kobaisy, Vlad Stoianovici
  • Platform Engineering (Self-Service Internal Provisioning Software)
    • Related: Demo Systems, Sandbox Cloud
    • Systems: Access Check (accesschk), Access Control (accessctl), Demo Systems (gitlabdemo.com/cloud), HackyStack, Provisionesta Open Source Packages, Systems Administration Handbook, Training Systems (trainingctl), (Corporate) Terraform Config Mgmt
    • Managers: Staff Jeff Martin
    • Engineers: Jeff Martin, AJ Romaniello (People Ops), Byron Boots (Sec Assurance), James Sandlin (Sec Assurance), Jacob Waters (CorpSec Identity), Logan Stucker (Demo), Scott Cosentino (Training)

CorpSec Services

This is a placeholder page. Please see the links below for any child pages that exist.

CorpSec Systems and Tech Stack

The Corporate Security department provides configuration management engineering and tech support helpdesk services for team members and temporary service providers (aka contractors, vendors, etc.) for the company-wide systems that we manage. The systems directory provides a list of all of our systems with quick reference links to administration runbooks, end user documentation, issue templates, mentionable groups, and tags that are used in GitLab epics, issues, and merge requests.

CorpSec Team Directory

The Corporate Security department provides tech support helpdesk services for team members and temporary service providers (aka contractors, vendors, etc.), and configuration management engineering for the company-wide systems that we manage.

Team Directory

Each team member is listed with their identity details (region and handles, where published), their CorpSec roles, and the GitLab group tags used to mention them.

  • Adam Huss
    • Identity: AMER, ahuss, @adamhuss
    • Roles: corpsec_eng_device_trust, corpsec_eng_saas
    • Group Tags: @gitlab-com/gl-security/corp/device, @gitlab-com/gl-security/corp/saas
  • Alex Krusiec
    • Identity: AMER, akrusiec, @akrusiec
    • Roles: corpsec_svc_helpdesk
    • Group Tags: @gitlab-com/gl-security/corp/helpdesk
  • Bruno Ferreira
    • Roles: corpsec_svc_helpdesk
    • Group Tags: @gitlab-com/gl-security/corp/helpdesk
  • Clayton Shank
    • Roles: corpsec_eng_device_trust, corpsec_eng_saas
    • Group Tags: @gitlab-com/gl-security/corp/device, @gitlab-com/gl-security/corp/saas
  • David Zhu
    • Identity: AMER, dzhu, @dzhu-gl
    • Roles: corpsec_eng_identity, corpsec_eng_platform, corpsec_eng_saas, corpsec_mgr_eng
    • Group Tags: @gitlab-com/gl-security/corp/identity, @gitlab-com/gl-security/corp/managers, @gitlab-com/gl-security/corp/code, @gitlab-com/gl-security/corp/saas
  • Eric Rubin
    • Identity: AMER, erubin, @ericrubin
    • Roles: corpsec_eng_device_trust, corpsec_eng_saas, corpsec_mgr_eng
    • Group Tags: @gitlab-com/gl-security/corp/device, @gitlab-com/gl-security/corp/managers, @gitlab-com/gl-security/corp/saas
  • Erik Lentz
    • Identity: AMER, elentz, @eriklentz
    • Roles: corpsec_eng_identity, corpsec_eng_saas
    • Group Tags: @gitlab-com/gl-security/corp/identity, @gitlab-com/gl-security/corp/saas
  • Eoghan Dunne
    • Roles: corpsec_svc_helpdesk
