Operationalizing Cloud Security with Policy-as-Code
Provisioning and maintaining large, complex cloud environments led to infrastructure-as-code (IaC), which made the process scalable and repeatable. The need to validate that those environments adhere to industry compliance standards and internal policies led in turn to policy-as-code (PaC).
While IaC did precede PaC for cloud configuration, doing IaC is not a prerequisite for using PaC. Cloud teams typically provision and modify infrastructure through a mix of methods (IaC, consoles, CLIs, scripts), and they need one common way to validate that the result does not violate policy or contain dangerous misconfigurations, regardless of how it got there.
Policy-as-code is critical for cloud security because manual audits cannot keep cloud infrastructure free of misconfiguration. No human can memorize thousands of rules and apply them consistently to environments that typically involve thousands of resources and tens of thousands of configuration attributes.
Policy-as-code lets engineers check the security and compliance of their cloud infrastructure quickly and get feedback on violations. Because the policies are code, they can be version-controlled, peer-reviewed and audited, and they can be evaluated against cloud environments frequently and continuously, which is necessary given how fast those environments change.
Policy-as-code is not unlike the programming languages we use every day to develop software. Just as a programming language expresses logic as code, policy-as-code expresses your required security posture as code. Compilers, interpreters and test suites give developers fast feedback on whether their code is correct; policy-as-code evaluations give developers the same kind of feedback on whether their cloud infrastructure adheres to policy.
With policy-as-code, everyone is on the same page and speaking the same language when it comes to security. And policy-as-code makes it possible to “Shift Left” on cloud security by enabling developers to check their dev environments and infrastructure-as-code for issues early in the software development life cycle and make cloud security a part of CI/CD pipelines to prevent deploying misconfigurations.
There are policy-as-code options available for cloud infrastructure security, but many are proprietary, closed-source offerings from cloud security vendors. These are incompatible with other policy frameworks your organization may be using, and you are unlikely to be able to extend them to your own specific use cases.
An open-source option available to cloud teams is Open Policy Agent (OPA), which provides significant flexibility for implementing cloud security policy. The Cloud Native Computing Foundation (CNCF) accepted OPA as a hosted project in April 2019.
OPA evaluates policies written in its Rego language against arbitrary JSON input, which makes it powerful and flexible for a wide range of cloud use cases, from simple attribute checks to sophisticated cross-resource rules. One example is Regula, a tool that uses OPA to evaluate Terraform infrastructure-as-code. There is a robust OPA ecosystem and community, and it is easier to find engineers who already know OPA than to staff a proprietary policy language.
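To make the "any JSON input" point concrete, here is an added example of a Rego policy run directly by OPA against the JSON that `terraform show -json plan.out` produces; it is written for this page and is not code from the original post, from Regula or from the OPA project. It assumes OPA 0.59 or later (for the `rego.v1` syntax), the attribute names used by the Terraform AWS provider for `aws_s3_bucket` and `aws_security_group`, and a constructed plan fragment embedded as `sample_plan` so the file runs offline with `opa test policy.rego`. It also assumes the resources of interest live in the root module; child modules would need a walk of `child_modules`.

```rego
package terraform.policy

import rego.v1

# Every planned resource in the root module (assumption: no child modules).
planned_resources contains r if {
    some r in input.planned_values.root_module.resources
}

# Rule 1: deny S3 buckets whose legacy `acl` attribute grants public access.
# If the bucket has no `acl` attribute (newer provider versions move it to
# aws_s3_bucket_acl), the reference is undefined and the rule simply does not fire.
deny contains msg if {
    some r in planned_resources
    r.type == "aws_s3_bucket"
    r.values.acl in {"public-read", "public-read-write"}
    msg := sprintf("%s: ACL %q grants public access", [r.address, r.values.acl])
}

# Rule 2: deny security groups that expose SSH (tcp/22) to the whole internet.
deny contains msg if {
    some r in planned_resources
    r.type == "aws_security_group"
    some rule in r.values.ingress
    "0.0.0.0/0" in rule.cidr_blocks
    covers_ssh(rule)
    msg := sprintf("%s: SSH (22) reachable from 0.0.0.0/0", [r.address])
}

# A rule covers port 22 if it allows all protocols (-1) or its port range includes 22.
# Without the first clause an "all traffic" rule (from_port 0, to_port 0) would be missed.
covers_ssh(rule) if rule.protocol == "-1"
covers_ssh(rule) if {
    rule.from_port <= 22
    rule.to_port >= 22
}

# Constructed plan fragment (not real output from any project) mimicking the
# planned_values section of `terraform show -json`. Two of the three resources violate policy.
sample_plan := {"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "values": {"bucket": "logs", "acl": "public-read"}},
    {"address": "aws_security_group.ssh", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket",
     "values": {"bucket": "private", "acl": "private"}},
]}}}

# `opa test policy.rego` runs this; it expects exactly the two violations above.
test_public_bucket_and_open_ssh_denied if {
    count(deny) == 2 with input as sample_plan
}
```

Against a real plan the same file is evaluated with `terraform show -json plan.out > plan.json` followed by `opa eval -i plan.json -d policy.rego "data.terraform.policy.deny"`; a non-empty `deny` set is what a CI job fails on. The policy never touches the Terraform HCL itself, only the JSON plan, which is why the same approach extends to any other JSON-producing source (a cloud API inventory, a Kubernetes manifest, a CloudFormation template converted to JSON).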
You can learn more about Open Policy Agent here and about Regula here.