
What is policy-as-code?

Rowan Udell
September 12, 2024

Policy-as-Code (PaC) is an innovative approach to managing and enforcing organizational policies. By treating policies as code, organizations can automate policy enforcement, improve consistency, and integrate security and compliance measures directly into their IT infrastructure and processes. This approach not only enhances security and compliance but also aligns with modern DevOps and agile methodologies, fostering a more responsive and adaptable approach to security.

Security policies

Traditional policies represent the rules and guidelines that a business has decided to follow with regard to the standards and requirements for its own activities and those of its employees. The exact policies vary between organizations, and are often driven by the sensitivity of the data customers entrust to them, their compliance obligations, and the risk appetite and profile of the business.

Some example policies in a security context might be “all data must be encrypted in transit and at rest”, “all access to production resources needs approval”, or “if you’re on-call, you can access these resources automatically”. Related to security, policies might be driven by compliance requirements such as GDPR, PCI, or other industry-specific frameworks. Beyond security, policies can also represent financial or operational controls, such as limiting which resources can be provisioned in order to reduce costs, or which cloud regions can be used in order to protect data sovereignty.

Traditional policy challenges

PaC represents an evolution in the maturity of applying, managing, and verifying policies in a way that scales without compromising security. Because of the criticality of what security policies cover, and the potential impact if they are not applied, it is important that they are followed to the level that is expected.

Before PaC, policies had to be manually communicated, implemented, and verified. This could be an involved, resource-intensive, and error-prone process, especially in a modern cloud-based environment! Even in systems that supported defining your organization’s policies, they usually required manual implementation that could not be easily tracked, versioned, or verified. The situation was not helped by the fact that in larger organizations, policies could change independently over time or for different teams, to the point where they became contradictory, making it impossible to adhere to all the relevant policies at once.

Benefits of treating policies as code

Treating policies as code means we can benefit from decades of software development learnings. Techniques that improve the quality of our code now apply to our policies too, such as test-driven development, linting (static analysis for consistency and common issues), and source code management (for example, version control with git).

By codifying policies in a sensible format, policies are made explicit and visible. This makes them less ambiguous and allows them to be reviewed separately from the system that enforces them. It also allows policies to be centralized, which directly helps ensure consistency and facilitates security approaches such as “trust, but verify”, which let development teams move fast while still maintaining their security.

Beyond software development practices, PaC also enables modern software delivery and automation techniques such as DevOps and the related DevSecOps, both of which rely on Continuous Integration and Continuous Delivery (CI/CD) pipelines to streamline and speed up delivery without sacrificing security.

permit (
    principal,
    action == Access::Action::"Request",
    resource
);

A sample Cedar policy that allows all principals to make requests for access in CommonFate.
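As an added example (not from the original post and not Common Fate's own policy set), the two access policies quoted earlier, “all access to production resources needs approval” and “if you’re on-call, you can access these resources automatically”, written in the same Cedar syntax. The `resource.environment` attribute, the `context.approved` flag and the `Access::Group::"on-call"` group are assumed names; only `Access::Action::"Request"` comes from the post.

```cedar
// Assumptions (hypothetical, not Common Fate's schema): the resource carries
// an `environment` attribute, the request context carries an `approved`
// boolean once a reviewer has signed off, and on-call engineers are members
// of the `Access::Group::"on-call"` group.

// Baseline: everyone may request access (the post's sample policy).
@id("anyone-can-request")
permit (
    principal,
    action == Access::Action::"Request",
    resource
);

// Production is the exception. In Cedar any matching forbid overrides every
// permit, so this single policy enforces "production needs approval" while
// carving out the on-call path. Requests with no matching permit are denied
// by default, so nothing here widens access beyond the baseline above.
@id("production-requires-approval-unless-on-call")
forbid (
    principal,
    action == Access::Action::"Request",
    resource
)
when { resource.environment == "production" }
unless {
    principal in Access::Group::"on-call" ||
    (context has approved && context.approved == true)
};
```

Because the forbid is explicit and separate from the permit, a reviewer can read the production rule on its own, and the Cedar CLI's `validate` and `authorize` subcommands can check a file like this in a CI pipeline against a schema and a set of sample requests, which is the linting and testing the post describes.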

It’s common to compare PaC to Infrastructure-as-Code (IaC), but keep in mind that it operates at a different level. Frequently PaC is applied to IaC, so that infrastructure definitions and deployments meet the policies of the organization. By combining PaC and IaC, security is no longer a limiting factor when deploying infrastructure and applications in the cloud.

In an increasingly digital world, the “everything-as-code” approach is rising in popularity due to the benefits it affords. Treating more security capabilities as code enables security to “shift left” and be addressed sooner during software and system development, rather than being tacked on as an afterthought. This means teams improve their ability to deliver software safely without giving up velocity. Like other “as code” approaches, PaC requires application and business owners to define their needs and requirements up front, which ultimately improves security in the long term.

Integrating legacy systems is also a common stumbling point for organizations adopting PaC, and while there are no magic solutions, teams that practice good security at any level get better at security overall.

The challenge associated with these benefits is the increased learning curve now put on engineers. Developers need to be more aware of security, and security teams need to be more comfortable reading and writing code.

Summary

PaC represents a transformative approach to security and compliance in modern IT environments. By treating policies as code, organizations can automate enforcement, improve consistency, and integrate security seamlessly into their development processes. While challenges exist, the benefits of PaC - including enhanced visibility, agility, and alignment with DevOps practices - make it a key tool for building resilient, secure systems.
