Skip to main content

The Importance of Policy as Code in Your Compliance Strategy 

0 mins read

What is policy as code?

Policies are one key way that organizations ensure software is high quality, easy to use, and secure. Manual reviews are one method to check software is compliant, but they are time-consuming, error-prone, and impossible to scale. Policy as code (PaC) automates this decision-making process by codifying and enforcing policies. It can be used to automate validation procedures to control and manage infrastructure.

How does policy as code work?

Policy as code allows teams to automate the policy decision-making process by codifying them using a high-level declarative language. A policy as code tool sits beside the systems or applications that are being monitored and simulates the policy-checking decisions that previously would have required manual checks.

Policy as code tools require three inputs to output a decision:

  • Policy: Code that models the decision-making process used to determine whether a software release is compliant. This could include a set of conditions around application quality, performance, ease of use, security, and more.

  • Data: Information about a service, a Kubernetes configuration, a CI/CD tool, among others.

  • Query input: Triggers the decision-making process based on the policy and data.

Common policy as code tools include Open Policy Agent (OPA) and HashiCorp Sentinel, which use the Rego and Sentinel languages respectively. OPA is generic, while Sentinel only works with other Hashicorp products such as Terraform.

OPA uses the Rego language to encode policies and runs as a service. Relevant data is fed into OPA’s document store in JSON format, and OPA returns a query result based on the data and policies.

Policy as code use cases

Infrastructure provisioning

Policy as code is used to automate policy checks around security, operations, and compliance.

Authorization and access control for API’s

For enforcing policies relating to the authorization of a service. Policy enforcement platforms can be used for CI/CD pipelines, Kubernetes, cloud platforms, and more.

Kubernetes controls

Kubernetes offers features and access controls to create secure clusters, but it lacks built-in security. Policy as code enables engineers and developers to implement and enforce controls in different Kubernetes resources like pods, nodes, and clusters.

Compliance and auditing

Organization, industry, and government standards such as HIPAA and PCI often require numerous stipulations around networking, data storage, and computing. Policy as code gives a natural way to codify these stipulations and move them early into the development process. Decision logs showing the policy, input, and query results enable auditing of policy decisions.

Benefits of using policy as code

Since policy as code codifies policies in text files, it enables software development best practices for policy management and enforcement. This includes version control management, continuous integration, automated testing, and continuous deployment.

Policy as code has several advantages over manual policy checks:

Faster and more efficient deployments

Policy as code enables sharing and enforcing policies at scale, which is much more efficient than manually applying policies. The ability to automate leads to faster operations. Engineers can uncover errors or instances of noncompliance early in the software development cycle, improving software delivery.

Automated testing, governance, and approvals

It’s easy to automate policy testing using CI/CD tools, making it possible to identify vulnerabilities and policy violations and ensure policies are met before deployment. Policies themselves can be set through a GUI and then tested using a pull request workflow to ensure they maintain system behavior before merging.

More reliable and secure applications

Relying on engineers to manually check hundreds of applications inevitably results in mistakes arising from human error and different interpretations of policies. Policy as code allows consistent policy enforcement throughout the development lifecycle. The ability to group policies into sets further helps manage and enforce policies.

Sandboxing

Policy as code provides guardrails for sandboxes, which is a way to isolate applications from each other, to prevent dangerous behavior. The level of automation around sandboxes makes manual verification impractical, so policy as code is critical for securely implementing sandboxes.

Collaboration

Having a systematic way to write and manage policies fosters collaboration within and across teams. For instance, developers and security teams can work together to ensure a release complies with expectations. Furthermore, policy as code reduces the need for developers to go back and forth with policymakers to obtain approval for each new release. Developers can use the policy as code tool to automatically verify and remediate code.

Infrastructure provisioning

Policy as code can be used to write and enforce policies around infrastructure authorization and utilization, such as policies aimed at efficient infrastructure usage and enforcing firewalls. This means companies can take advantage of cloud or hybrid infrastructure while improving their security and compliance posture.

Better version control

Storing policies as text files brings the benefits of version control management to policy management. To update policies, engineers only need to modify existing code, and with version control they can revert to an earlier version in the event a new policy creates a problem. Other team members can then easily detect when one or more policies have changed.

Codified policies with comment explanations

All stakeholders can understand the background information and logic behind a policy by reviewing code. Commenting functionalities eliminate the need to contact engineers or security teams.

Policy as code versus infrastructure as code

Modern ecosystems encompass a variety of tools and deployment models, including software as a service (SaaS), public and private clouds, on-premises infrastructure, virtual machines, and containers.

Enterprises rely on multiple cloud providers, each with its own security programs, and use a variety of orchestration and management tools to provision resources. It requires expertise to integrate all these components so they can communicate, ensure patches are up to date and detect and remediate vulnerabilities.

Reviewing, approving, and auditing changes to infrastructure is time-consuming and results in delays between proposing and implementing changes. There is also a cost element around licenses, hardware, and vendors, so meeting operating demands in an efficient way is a key challenge.

Infrastructure as code has emerged as a way to automate the process of provisioning infrastructure using code. Policy as code bridges infrastructure as code and DevOps. It has a much wider range of use cases that can be applied throughout the development lifecycle encompassing security, compliance, data management, and more.

Policy as code tools need to support multiple platforms and integrations, limit access to authorized users, and grant access on a least-privilege basis. Policies define boundaries, using allowlisting, blocklisting, or a combination, and monitor infrastructure to assess compliance across clouds and throughout the infrastructure lifecycle.

Learn more about policy as code

Tools like OPA are a simple way to apply PaC to security or other IT domains. Snyk Infrastructure as Code (Snyk IaC) leverages OPA to do its policy scanning within the CI/CD pipeline. You can add your own custom rules to your scans with a few simple commands. Check out the Snyk IaC documentation as well as our article, Developing custom IaC rules with Snyk, to get started.

Up Next

From Control to Collaboration: Democratizing Security

The industry is still building security based on an outdated model. Where enterprises used to purchase, issue and manage the means of computing, now we need to distribute security to mobile users globally. How do we adapt?

Keep reading