Codified Security and Compliance with Policy as Code
We’ve recently acquired Magalix, a policy as code security and enforcement engine. Codified policies extend GitOps pipelines with governance, verification, and security. Learn more about policy as code, its benefits, and how it works.
The 16-point Checklist for GitOps Success
Liquid Metal is Here: Supported, Multi-Cluster Kubernetes on micro-VMs and Bare Metal
Level up Security Management with HashiCorp Vault and Flux
In late January, we announced the acquisition of the policy management and enforcement startup, Magalix. Magalix has hundreds of policies in its policy library, ranging from Kubernetes security best practices to compliance to operational best practices.
Since then, we have been working diligently on incorporating policy as code into GitOps pipelines, otherwise known as developer guardrails. Developer guardrails are safety barriers but for software development lifecycles. They are governance rules for security, operations, and compliance to allow for a faster more autonomous development cycle.
This article will walk you through the fundamentals of policy as code, share some background information, and explain some of the benefits organizations can reap by enforcing policy into their development lifecycle.
What Exactly is Policy as Code?
Policy is defined as a set of ideas or plans that are used for making decisions. Handbook-based policy management, whether in large or small organizations, is not practical and often implemented in a non-uniform way. To fully realize the benefits of cloud-native - agility, reliability, efficiency - business leaders must find a way to scale policy governance. Automating security and compliance checks is a good place to start, to avoid the manual processes and security teams oversight that slows things down. As humans remain the weakest link, organizations must take steps to secure cloud-native applications while mitigating risk. According to Gartner, human error and misconfigurations will account for 95% of cyber security incidents.
So how can companies mitigate the risks associated with human errors? How can organizations safely balance innovation with risk? They can do so with embedded security and compliance gaurdrails into their software lifecycles. This is what we call policy as code.
Policy as code is a programmatic approach to applying and enforcing rules (policies) to an organization’s cloud resources. It’s an effective way to uniformly define, maintain, and implement policies across the software development lifecycle.
Business leaders can define these policies, and teams can then codify these policies using some type of programming language such as YAML or Rego. These policies can be defined in a declarative format in the git repo, providing powerful capabilities for change management - version control and fine-grained access control.
Automating security and compliance checks with policy as code will allow teams to detect errors and violations early on in the software lifecycle, i.e. shifting left. Doing so will create developer-centric experiences, security will be built in your system design, and organizations will have security-conscious teams.
Types of Policies
Policies can be classified into three types:
1. Security and compliance policies:
These ensure that security best practices are considered during the development lifecycle, such as the MITRE ATT&CK. Compliance policies ensure the adherence to industry standards and compliance rules such as PCI DSS policies or CIS standards policies.
2. Resilience policies:
These policies include the best practices for deploying applications on Kubernetes, such as configuring health probes to ensure Kubernetes can do its automation correctly.
To ensure and improve the continuity of your business application, you need to make your system highly available and fault-tolerant. This can be done by enforcing specific policies in your Kubernetes clusters, such as verifying that spec’s replicas count is two or greater.
3. Coding Standards:
These policies can be company-mandated policies and checks, helping organizations apply governance standards using a centralized playbook.
For example, a business has a rule that all personally identifiable information (PII) must be encrypted when it’s stored. A policy can be codified into the system which is automatically triggered whenever a developer submits code. If the submitted code violates the policy, the code is automatically rejected.
Benefits of Policy as Code
Find and Fix Errors Early on
The adage “prevention is better than cure” applies not only to physical ailments but also to software defects. Finding and fixing errors early in the software lifecycle is easier, less time-consuming, and cheaper than if detected later. According to IBM Systems Sciences Institute, it can cost 100x more to fix a software defect in production compared to in the design phase.
With the enacted guardrails, developers will have frequent feedback: at commit, build, deploy, and runtime. They will have the autonomy to find and fix any security or compliance issues, and any misconfigurations are caught early on.
Centralized Policy Management
By using a centralized policy management platform, teams can define, enforce, and manage a string of policies through a single interface. Teams no longer have to use different languages, APIs, and various tools to ensure proper governance.
