In-built infrastructure security advantage with policy as code

Tim Smith is Product Manager for Chef at Progress. Tim is a passionate open source advocate with over a decade of direct involvement in open source projects and communities.


It is impossible to discuss where DevOps trends are heading without mentioning policy as code: writing code in a high-level language to manage and automate policies in the development process.

In an ever-evolving regulatory landscape, organisations simply don’t have the right technology or resources to scale their security and compliance efforts. Policy as code provides the much-needed agility to address regulations or standards as they emerge. This means that new compliance checks can easily be programmed and shared with the community, allowing both organisational and industry collaboration.

What is policy as code?

To clarify, policy as code is an extension of the infrastructure as code movement, which has been implemented in DevOps circles over the last ten years. Now is the time for policy as code to come into its own, to break out of its niche DevOps territory and into the mainstream technology remit. A greater understanding of what it actually is, and the real challenges it solves, will enable policy as code to be embraced to its full potential.

Policy as code originated from the principles of Test-Driven Development, where users first define the business case, or "desired state", in code. Applying these principles to infrastructure, the desired state is expressed as code and used to test any change to the infrastructure. With the rapid growth of app production, this kind of pre-launch testing is vital for organisations.

The software development life-cycle is under pressure to deliver products to market more rapidly. Often this means that compliance and security fall by the wayside and policies end up being enforced manually, which causes development delays. Embedding policy as code in the early stages of development ensures that every change from that point onwards is validated. Risks that would otherwise surface later in production can be eliminated, minimising disruption and giving greater business confidence.
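As an added example (not from the article, and not Chef InSpec code, although the control shape is similar), here is the idea in plain Ruby: the desired state is declared as a set of controls in code, evaluated against a constructed sample of an observed system state, and the result is a pass/fail status that a pipeline step can gate on.

```ruby
# Added example: policy declared as code and evaluated against captured state.
# Not the article's code and not Chef InSpec; the control shape is similar.

# Constructed sample of the "observed" state a pipeline step might collect.
OBSERVED_STATE = {
  "sshd" => { "PermitRootLogin" => "yes", "PasswordAuthentication" => "no" },
  "open_ports" => [22, 80, 8080]
}.freeze

# A control is the desired state for one concern, expressed as code:
# an id, a human-readable description and a predicate over the state.
Control = Struct.new(:id, :desc, :check)

POLICY = [
  Control.new("ssh-01", "root login over SSH is disabled",
              ->(s) { s["sshd"]["PermitRootLogin"] == "no" }),
  Control.new("ssh-02", "password authentication over SSH is disabled",
              ->(s) { s["sshd"]["PasswordAuthentication"] == "no" }),
  Control.new("net-01", "only approved ports (22, 80, 443) are open",
              ->(s) { (s["open_ports"] - [22, 80, 443]).empty? })
].freeze

# Evaluate every control and return { id => true/false }. A check that raises
# (for example a key missing from the captured state) is reported as a
# failure rather than aborting the run, so drift is never silently skipped.
def evaluate(policy, state)
  policy.each_with_object({}) do |c, results|
    results[c.id] = begin
      c.check.call(state) == true
    rescue StandardError
      false
    end
  end
end

# Ids of the controls that failed, in policy order.
def failed_controls(policy, state)
  evaluate(policy, state).reject { |_, ok| ok }.keys
end

# Exit status a CI step would return: 0 lets the deploy proceed, 1 blocks it.
def gate_status(policy, state)
  failed_controls(policy, state).empty? ? 0 : 1
end

failed = failed_controls(POLICY, OBSERVED_STATE)
POLICY.each do |c|
  puts "#{failed.include?(c.id) ? 'FAIL' : 'PASS'} #{c.id}: #{c.desc}"
end
puts "gate status: #{gate_status(POLICY, OBSERVED_STATE)}" # CI would exit with this
```

With the sample state, ssh-01 and net-01 fail (root login permitted, port 8080 open), so the gate status is 1 and the pipeline stops before the change reaches production.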

Why do we need it?

There are some key external factors and trends that make policy as code imperative in our growing digital industry. The compliance and regulatory landscape is growing in complexity for organisations across all industry sectors. Organisations don't always have access to the technology or resources needed to ensure that security and compliance grow with the business. The beauty of policy as code is that it delivers the flexibility required to comply with regulations and standards as they appear. It enables compliance checks to be programmed and shared with the community, and allows the organisation to collaborate with the wider industry.

The automation that policy as code offers brings significant advantages. Most importantly, it delivers business resilience, as it goes beyond compliance and minimises disruptions; it also presents specific opportunities in terms of security.

DevOps teams rely on automated pipelines to reliably build and deploy code for a production environment. Manually updating policy is something that developers will do anything to avoid. By adopting policy as code, teams can establish security barriers within these pipelines to prevent major incidents later on in production. As environments and regulations become increasingly complex and distributed, organisations are investing in policy as code to gain a significant business advantage.

Which industries will benefit the most from adopting policy as code?

All organisations, regardless of industry, will benefit from adopting policy as code. We only need to look to the high-profile ransomware attacks across industries, which are a testament to this need. For instance, in May 2021 the Colonial Pipeline paid hackers $4.4 million in cryptocurrency after a hack that created gas shortages across the East Coast. Later that month, JBS paid an $11 million ransom in Bitcoin in response to a ransomware attack that halted operations of its US meat supply.

Any change made to a system outside of a pipeline introduces risk, and such systems must then be constantly validated to make sure "rogue" activity has not happened and that they remain in the desired state. This is vital for organisations needing to manage hundreds of different devices within complex hybrid architectures, including governmental bodies, banking, insurance, healthcare and energy organisations.

There are some key considerations to make before deciding to implement policy as code. Despite their very different goals, senior developers, security strategists and IT strategists should collaborate with the CIO or CTO to ensure policy as code has mutually beneficial objectives for all parties.

While developers focus on time to launch, IT/Ops work to maintain system continuity and minimise outages, and security focuses on the organisation's vulnerabilities and risks. Policy as code builds security into the development lifecycle and opens up the lines of communication between these all too often disparate parties, so they can collaborate and help each other where they can.

Most importantly, organisations need to combine their teams to deliver effective compliance management. Through building compliance into all systems and applications, all teams in development – IT/Ops, security and compliance – have equal involvement in testing across all stages of the application deployment cycle.

With environments and regulations gaining in complexity, and the growing pace of innovation, policy as code can give systems in-built security. This avoids the need to repeat development processes for new apps. There is no doubt that, by ensuring automated policy compliance, policy as code generates significant operational efficiencies.
