The Benefits of Policy as Code
Styra is a company built to reinvent policy and authorization for cloud-native development. Accordingly, part of their focus is Policy as Code, “The best way to understand it is the idea of taking software engineering best practices and applying them to policy, authorization, and the controls that govern who can do what or what can do what inside of your systems,” explains Torin Sandall, VP of Open Source at Styra.
As to the benefits of Policy as Code, Sandall makes it very clear when he says, “We’re getting to the point where it’s not possible to manage policy and authorization security manually anymore.” Sandall points to the fact that the old-school method of keeping track of rules in a spreadsheet, PDF, or Wiki, and hoping they get enforced, doesn’t work or scale in today’s landscape. Those older methods also can’t keep up with all of the options developers have access to. Today’s trends call for a new method of managing policy and authorization in larger organizations.
The big problem with modern technology is that with the ability to develop and deploy so quickly, the risk is that you might not have all the security and access controls in place that are necessary in a modern environment. According to Sandall, “When you start handing over control of compute, network, and storage resources to a wide range of people, and they’re no longer being managed by a core group of operation staff that know how to set everything just right, you open yourself up to a lot of risk.”
Sandall also brings up how today’s admins and developers can implement controls that work for now. But what happens when those threats evolve? What happens when the requirements change? At that point, Sandall says, “The controls that have been implemented are out of date.”
Sandall offers a few tips for implementing Policy as Code. The first is that you need to follow a three-step process of ‘crawl, walk, run’. “Take a look at Open Policy Agent (OPA) and see how it could be mapped to your problem space, because often it can, and often, it provides a very good solution,” adds Sandall.
“And then, once you build up some conflict and once you build up some confidence around Open Policy Agent for that problem space, you’ll probably start to see other areas where it can be applied,” he continues.
Sandall also mentions that people should follow a gradual adoption path. And with hundreds of possible teams working on hundreds of services, it’s important to adopt a new approach, which is exactly what Open Policy Agent was designed for.
Video summary was written by Jack Wallen