Policy as code a strategic imperative – but scalability remains difficult

Policy as code is becoming ‘integral to the fabric of cloud development’, according to Styra – yet a new survey from the company has shown that alignment, visibility, and consistency remain issues.

The study from the cloud-native authorisation software provider, which surveyed 285 developers and technical decision makers, found that the overwhelming majority (94%) saw policy as code as ‘vital’ for preventative security and compliance at scale. 83% of organisations surveyed said they planned to invest more into policy as code as a solution.

Putting such an operation in place, however, appears easier said than done. More than a third (34%) of respondents said they found friction with a lack of alignment between teams. Other issues included a lack of visibility into authorisation, cited by 31% of those polled, as well as inconsistent or not centralised policy development (29%). Difficulty with meeting security, compliance and auditability requirements was also cited by 29% of respondents.

Policy as code (PaC), where policies – any rule or condition which governs IT operations and processes – are defined, updated, and enforced through code-based automation, enables different stakeholders, from developers to security engineers, to understand those policies. It differs from similar concepts, such as infrastructure as code (IaC), in the breadth of its capabilities.

As Tiexin Guo, senior DevOps consultant at Amazon Web Services, puts it, PaC is a combination of IaC, which treats the content that defines your environments and infrastructure as source code, and DevOps. “PaC can be integrated with IaC to automatically enforce infrastructural policies,” noted Tiexin.

This is where a tool such as the Open Policy Agent (OPA) comes in. OPA uses Rego, a declarative language, in which policies are defined, implemented and enforced across microservices, CI/CD pipelines and API gateways, and in turn applied to platforms such as AWS CloudFormation, Docker and Terraform, among others.
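As an illustration of the IaC integration Tiexin describes, here is an added example of a Rego policy (written for this article, not taken from Styra, the OPA project or the survey) that gates a Terraform plan in a CI/CD pipeline. It assumes the input is the JSON produced by `terraform show -json tfplan`, whose `resource_changes` entries carry a `type`, an `address` and a `change` block with `actions` and `after`; the specific checks (no public S3 ACLs, no SSH open to the internet, a mandatory `owner` tag) and the tag name are the example's own choices. The `import rego.v1` line selects the newer Rego syntax and needs OPA 0.59 or later.

```rego
package terraform.policy

import rego.v1

# Resources the plan will create or update (destroy and no-op are not gated).
changed_resources contains rc if {
    some rc in input.resource_changes
    some action in rc.change.actions
    action in {"create", "update"}
}

# Deny S3 buckets that would be created or updated with a public canned ACL.
deny contains msg if {
    some rc in changed_resources
    rc.type == "aws_s3_bucket"
    rc.change.after.acl in {"public-read", "public-read-write"}
    msg := sprintf("%s: public ACL %q is not allowed", [rc.address, rc.change.after.acl])
}

# Deny security group ingress rules that expose SSH (port 22) to 0.0.0.0/0.
deny contains msg if {
    some rc in changed_resources
    rc.type == "aws_security_group"
    some rule in rc.change.after.ingress
    rule.from_port <= 22
    rule.to_port >= 22
    "0.0.0.0/0" in rule.cidr_blocks
    msg := sprintf("%s: SSH (22) open to 0.0.0.0/0", [rc.address])
}

# Require an 'owner' tag on the resource types we care about (tag name is an assumption).
deny contains msg if {
    some rc in changed_resources
    rc.type in {"aws_s3_bucket", "aws_instance", "aws_security_group"}
    not rc.change.after.tags.owner
    msg := sprintf("%s: missing required tag 'owner'", [rc.address])
}

# The pipeline gate: the plan may be applied only when no rule produced a denial.
default allow := false

allow if count(deny) == 0
```

In a pipeline the plan is exported with `terraform show -json tfplan > plan.json` and evaluated with `opa eval -i plan.json -d policy.rego 'data.terraform.policy.deny'`; a non-empty result lists every violation with the offending resource address, and `data.terraform.policy.allow` gives the single boolean a CI job can fail on. Because the same rules also load into an OPA server or Gatekeeper, the policy text, not a per-tool configuration, becomes the shared artefact that developers, security engineers and auditors review.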

OPA is created and maintained by Styra. The company announced the launch of Enterprise OPA in February, purpose-built for enterprises building new cloud-native applications and managing authorisation with large data sets. While OPA is not the only show in town when it comes to PaC tools – Sentinel by HashiCorp is another example – the survey found almost half of respondents who use PaC (46%) use OPA, or OPA Gatekeeper.

“Policy as code empowers developers and serves as a catalyst for making the contemporary development lifecycle more streamlined and secure,” said Tim Hinrichs, CTO of Styra. “However, as organisations grow, their authorisation needs will scale in complexity with them.

“In order to take the next step in their maturation, organisations need the right resources, technology, and expert guidance to ensure their authorisation platform can keep them secure and compliant while maintaining the developer productivity needed to be competitive in the marketplace,” added Hinrichs.

You can read the full report here (email required).