    • Group Tags: @gitlab-com/gl-security/corp/helpdesk
  • Jacob Waters
    • Roles: corpsec_eng_identity, corpsec_eng_platform, corpsec_eng_saas
    • Group Tags: @gitlab-com/gl-security/corp/identity, @gitlab-com/gl-security/corp/code, @gitlab-com/gl-security/corp/saas
  • Jeff Ford
    • Identity: AMER, jford, @jeffford_
    • Roles: corpsec_svc_helpdesk
    • Group Tags: @gitlab-com/gl-security/corp/helpdesk
  • Jeff Martin
    • Roles: corpsec_eng_identity, corpsec_eng_infra, corpsec_eng_platform, corpsec_mgr_program, corpsec_svc_infra
    • Group Tags: @gitlab-com/gl-security/corp/identity, @gitlab-com/gl-security/corp/infra, @gitlab-com/gl-security/corp/code
  • Jenny Wong
    • Identity: AMER, jwong, @jwong6
    • Roles: corpsec_svc_helpdesk
    • Group Tags: @gitlab-com/gl-security/corp/helpdesk
  • Justin Bisutti
    • Roles: corpsec_eng_device_trust, corpsec_eng_saas
    • Group Tags: @gitlab-com/gl-security/corp/device, @gitlab-com/gl-security/corp/saas
  • Kim Waters
    • Identity: AMER, kwaters, @kimwaters
    • Roles: corpsec_mgr_program
    • Group Tags: N/A
  • Marcus Whitaker
    • Identity: AMER, mwhitaker, @mwhitaker
    • Roles: corpsec_eng_identity, corpsec_eng_saas
    • Group Tags: @gitlab-com/gl-security/corp/identity, @gitlab-com/gl-security/corp/saas
  • Mark Loveless
    • Identity: AMER, mloveless, @mloveless
    • Roles: corpsec_eng_device, corpsec_eng_saas, corpsec_mgr_program
    • Group Tags: @gitlab-com/gl-security/corp/device, @gitlab-com/gl-security/corp/saas
  • Maximillian Hirata
    • Roles: corpsec_svc_helpdesk
    • Group Tags: @gitlab-com/gl-security/corp/helpdesk
  • Mic Rohr
    • Identity: AMER, mrohr, @mic_rohr
    • Roles: corpsec_svc_helpdesk, corpsec_svc_logistics
    • Group Tags: @gitlab-com/gl-security/corp/helpdesk, @gitlab-com/gl-security/corp/logistics
  • Michael Beltran
    • Identity: AMER, mbeltran, @mbeee
    • Roles: corpsec_mgr_svc, corpsec_svc_helpdesk, corpsec_svc_logistics
    • Group Tags: @gitlab-com/gl-security/corp/helpdesk, @gitlab-com/gl-security/corp/logistics, @gitlab-com/gl-security/corp/managers
  • Mohammed Al Kobaisy
    • Roles: corpsec_eng_identity, corpsec_eng_infra, corpsec_eng_platform, corpsec_eng_saas, corpsec_svc_infra
    • Group Tags: @gitlab-com/gl-security/corp/identity, @gitlab-com/gl-security/corp/infra, @gitlab-com/gl-security/corp/code, @gitlab-com/gl-security/corp/saas
  • Steve Ladgrove
    • Identity: JAPAC, sladgrove, @sladgrove
    • Roles: corpsec_svc_helpdesk
    • Group Tags: @gitlab-com/gl-security/corp/helpdesk
  • Steve Manzuik
    • Identity: AMER, smanzuik, @smanzuik
    • Roles: corpsec_dir, corpsec_mgr_program
    • Group Tags: @gitlab-com/gl-security/corp/managers
  • Vlad Stoianovici
    • Identity: EMEA, vstoianovici, @vlad
    • Roles: corpsec_eng_infra, corpsec_eng_platform, corpsec_svc_infra
    • Group Tags: @gitlab-com/gl-security/corp/infra, @gitlab-com/gl-security/corp/code
  • Zack Hardie
    • Identity: AMER, zhardie, @zhardie1
    • Roles: corpsec_eng_device_trust, corpsec_eng_saas
    • Group Tags: @gitlab-com/gl-security/corp/device, @gitlab-com/gl-security/corp/saas