Business leaders and security and compliance teams can craft the policy playbooks according to the necessary business outcomes. These policies are codified once, and enforced everywhere. Teams no longer have to revert to manual handbook-based policy management; everything is automated.
Developer guardrails provide faster feedback, through actionable and self-servicing alerts. By doing so, everybody wins. Developers will have the autonomy they need to move fast and security will have time to scale their expertise and knowledge. And business leaders will rest assured that security best practices are baked into their CI/CD systems.
Mitigate Risk - Reduce Human Error
Research suggests that 95% of cloud security incidents are due to human error. By shifting security and compliance left through automated checks, by enforcing security best practices, you mitigate risk associated with human error.
Historically, security teams have been viewed as gatekeepers. Their focus on the threat landscape has slowed down or hindered speedy code delivery. In contrast, the DevOps teams are operations-oriented. Speed and agility are their number one priority. They have been at odds with their conflicting goals, slowing down the development process.
Organizations can speed up development and eliminate silos between security and DevOps teams with the codified security and compliance guardrails. Now, security and compliance are everyone’s priorities.
Implementing policy as code is not a one-time activity. Any newly introduced code and every CI/CD pipeline iteration can trigger policy violation. With guardrails enacted across the software pipeline, you prevent and detect any new violations from taking place.
Policy in Action: How it Works
Organizations can write their own policies using any of the available open-source tools or use a policy as code enforcement engine like the Magalix platform (now part of Weaveworks).
1. Create your Policy Playbooks
The first step of incorporating policy as code into your DevOps pipelines is to create the policies. These policies can be based on organizational best practices, compliance standards, or security frameworks.
2. Codify your Policies
The next step would be to codify them: write the policies in a high-level language such as Python, Yaml, or Rego. The language you choose depends on the policy enforcement engine or platform you’re using. At Weaveworks, our policies are written in Rego and are built off the OPA engine.
The created policies can be vetted and approved by the teams concerned, such as security, compliance, team leads,..etc.
3. Integrate Policies into your CI/CD Pipelines
By using our policy enforcement engine, you can enforce the policies into your CI/CD pipelines and prevent violating changes from being deployed. The engine will continuously monitor assets and configurations for any violations at every stage of the software lifecycle.
- Commit Time: here, the agent will scan the infrastructure as code (IaC) templates before committing to the repo, flag any violations, and auto-remediate any violations (where applicable).
- Build time: we call the policies here “misconfiguration guardrails.” The guardrails will block the build if any violating changes are discovered.
- Deploy time: the policy agent will prevent any deployment, manual or automatic, from being introduced to a Kubernetes cluster if the deployment artifact violates any policies. The developer will receive immediate feedback explaining why the deployment was blocked.
- Run time: the agent will continuously scan the Kubernetes runtime for Policy violations and identify any violations related to industry and region-based regulations. The administrator will have visibility against the current status of a policy against running artifacts.
4. Understand your Cloud Security and Compliance Posture Analytics
In addition to preventing violating changes from being deployed, the policy engine regularly scans your cloud-native assets and generates compliance reports covering all security policies, standards, and best practices.
With Weaveworks, you will have access to 2 types of reports:
- Tactical reports that will drive engineers to take immediate actions to fix any security/governance issues, such as discovered data protection violations
- Compliance reports will show you the trends and compliance status, such as your progression towards PCI-DSS, HIPAA, SOC, etc.
Policy Management for Trusted Application Delivery
GitOps adoption is on the rise as DevOps teams look for new ways to accelerate development time frames. GitOps helps centralize and automate many of the developer's activities. Integrating policy into the GitOps pipelines will allow errors and security vulnerabilities to be caught automatically before they make it into production. This is what we call Trusted Application Delivery -
GitOps coupled with a policy enforcement engine.
For more information around trusted delivery and its benefits, check out this article: Trusted Delivery: Policy as Code Integrated into GitOps Workflows.
Policy as code is now available through Weave GitOps. Book a demo to learn more about policy capabilities and how it fits with GitOps.Book a demo