Accelerating Innovation with Policy as Code
Adoption of infrastructure as code automation continues to gain momentum, but integrating security into developer workflows still poses challenges to most organizations.
In this highly competitive technology landscape, speed to market is critical, which means that security cannot be a source of friction towards innovation. Modern security teams must provide solutions that integrate into existing developer workflows, and the way to achieve that is through the adoption of policy as code.
The term policy as code refers to high-level code to manage and automate policy definition. The policies may be internal security controls for how infrastructure must be configured or specific controls set by compliance frameworks such as PCI, SOC 2, or HIPAA.
Each control is written as an automated attestation designed to run as part of the software development lifecycle, as opposed to a traditional computer security policy captured in a document meant to be evaluated by humans. Policy as code contains both the documentation and rationale for the policy and the automated tests that make assertions about the assets it validates.
First, we should preface this by stating that infrastructure as code and policy as code are both GREAT but serve different purposes, which is why you need them both. Whereas infrastructure as code is automation that takes action to change the state of infrastructure, policy as code is used to validate that infrastructure complies with a given policy.
As policies change within your organization, you can develop new policies or update existing ones, and deploy them across your environments before making any changes. This iterative approach allows you to understand how your infrastructure measures against the policy, and then use infrastructure as code to change the state of the infrastructure to bring it in line with the policy.
The results derived from running policy as code can be provided to auditors as proof of meeting requirements during a compliance audit, making painful, manual audits a thing of the past.
Additionally, results can be used more proactively, for example to stop a software build that does not adhere to the policy, or to prevent a deployment that does not meet security requirements from reaching production. A more passive approach to this pattern is for a failing policy to trigger notifications to the appropriate response teams for further investigation, or even to trigger an end-to-end automation workflow that remediates the violation.
Policy as code has many benefits for organizations that adopt it.
When implementing any kind of automation, DevOps, or DevSecOps practice, the biggest challenges arise not from technology, but from the cultural divide between the people and teams responsible for its implementation.
As not all security engineers write code, and not all software developers understand security and compliance, policy as code gives these two groups an opportunity to collaborate on producing policies and to reduce the friction caused by traditional manual policy audit processes. This shared work fosters better cross-team connections and overall empathy within the organization.
The term “shift left” is all about running code and tests as far left as possible, where risk is lower and the cost of a failure does not carry the impact that a failure in production does.
With policy as code, developers can catch security issues in the earliest stages of development. Policies can be executed locally on the developer’s workstation before changes are pushed to GitHub or GitLab. Next, changes get tested in a pipeline that ensures coding and execution standards are met and, using policy as code, that a secure and high-quality product is delivered.
Developers can catch issues before they ever reach production environments. Finally, even with strong pipelines, there is always the possibility that something goes wrong in production. Using policy as code, these deployments can be monitored and validated as well.
"The Only Constant in Life Is Change"
One thing is certain: policies will change. When policies are written as code, they can (and should) be stored in a version control system such as GitHub or GitLab.
The policies live alongside the codebase they provide guardrails for. As GitHub and GitLab are meant for collaborative software development, both developers and security teams can iterate on policies, providing an audit trail of who changed what, why the change happened, and when it happened. All of this change is captured in Git history and versioned over time.
When a security policy exists as a traditional document, it is not easily adapted to the different environments it is meant to govern without creating multiple versions of the policy. For example, it might be acceptable to rotate API keys every 90 days in one environment but require rotation every 30 days in another, high-security environment.
Policy as code makes this easy by providing parameters that can be treated just like variables in software development. A parameter may carry a default value, but that value can be set differently per environment, allowing the same policy to be used everywhere while being customized to each environment's requirements.
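As an added illustration, and not Mondoo's code or MQL, here is a small Python sketch of the ideas above: a control that bundles its title, rationale and automated check, a `max_key_age_days` parameter that defaults to 90 days and is overridden to 30 days for a "high-security" environment, and a result list that a pipeline can use as a gate. The asset inventory, dates, policy id and all function names are constructed for this example.

```python
"""Policy-as-code sketch: a parameterized, documented control evaluated against
constructed inventory data, with results usable as a pipeline gate.
Example code written for this page, not Mondoo's own implementation."""
from dataclasses import dataclass
from datetime import date
from typing import Callable

# Fixed evaluation date so the example is deterministic (constructed value).
AS_OF = date(2024, 6, 1)

# Constructed inventory: the kind of asset data a scanner would collect.
ASSETS = [
    {"name": "prod-deploy", "type": "api_key", "created": date(2024, 4, 1)},   # 61 days old
    {"name": "ci-runner",   "type": "api_key", "created": date(2024, 2, 1)},   # 121 days old
    {"name": "staging-ci",  "type": "api_key", "created": date(2024, 5, 15)},  # 17 days old
]


@dataclass(frozen=True)
class Policy:
    """A control carrying its documentation, its rationale and its automated test."""
    id: str
    title: str
    rationale: str
    defaults: dict                                   # tunable parameters with default values
    check: Callable[[dict, dict], tuple[bool, str]]  # (asset, params) -> (passed, detail)


@dataclass(frozen=True)
class Result:
    policy_id: str
    asset: str
    passed: bool
    detail: str


def key_rotation_check(asset: dict, params: dict) -> tuple[bool, str]:
    """Pass when the key is no older than the configured limit."""
    age = (AS_OF - asset["created"]).days
    limit = params["max_key_age_days"]
    return age <= limit, f"{asset['name']} is {age} days old (limit {limit})"


# Hypothetical policy id and wording; the rationale travels with the test.
API_KEY_ROTATION = Policy(
    id="sec-keys-001",
    title="API keys are rotated regularly",
    rationale="Long-lived credentials widen the window in which a leaked key stays usable.",
    defaults={"max_key_age_days": 90},
    check=key_rotation_check,
)

# Per-environment parameter overrides: the same policy, a stricter value where needed.
ENVIRONMENT_OVERRIDES = {
    "default": {},
    "high-security": {"max_key_age_days": 30},
}


def evaluate(policy: Policy, assets: list, environment: str = "default") -> list:
    """Run one policy over every api_key asset, merging defaults with the environment's overrides."""
    params = {**policy.defaults, **ENVIRONMENT_OVERRIDES.get(environment, {})}
    results = []
    for asset in assets:
        if asset["type"] != "api_key":
            continue
        passed, detail = policy.check(asset, params)
        results.append(Result(policy.id, asset["name"], passed, detail))
    return results


def failing_assets(results: list) -> list:
    """Names of assets that violated the policy, in inventory order."""
    return [r.asset for r in results if not r.passed]


def pipeline_gate(results: list) -> bool:
    """True when every asset passed; a CI job would exit non-zero otherwise."""
    return not failing_assets(results)


if __name__ == "__main__":
    for env in ENVIRONMENT_OVERRIDES:
        results = evaluate(API_KEY_ROTATION, ASSETS, env)
        print(f"[{env}] {API_KEY_ROTATION.title}: gate={'PASS' if pipeline_gate(results) else 'FAIL'}")
        for r in results:
            print(f"  {'ok  ' if r.passed else 'FAIL'} {r.detail}")
```

With the default parameters only the 121-day-old `ci-runner` key fails; under the high-security override the 61-day-old `prod-deploy` key fails as well, without any change to the policy itself. The same `Result` records could be archived as audit evidence or routed to a notification workflow instead of failing the build.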
Mondoo is built upon years of experience working with companies around the world to help them automate security and integrate it into the software development lifecycle. As the creators of Chef InSpec, co-founders of DORA, and creators of dev-sec.io, we have been at the forefront of the policy as code movement since the very beginning and have learned through hands-on experience what does and does not work.
We understand that policy as code is not just for testing cloud environments, but for all of the critical infrastructure you depend on to run your business, including public cloud (AWS, GCP, Azure), private cloud (VMware), SaaS products, Kubernetes, containers, servers and endpoints, and more.
Mondoo Query Language (MQL) is an exciting new approach for developing policy as code because it is a lightweight, ultra-fast query language purpose-built for searching and filtering infrastructure configuration data and making assertions about it. The language is built on data querying principles found in GraphQL combined with lightweight scripting.
Furthermore, Mondoo comes with an ever-growing library of certified policies as code that are ready to be deployed at scale across your environment, providing value in minutes rather than weeks, months, or even years.
If you have not yet done so, sign up for a free Mondoo account and start your journey today!