tl;dr
Policy as Code is, in my opinion, a logical future, and the evidence base for its value is growing. The challenge of making machine-speed decisions whilst enforcing policies of every type is becoming evident as we deal with technology, security, legislation and regulation.
From the continuous integration and continuous delivery pipelines that deploy code and systems, through to letting researchers stand up resources dynamically, the waterfront we contest is increasingly large and dynamic. Each of these problems, and numerous others, comes with policies we need adherence to.
Below I take a quick canter through where it began, where it is today and the opportunity ahead of us.
Where it all began
Jason Chan from Netflix and his 2015 presentation titled Splitting the Check on Compliance and Security is as inspirational today as it always has been.
He showed the way and opened the door, but there was a piece of the puzzle yet to be invented.
Hashicorp and THAT Strangeloop Presentation
In 2017 Policy as Code was an emergent concept. My first exposure came through Strangeloop in 2017, in a presentation by Armon Dadgar about Sentinel (not the Microsoft product) as used with Terraform to enforce security policy.
This video is great for so many reasons, not least for how it articulates the value, which in summary is:
Versioning
Automation
Documentation
Each of these provides value in itself, but combined they become a superpower: because the policy is machine readable it can also be augmented with the likes of static analysis to find defects before anything is deployed.
They then followed up this presentation with this one:
Another excellent presentation from the same conference, by Jearvon Dharrie of Comcast, covers the practical value of a policy-as-code world. Jearvon's presentation shows how Infrastructure as Code coupled with Policy as Code creates a real reduction in security/developer friction, increasing business agility while arguably being as secure as the old way of doing things, if not more so.
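To make the "versioned, automated, machine readable" point concrete, here is an added example (mine, not code from the post, from HashiCorp's Sentinel or from either talk) of a minimal policy-as-code gate run over a Terraform plan. It reads the `resource_changes` structure that `terraform show -json tfplan` emits, but the plan below is constructed by hand for illustration; the policy IDs, the `advisory`/`mandatory` enforcement split (loosely modelled on Sentinel's enforcement levels) and the checks themselves are assumptions chosen for the example.

```python
"""Minimal policy-as-code gate for a Terraform plan (added example, not
from the original post or any vendor tooling). Policies are plain Python
data so they can live in source control beside the infrastructure code."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample mirroring the `terraform show -json` layout
# (resource_changes[].change.actions / .after). Not from a real environment.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "corp-logs", "acl": "private",
                              "tags": {"owner": "platform", "data-class": "internal"}}}},
        {"address": "aws_s3_bucket.share", "type": "aws_s3_bucket",
         "change": {"actions": ["create"],
                    "after": {"bucket": "corp-share", "acl": "public-read",
                              "tags": {"owner": "research"}}}},
        {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
         "change": {"actions": ["create"],
                    "after": {"type": "ingress", "protocol": "tcp",
                              "from_port": 22, "to_port": 22,
                              "cidr_blocks": ["0.0.0.0/0"]}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ],
}

@dataclass(frozen=True)
class Policy:
    id: str
    resource_type: str
    enforcement: str                  # "advisory" (warn) or "mandatory" (block)
    check: Callable[[dict], bool]     # True when the planned resource complies
    message: str

def bucket_acl_not_public(after: dict) -> bool:
    return after.get("acl", "private") not in ("public-read", "public-read-write")

def bucket_has_required_tags(after: dict) -> bool:
    return {"owner", "data-class"} <= set(after.get("tags") or {})

def no_world_open_ssh(after: dict) -> bool:
    """Reject ingress rules exposing 22/tcp to 0.0.0.0/0 or ::/0, including
    the all-protocols/all-ports form (protocol "-1") that implicitly covers 22."""
    if after.get("type") != "ingress":
        return True
    all_ports = after.get("protocol") in ("-1", "all")
    covers_22 = all_ports or after.get("from_port", 0) <= 22 <= after.get("to_port", 0)
    cidrs = set(after.get("cidr_blocks") or []) | set(after.get("ipv6_cidr_blocks") or [])
    return not (covers_22 and cidrs & {"0.0.0.0/0", "::/0"})

# Illustrative policy set (IDs and wording are assumptions for this example).
POLICIES = [
    Policy("S3-001", "aws_s3_bucket", "mandatory", bucket_acl_not_public,
           "bucket ACL grants public access"),
    Policy("TAG-001", "aws_s3_bucket", "advisory", bucket_has_required_tags,
           "missing required owner/data-class tags"),
    Policy("NET-001", "aws_security_group_rule", "mandatory", no_world_open_ssh,
           "SSH (22/tcp) open to the world"),
]

def evaluate(plan: dict, policies=POLICIES) -> dict:
    """Return every violation plus a pass/fail decision; only mandatory
    violations block the run, advisory ones are reported for review."""
    violations = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if "create" not in actions and "update" not in actions:
            continue  # deletes and no-ops have no desired state to check
        after = rc["change"].get("after") or {}
        for p in policies:
            if p.resource_type == rc["type"] and not p.check(after):
                violations.append({"policy": p.id, "address": rc["address"],
                                   "enforcement": p.enforcement, "message": p.message})
    decision = "fail" if any(v["enforcement"] == "mandatory" for v in violations) else "pass"
    return {"decision": decision, "violations": violations}

if __name__ == "__main__":
    report = evaluate(SAMPLE_PLAN)
    for v in report["violations"]:
        print(f'[{v["enforcement"]:9}] {v["policy"]} {v["address"]}: {v["message"]}')
    print("decision:", report["decision"])
    raise SystemExit(1 if report["decision"] == "fail" else 0)
```

Wired in as a pipeline step between `terraform plan` and `terraform apply`, the non-zero exit on a mandatory violation is what turns the policy from a document into a gate, and because the checks are ordinary code they can be unit tested and reviewed like any other change.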
Microsoft Azure Resource Manager and Bicep
Where Hashicorp pioneered, Microsoft has naturally followed. They introduced Bicep, which they describe as follows (in short: Infrastructure as Code):
Bicep is a Domain Specific Language (DSL) for deploying Azure resources declaratively. It aims to drastically simplify the authoring experience with a cleaner syntax, improved type safety, and better support for modularity and code re-use.
Specifically it builds on Azure Resource Manager (ARM) templates:
Bicep is a transparent abstraction over ARM and ARM templates, which means anything that can be done in an ARM Template can be done in Bicep (outside of temporary known limitations)
Jesse Loudon has been showing the world how to use Bicep and Terraform to apply Azure Policy as Code:
Azure Policy as Code is the combination of IaC (Infrastructure as Code) and DevOps ensuring governance at scale is shifted away from click-ops and after-hours support towards a codified, policy-driven strategy
At the practical end he has released Bicep and Terraform code examples implementing policy-as-code workflows that provide Azure governance guardrails and automation.
Microsoft's own documentation takes the same line:
Two of the predominant approaches to managing systems at scale in the cloud are:
Infrastructure as Code: The practice of treating the content that defines your environments, everything from Azure Resource Manager templates (ARM templates) to Azure Policy definitions to Azure Blueprints, as source code.
DevOps: The union of people, process, and products to enable continuous delivery of value to our end users.
Azure Policy as Code is the combination of these ideas. Essentially, keep your policy definitions in source control and whenever a change is made, test, and validate that change. However, that shouldn't be the extent of policy's involvement with Infrastructure as Code or DevOps.
Amazon AWS and Blended Policies
Amazon has taken it a step further with worked examples showing how you can ensure adherence to policies of various kinds, not just security ones.
Alongside Cloud Custodian and Open Policy Agent they publish further examples, such as Compliance as Code for Amazon ECS using Open Policy Agent, Amazon EventBridge, and AWS Lambda.
When it clicks together you get something truly magical.
Closing
Policy-as-code is really only getting started, in part because of the arrival of cloud and DevOps. Hashicorp's Terraform / Sentinel combination, along with Microsoft's and Amazon's responses, are here today and providing a lot of value to the organisations that deploy them.
But there is a larger opportunity in applying Policy-as-Code to other challenges. These might, for example, include data ingress and egress, especially where mountains of compliance obligations apply.
We can foresee a world of YAML-powered policy engines, their policies held in source control, facilitating real-time decision making and compliance.
Finally… if you liked this you might also like the weekly Cyber Defence news substack