Functional Org Chart

graph TB

CORPSEC_SVC["<b>Corporate Security (CorpSec)</b><br><i><b>Director:</b> Steve Manzuik</i>"]:::violet

CORPSEC_SVC_HELPDESK["<b>Helpdesk Services</b><br><i><b>Manager:</b> Michael Beltran</i><br><i><b>Analysts:</b> Alex Krusiec (AMER)<br>Bruno Ferreira (EMEA)<br>Eoghan Dunne (EMEA)<br>Jeff Ford (AMER)<br>Jenny Wong (AMER)<br>Max Hirata (JAPAC)<br>Mic Rohr (AMER)<br>Steve Ladgrove (JAPAC)"]:::emerald
CORPSEC_SVC_LOGISTICS["<b>Logistics Services (Laptops)</b><br><i><b>Manager:</b> Michael Beltran</i><br><i><b>Analysts:</b> Mic Rohr</i>"]:::emerald
CORPSEC_SVC_INFRA["<b>Infrastructure Services</b><br><i><b>Program Manager:</b> Jeff Martin</i><br><i><b>Engineers:</b> Mohammed Al Kobaisy (EMEA)<br>Vlad Stoianovici (EMEA)"]:::emerald

CORPSEC_ENG_SAAS["<b>(Corporate) SaaS Engineering</b><br><i><b>Eng Managers:</b> David, Eric</i><br><i><b>Program Manager:</b> Kim Waters</i><br><i><b>Staff Engineer:</b> Mark Loveless</i><br><i><b>Engineers:</b> Adam, Clayton, Erik,<br> Jacob, Justin, Marcus, Mohammed, Zack</i><br><br>1Password<br>GitLab.com IAM Policies<br>Google Drive<br>Google Workspace<br>Nira<br>Okta Configuration<br>Service Accounts<br>Slack<br>Zoom"]:::fuchsia
CORPSEC_ENG_DEVICE["<b>Device Trust Engineering</b><br><i><b>Eng Manager:</b> Eric Rubin</i><br><i><b>Program Manager:</b> Kim Waters</i><br><i><b>Staff Engineer:</b> Mark Loveless</i><br><i><b>Engineers:</b> Adam, Clayton, Justin, Zack</i><br><br>DriveStrike<br>Jamf MDM<br>Mobile Devices<br>NordLayer VPN<br>Okta Verify<br>SentinelOne EDR<br>Software Version Updates<br>YubiKey"]:::fuchsia
CORPSEC_ENG_IDENTITY["<b>Identity Engineering</b><br><i><b>Eng Manager:</b> David Zhu</i><br><i><b>Program Manager:</b> Kim Waters</i><br><i><b>Staff Engineer:</b> Jeff Martin</i><br><i><b>Engineers:</b> Erik, Jacob,<br>Marcus, Mohammed</i><br><br>ABAC and RBAC<br>AuthN and AuthZ Policies<br>Identity Governance (IGA)<br>No Code Automation<br>Onboarding<br>Offboarding<br>Role Entitlements"]:::fuchsia
CORPSEC_ENG_INFRA["<b>Infrastructure Engineering</b><br><i><b>Program Manager:</b> Jeff Martin</i><br><i><b>Engineers:</b> Mohammed, Vlad<br><br>ARs and IAM (AWS/GCP)<br>Amazon Web Services (AWS)<br>Azure<br>Billing and Cost Mgmt<br>Domains and DNS<br>Google Cloud (GCP)<br>Multi-Tenant Org Architecture<br>Sandbox Cloud<br>Secrets Mgmt Platform<br>Tech Debt Cleanup<br>Teleport Bastion"]:::fuchsia
CORPSEC_ENG_PLATFORM["<b>Platform Engineering</b><br><i><b>Program Manager:</b> David Zhu</i><br><i><b>Staff Engineer:</b> Jeff Martin</i><br><i>(+ contributors per project)</i><br><br>accesschk (IAM/RBAC)<br>accessctl (IAM/RBAC)<br>demosys (IAM/RBAC/Infra)<br>hackystack (Infra)<br>provisionesta (API/Auditlog)<br>Systems Handbook<br>trainingctl (Student IAM)<br>Terraform (Config Mgmt)"]:::fuchsia

CORPSEC_SVC --> CORPSEC_SVC_HELPDESK
CORPSEC_SVC --> CORPSEC_SVC_LOGISTICS
CORPSEC_SVC --> CORPSEC_SVC_INFRA
CORPSEC_SVC_HELPDESK <--> CORPSEC_ENG_SAAS
CORPSEC_SVC_HELPDESK <--> CORPSEC_ENG_DEVICE
CORPSEC_SVC_HELPDESK <--> CORPSEC_ENG_IDENTITY
CORPSEC_SVC_LOGISTICS <--> CORPSEC_SVC_HELPDESK
%% CORPSEC_ENG -.- CORPSEC_ENG_SAAS
%% CORPSEC_ENG -.- CORPSEC_ENG_DEVICE
%% CORPSEC_ENG -.- CORPSEC_ENG_IDENTITY
%% CORPSEC_ENG -.- CORPSEC_ENG_INFRA
%% CORPSEC_ENG -.- CORPSEC_ENG_PLATFORM
CORPSEC_SVC_INFRA -.- CORPSEC_ENG_PLATFORM
CORPSEC_ENG_PLATFORM -.- CORPSEC_ENG_IDENTITY
CORPSEC_ENG_PLATFORM -.- CORPSEC_ENG_INFRA
CORPSEC_SVC_INFRA <--> CORPSEC_ENG_INFRA
%% CORPSEC_ENG_IDENTITY -.- CORPSEC_ENG_PLATFORM
%% CORPSEC_ENG_INFRA -.- CORPSEC_ENG_PLATFORM

classDef slate fill:#cbd5e1,stroke:#475569,stroke-width:1px;
classDef red fill:#fca5a5,stroke:#dc2626,stroke-width:1px;
classDef orange fill:#fdba74,stroke:#ea580c,stroke-width:1px;
classDef yellow fill:#fcd34d,stroke:#ca8a04,stroke-width:1px;
classDef emerald fill:#6ee7b7,stroke:#059669,stroke-width:1px;
classDef cyan fill:#67e8f9,stroke:#0891b2,stroke-width:1px;
classDef sky fill:#7dd3fc,stroke:#0284c7,stroke-width:1px;
classDef violet fill:#c4b5fd,stroke:#7c3aed,stroke-width:1px;
classDef fuchsia fill:#f0abfc,stroke:#c026d3,stroke-width:1px;

