Policy as Code
What is Policy as Code?
Policy as Code is a general term that often refers to writing code in a high-level declarative language which describes policies. The purpose of Policy as Code is to codify policy definitions in software, which allows for consistent, automated assessment of policy compliance in modern software development practices such as version control, automated testing and automated deployment. It also enables development, operations, and security teams to verify and enforce policies, either within specific clusters or across the entire organization. Policy as Code eliminates the need for manual decisions with regard to identifying and verifying problems in infrastructure before deployment. Doing so removes human error, increases efficiency at the organizational level, allows for a large number of policies or changes, and protects systems from threats and disruptions.
How Policy as Code Works
Policy as Code provides a user-friendly way to make decisions while testing a service. It relies on three elements in order to make those decisions. The first is the policy itself: the coded logic that models the decision-making process and identifies which parts of configurations are relevant. Second is the data, which describes what compliance looks like – the valid values for compliant configurations. Finally, the query submits a specific configuration to be evaluated for compliance with the policy. That configuration may be pulled from a service, application, environment, or configuration file. After policies and data have been established, they must be enforced. But trying to accomplish this manually in the face of constantly changing software is onerous and impractical. With Policy as Code, the policy engine is integrated into automated processes which provide queries as source code changes. This triggers the decision process based on the aforementioned policy and data, thereby automating compliance checks based on your defined policies. The end result is a determination of whether the query (and hence, the source code) is in compliance and adheres to the standards established in the Policy as Code.
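The three elements above (policy, data, query) as a minimal, runnable policy engine. This is an added illustration, not code from the original page or any particular policy tool; the resource fields, the compliance values and the sample configurations are all constructed for the example.

```python
# Added example (not from the original page): a tiny policy engine built from the
# three elements the text describes: policy (decision logic), data (what a
# compliant configuration looks like) and query (a configuration to evaluate).
from dataclasses import dataclass, field

# DATA: the valid values for a compliant configuration. Constructed sample values,
# not drawn from any real compliance standard.
COMPLIANCE_DATA = {
    "allowed_regions": {"eu-west-1", "eu-central-1"},
    "require_encryption": True,
    "max_public_ingress_rules": 0,
}


@dataclass
class Decision:
    compliant: bool
    violations: list = field(default_factory=list)


# POLICY: coded logic that says which parts of the configuration are relevant
# and how they are compared against the data.
def storage_policy(config: dict, data: dict) -> Decision:
    violations = []
    region = config.get("region")
    if region not in data["allowed_regions"]:
        violations.append(f"region {region!r} is not an allowed region")
    if data["require_encryption"] and not config.get("encrypted", False):
        violations.append("encryption at rest is not enabled")
    public_rules = [r for r in config.get("ingress", []) if r.get("cidr") == "0.0.0.0/0"]
    if len(public_rules) > data["max_public_ingress_rules"]:
        violations.append(f"{len(public_rules)} ingress rule(s) open to 0.0.0.0/0")
    return Decision(compliant=not violations, violations=violations)


# QUERY: a specific configuration (as a pipeline would read it from a config file)
# is submitted for evaluation; the result is the compliance determination.
def evaluate(config: dict, policy=storage_policy, data=COMPLIANCE_DATA) -> Decision:
    return policy(config, data)


# Constructed sample queries, as a CI step would submit them before deployment.
COMPLIANT_CONFIG = {"name": "logs", "region": "eu-west-1", "encrypted": True, "ingress": []}
NONCOMPLIANT_CONFIG = {"name": "web", "region": "us-east-1", "encrypted": False,
                       "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]}

if __name__ == "__main__":
    for cfg in (COMPLIANT_CONFIG, NONCOMPLIANT_CONFIG):
        d = evaluate(cfg)
        print(cfg["name"], "compliant" if d.compliant else "BLOCKED:", *d.violations)
```

In a pipeline the non-compliant decision would fail the job, which is the "test before deployment" gate described later on this page.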
Benefits of Using Policy as Code
Policy as Code enables development teams to identify errors and compliance violations quickly and early in the software development process. Because the Policy as Code is stored with the rest of the source code, it provides unambiguous documentation of the compliance criteria and enables consistent evaluation of compliance throughout the software lifecycle in manual and automated processes. Specific benefits include:
Relying on a separate GUI or command line tool to enforce policies defined elsewhere is not ideal because you lose the correlation between the policies (and versions) you want to enforce and the policies that are actually enforced. With Policy as Code, policies are stored as simple text files managed by a version control system, which provides pull requests, change history, and more. This also allows team members to easily determine whether a policy has changed.
Storing policies in source code files enables automation through integration with CI/CD tools. This provides visibility and control over cloud environments to quickly identify vulnerabilities and violations in the same processes used to build and deploy the system. Automation ensures consistency and a documented history of compliance.
Policy as Code fits into proactive and reactive governance controls, enforcing infrastructure policies in pipelines and runtime, and augmenting visibility. These proactive controls ensure the system remains in compliance, and reactive controls ensure any violations are recognized and documented in case of audit.
Test Before Deployment
Unlike web consoles, which rely on live or ephemeral systems for testing, Policy as Code policies can be run prior to a resource being provisioned, and noncompliant resources blocked from being created or modified by the policy. Testing before deployment can be applied to an entire stack or to specific resources to ensure the infrastructure is validated in advance, which saves time and money.
Realize Cost Savings
Policy as Code can be utilized to create rules that prevent under- or over-utilization of specific resources, as well as identify areas of waste, all of which creates a more efficient, cost-effective infrastructure. It also ensures teams are able to focus on mission-critical projects rather than on labor-intensive manual processes. Policy as Code also reduces variation in infrastructure, which reduces the attack surface and, by extension, maintenance costs.
Manage Best Practices
Policy as Code can be used to group similar policies into policy sets aligned to specific compliance standards or scenarios instead of managing them individually. Doing so facilitates consistent enforcement of best practices across development, testing and production in an efficient and seamless manner.