Automating policy enforcement is a key component of ensuring development teams are releasing secure applications in today’s fast-paced, cloud-native world. Many DevSecOps teams are achieving this by utilizing policy as code.
According to Tim Hinrichs, co-founder of Styra, policy as code provides a specific, machine-readable file format for policy, which allows developers and security teams to automate more of the compliance process. Traditionally, developers would write code while the company’s compliance requirements were stored somewhere else, likely in a PDF or Word document that was sent along in emails and then manually checked before an application was released. With policy as code, that check can be done automatically.
Not only does this automation reduce the chance for things to accidentally pass through as a result of human error, it can also help reduce the friction between development and security teams.
According to Hinrichs, the relationship between development and security has traditionally been somewhat confrontational: developers are trying to get their work done and their applications released, but at the same time they have to satisfy the security teams.
“It’s becoming more of a partnership because we see more of these security teams providing tools and frameworks that actually make it easier for these developers to get their jobs done, but to do so in a way that meets all the security and compliance and operational requirements that are on those applications … By having the right tooling in place, by having the right frameworks in place, I think in the end it just makes the overall goal of having secure applications easier from an organizational point of view because there’s more collaboration,” said Hinrichs.
In addition to automation, the other benefit policy as code brings is that policies are decoupled from the application. This means policies can be evaluated wherever a developer wants: at the application level, the platform level, in the CI/CD pipeline, etc.
According to Hinrichs, one of the age-old problems companies talk about is that they have an ecosystem of software systems that are wildly different. And within the ecosystem, permissions, authentication, and policy need to be managed across all components.
“Policy as code enables us to finally solve that problem because once you have a first-class file format that allows you to define policies, and those policies can be integrated into all those different software systems, then suddenly you’ve given these enterprises the ability to have a single toolset, a single framework, a simple language for expressing those policies across their stack, and that enables a whole bunch of really powerful capabilities that security loves, that compliance loves, that operations loves,” said Hinrichs.
Hinrichs believes that policy as code is crucial to the success of the cloud-native movement. “The reason I say that is because what is the goal at the end of the day of this cloud native approach to building and running software? For me it’s very simple — it’s that we want an organization to be able to deliver software more quickly than ever before,” said Hinrichs.
When teams are trying to release updates to their code in minutes or days, rather than every few weeks, it becomes all the more important to have portions of the release process automated. With policy as code, developers can automate the security, compliance, and operational checks, rather than waiting for a change management board to perform manual reviews.
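To make the idea concrete, here is an added example of the pattern the article describes: a small policy file that a machine can read, evaluated against a deployment manifest as a CI/CD gate. This is illustrative code written for this page, not Styra's or OPA's implementation (OPA uses the Rego language rather than the JSON rule format assumed here); the rule fields (`path`, `op`, `value`, `severity`), the `evaluate` and `gate` functions, and the sample manifest are all constructed for the example.

```python
"""Minimal policy-as-code evaluator (added example, not Styra/OPA code).

Policies live in a machine-readable file (embedded here as constructed
JSON) and are evaluated against a deployment manifest inside a CI job,
so the compliance check runs on every push instead of in a manual review.
"""
import json

# Constructed policy file: each rule names a dotted path into the manifest,
# an operator, an expected value, a severity, and the message shown to the
# developer when the rule fails. "deny" rules block the build; "warn" rules do not.
POLICY_JSON = """
[
  {"id": "no-root", "path": "spec.securityContext.runAsNonRoot",
   "op": "eq", "value": true, "severity": "deny",
   "msg": "containers must run as a non-root user"},
  {"id": "pinned-image", "path": "spec.image", "op": "not_endswith",
   "value": ":latest", "severity": "deny",
   "msg": "image tag must be pinned, not :latest"},
  {"id": "mem-limit", "path": "spec.resources.limits.memory", "op": "exists",
   "value": null, "severity": "warn",
   "msg": "memory limit should be set"}
]
"""

# Constructed manifest, standing in for what a CI job would hand the checker.
MANIFEST = {
    "name": "payments-api",
    "spec": {
        "image": "registry.example.internal/payments:latest",
        "securityContext": {"runAsNonRoot": False},
        "resources": {"limits": {}},
    },
}

_MISSING = object()  # sentinel distinguishing "absent" from a literal None/False


def lookup(doc, dotted_path):
    """Walk a dotted path through nested dicts; return _MISSING if any key is absent."""
    cur = doc
    for key in dotted_path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return _MISSING
        cur = cur[key]
    return cur


# Operators a rule may use. Each returns True when the rule is satisfied.
OPERATORS = {
    "eq": lambda actual, expected: actual is not _MISSING and actual == expected,
    "exists": lambda actual, _expected: actual is not _MISSING,
    "not_endswith": lambda actual, suffix: isinstance(actual, str)
    and not actual.endswith(suffix),
}


def evaluate(policy_json, manifest):
    """Return the list of rule violations for a manifest under a policy file."""
    violations = []
    for rule in json.loads(policy_json):
        actual = lookup(manifest, rule["path"])
        satisfied = OPERATORS[rule["op"]](actual, rule["value"])
        if not satisfied:
            violations.append({
                "id": rule["id"],
                "severity": rule["severity"],
                "path": rule["path"],
                "actual": None if actual is _MISSING else actual,
                "msg": rule["msg"],
            })
    return violations


def gate(violations):
    """CI gate: the build passes only when no 'deny'-severity violation is present."""
    return not any(v["severity"] == "deny" for v in violations)


if __name__ == "__main__":
    found = evaluate(POLICY_JSON, MANIFEST)
    for v in found:
        print(f"[{v['severity']}] {v['id']}: {v['msg']} "
              f"({v['path']}={v['actual']!r})")
    print("PASS" if gate(found) else "FAIL")
```

Because the rules sit in their own file rather than in application code, the same policy can be evaluated at the pipeline, the platform or the application level, and a developer sees the specific failing path and message immediately on push instead of after a manual review.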
“Developers can write their code, they can push it into a CI/CD pipeline, and now suddenly they’re told immediately there are these security issues or there are these compliance issues or these operational issues,” said Hinrichs. “They can fix those problems and very quickly get to a point where they are not only releasing their code, but releasing secure code as well. So I think it’s inherent in the entire cloud native, it’s crucial for the entire cloud native movement.”