Cloud security fundamentals part 4: Align and automate with policy as code

November 3, 2022

Security policies are still awaiting digital transformation.

A key phrase in today’s cloud-driven world, “digital transformation” generally refers to the ongoing work of digitizing formerly paper-based processes. “Paper,” however, is not literal — many processes don’t use paper, but still flow as if they were. Uploading a document to Google Drive, in other words, doesn’t amount to digital transformation.

In this sense, IT security policies still have a long way to go. In many companies, security teams codify security policies into handbooks, PDFs, and checklists, and enforce written policies manually. But manual work, reliant on human reinforcement and human follow-through, is vulnerable to mistakes.

A security policy can be strict and comprehensive on paper, but lenient and limited in practice. When error-prone processes such as these are scaled to the cloud, the risks can be immense.

It doesn’t have to be this way. By using policy as code (PaC), companies can create and reinforce security policies that scale.

User education is stressful and difficult to scale

A common mantra in the security industry is that “the human is always the weakest link.” With humans as a common point of vulnerability, security teams have had to work on educating end users about behaviors that will keep them and the company more secure. This education can range from simple (use strong passwords instead of weak ones) to more complex (design cloud environments without misconfigurations that open the company to attack).

Educating users, however — even technical ones — is not easy. According to ESG research, 38% of cybersecurity professionals report that the most stressful part of their jobs is getting users to understand cybersecurity risks and change their behavior as a result.

This isn’t to say that users don’t care about security. Rather, it suggests that the demands of any user’s job might tempt them to take easier paths, such as writing a password on a sticky note or skimming security policy documents while building an environment. It’s less about not caring and more about bandwidth.

The gap between a priority and a preference is wide, and it reveals that manual reinforcement of security policies is neither a scalable nor sustainable strategy.

Policy as code is objective and automatic

PaC is a scalable solution to a problem that’s already reached a massive size.

Cloud environments can often contain hundreds of thousands of resources and even vaster amounts of configurations. No one human can memorize or reinforce all of the associated security rules — especially when the environment is constantly changing. And even when a given policy is captured and recorded, the user on the other end might still ignore or misinterpret it. In addition, written policies often contain some amount of ambiguity, and cloud use cases vary considerably. So it's often left up to engineers to figure out how policies should apply to what they're building.

PaC leverages the programmability of the cloud by making cloud security programmable too. With PaC, security teams can express security and compliance rules in languages that applications can read and automatically validate. In cloud environments, PaC can check other code, both at the application and infrastructure levels, for non-compliant conditions.

With PaC, security teams can create a single source of truth that is clear, objective, and easy to interpret. This truth creates alignment across teams, and with that alignment comes speed (due to both automation and mutual understanding). This ensures that development teams don’t need to sacrifice speed for the sake of security or vice versa.

Security teams as policy vendors

Security teams using PaC to create and reinforce security policies can shift their roles from enforcers to maintainers. Instead of manually writing policies and educating users on how and why to follow them, security teams can become domain experts who maintain PaC libraries, transmit best practices, and ensure follow-through.

PaC, however, is not a panacea, and security teams will benefit from keeping three things in mind as they implement it:

  1. Use a PaC framework that works across the software development lifecycle (SDLC). Using different frameworks at different stages leads to disagreement and security gaps.

  2. Don’t use proprietary PaC products. PaC offerings from vendors often lack the flexibility enterprises need for their specific use cases. Open source is usually the best option when implementing PaC.

  3. If you don’t have access to cloud compliance experts, use pre-built libraries that compliance experts have already developed and distributed. This way, you can interpret sometimes ambiguous controls, apply the controls to your specific use case, and express them in PaC.

With these three factors in mind, PaC becomes a tool security teams can implement well.
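As an added illustration of two points above, that PaC can check both infrastructure and application configuration for non-compliant conditions and that one policy library should serve every stage of the SDLC, here is a small policy-as-code evaluator. It is example code written for this page, not Snyk's code and not any particular PaC framework. The resource shapes, resource names, policy ids and the two inventories are all constructed for the example; the same registered checks run once against a pre-deploy plan and once against a runtime inventory.

```python
"""Minimal policy-as-code evaluator.

Added example, not code from Snyk or from any PaC framework. Each policy is a
plain Python function registered in one table, so the same library is the
single source of truth for a pre-deploy infrastructure plan and for a runtime
inventory. Resource shapes, names and policy ids are all constructed here."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Violation:
    policy_id: str
    resource: str
    message: str


# policy id -> (resource type it applies to, check returning a message or None)
POLICIES: Dict[str, Tuple[str, Callable[[dict], Optional[str]]]] = {}


def policy(policy_id: str, resource_type: str):
    """Decorator that registers a check in the shared policy table."""
    def register(fn: Callable[[dict], Optional[str]]):
        POLICIES[policy_id] = (resource_type, fn)
        return fn
    return register


# Infrastructure-level policies
@policy("STORAGE-001", "storage_bucket")
def bucket_not_public(res: dict) -> Optional[str]:
    return "bucket allows public access" if res.get("public_access") else None


@policy("NET-001", "security_group")
def no_admin_ports_open_to_world(res: dict) -> Optional[str]:
    for rule in res.get("ingress", []):
        if rule.get("cidr") == "0.0.0.0/0" and rule.get("port") in (22, 3389):
            return f"port {rule['port']} reachable from 0.0.0.0/0"
    return None


# Application-level policies
@policy("APP-001", "container")
def container_not_root(res: dict) -> Optional[str]:
    # A missing run_as_user is treated as the root default and flagged.
    return "container runs as uid 0" if res.get("run_as_user", 0) == 0 else None


@policy("APP-002", "app_config")
def debug_disabled(res: dict) -> Optional[str]:
    return "debug mode enabled" if res.get("debug") is True else None


def evaluate(resources: List[dict]) -> List[Violation]:
    """Run every registered policy against every resource of the matching type."""
    findings: List[Violation] = []
    for res in resources:
        for policy_id, (resource_type, check) in POLICIES.items():
            if res.get("type") != resource_type:
                continue
            message = check(res)
            if message is not None:
                findings.append(Violation(policy_id, res["name"], message))
    return findings


def gate(resources: List[dict]) -> bool:
    """Pipeline gate: True when the input is compliant, False when it should block."""
    return not evaluate(resources)


# Constructed inputs: an IaC plan reviewed before deploy, and a runtime inventory
# pulled afterwards. Same policy table, two stages of the SDLC.
PLAN = [
    {"type": "storage_bucket", "name": "logs", "public_access": True},
    {"type": "security_group", "name": "bastion-sg",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}]},
    {"type": "container", "name": "api", "run_as_user": 1000},
    {"type": "app_config", "name": "api-settings", "debug": True},
]

RUNTIME = [
    {"type": "storage_bucket", "name": "logs", "public_access": False},
    {"type": "security_group", "name": "bastion-sg",
     "ingress": [{"cidr": "10.0.0.0/8", "port": 22}]},
    {"type": "container", "name": "api", "run_as_user": 0},
    {"type": "app_config", "name": "api-settings", "debug": False},
]

if __name__ == "__main__":
    for stage, resources in (("plan", PLAN), ("runtime", RUNTIME)):
        print(f"[{stage}] compliant={gate(resources)}")
        for v in evaluate(resources):
            print(f"  {v.policy_id} {v.resource}: {v.message}")
```

The point of the registry is that a finding reads the same whether it comes from a pull request check, a pre-deploy plan, or a scheduled scan of what is actually running: the policy id, not the stage, is the thing both security and development teams refer to. Real PaC frameworks express the same idea in a dedicated policy language rather than Python functions, but the evaluation shape (typed resources in, labelled violations out, a boolean gate for automation) is what carries across.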

Only code can scale to the cloud

Scalability is the key to cloud security. The cloud is simply too complex — too large and too disparate — for manual, human effort to be effective. Only code can scale up to meet the demands of the cloud while also providing the granularity security policies need.