Manager Org Chart

graph LR

JLEMOS["Josh Lemos<br>CISO"]:::slate
KWATERS["Kim Waters<br>Program Manager"]:::slate
SMANZUIK["Steve Manzuik<br>Sr Director, CorpSec"]:::orange

subgraph "Support Helpdesk (aka End User Services)"
direction TB
AKRUSIEC["Alex Krusiec"]:::emerald
BFERREIRA["Bruno Ferreira"]:::emerald
EDUNNE["Eoghan Dunne"]:::emerald
JFORD["Jeff Ford"]:::emerald
JWONG["Jenny Wong"]:::emerald
MBELTRAN["Michael Beltran<br>Manager"]:::orange
MHIRATA["Max Hirata"]:::emerald
MROHR["Mic Rohr"]:::emerald
SLADGROVE["Steve Ladgrove"]:::emerald
end

subgraph "Device Trust and SaaS Engineering"
MLOVELESS["Mark Loveless<br>Staff Engineer"]:::violet
AHUSS["Adam Huss"]:::fuchsia
CSHANK["Clayton Shank"]:::fuchsia
ERUBIN["Eric Rubin<br>Manager<br>(Device Trust and SaaS)"]:::orange
JBISUTTI["Justin Bisutti"]:::fuchsia
ZHARDIE["Zack Hardie"]:::fuchsia
end

subgraph "Identity, Infrastructure, Platform, and SaaS Engineering"
DZHU["David Zhu<br>Manager<br>(Identity and SaaS)"]:::orange
ELENTZ["Erik Lentz"]:::fuchsia
JWATERS["Jacob Waters"]:::fuchsia
MWHITAKER["Marcus Whitaker"]:::fuchsia
MALKOBAISY["Mohammed Al Kobaisy"]:::fuchsia
VSTOIANOVICI["Vlad Stoianovici"]:::fuchsia
JMARTIN["Jeff Martin<br>Staff Engineer<br>(Infra and Platform)"]:::violet
end

JLEMOS --- SMANZUIK
SMANZUIK --- MBELTRAN
SMANZUIK --- ERUBIN
SMANZUIK --- DZHU
KWATERS -.- SMANZUIK
MLOVELESS -. Device<br>Trust .- ERUBIN

MBELTRAN --- AKRUSIEC
MBELTRAN --- BFERREIRA
MBELTRAN --- EDUNNE
MBELTRAN --- JFORD
MBELTRAN --- JWONG
MBELTRAN --- MHIRATA
MBELTRAN --- MROHR
MBELTRAN --- SLADGROVE

ERUBIN --- AHUSS
ERUBIN --- CSHANK
ERUBIN --- ZHARDIE
ERUBIN --- JBISUTTI

DZHU --- JWATERS
DZHU --- ELENTZ
DZHU --- MWHITAKER
DZHU --- MALKOBAISY
DZHU --- VSTOIANOVICI
JMARTIN --- DZHU
SMANZUIK --- MLOVELESS
SMANZUIK -.- JMARTIN
JMARTIN -. Infrastructure<br>Services .- MALKOBAISY
JMARTIN -. Infrastructure<br>Engineering .- VSTOIANOVICI

classDef slate fill:#cbd5e1,stroke:#475569,stroke-width:1px;
classDef red fill:#fca5a5,stroke:#dc2626,stroke-width:1px;
classDef orange fill:#fdba74,stroke:#ea580c,stroke-width:1px;
classDef yellow fill:#fcd34d,stroke:#ca8a04,stroke-width:1px;
classDef emerald fill:#6ee7b7,stroke:#059669,stroke-width:1px;
classDef cyan fill:#67e8f9,stroke:#0891b2,stroke-width:1px;
classDef sky fill:#7dd3fc,stroke:#0284c7,stroke-width:1px;
classDef violet fill:#c4b5fd,stroke:#7c3aed,stroke-width:1px;
classDef fuchsia fill:#f0abfc,stroke:#c026d3,stroke-width:1px;

How We Work (CorpSec)

We have four approaches to how we work:

  1. Support Helpdesk Services - We provide 24x5 technical support and access requests for team members and temporary service providers (contractors). Please help us prioritize your access request by adding the corpsec-priority::ar-high (same/next day) or corpsec-priority::ar-low (same/next week) label.

  2. Configuration Operations - We handle day-to-day small configuration and change requests (less than an hour of work) for the SaaS systems that CorpSec is responsible for. This also includes escalations from our helpdesk analysts. Please create an issue in our issue tracker with your request and add the corpsec-priority::ops-high (same/next day) or corpsec-priority::ops-low (same/next week) label. You can ask for preliminary guidance in #it_help, and our on-call team members will respond and/or tag an appropriate engineer.

Last modified November 1, 2024: Remove trailing spaces (6f6d0996)