4 Cloud-Native Predictions for 2023

As AuthZ Becomes Mainstream, Policy as Code, Infrastructure as Code and Software Supply Chain Security Will Merge

It’s the holiday season, which means it’s time for the greatest gift of all: next year’s predictions. Last year, we predicted that in 2022 security teams will embrace cloud-native tools to automate manual checks, that enterprises will increasingly shift on-prem resources into the cloud and that we’d see the emergence of a clear authorization market. 

This year, we asked our co-founder and CTO Tim Hinrichs to share his 2023 predictions for the cloud-native and authorization spaces. 

Prediction one: We’ll continue to see the advancement of authorization and policy as code in general. 

In 2022, we saw the authorization and PaC market really solidify. From an analyst perspective, we saw the validation of the Policy-Based Access Management (PBAM) market from KuppingerCole, while GigaOm charted a new landscape of PaC solutions in its Radar Report. Gartner, meanwhile, sees the rise of PaC and Externalized Authorization Management (EAM) in its 2022 Gartner Hype Cycle for Application Security. Of course, we’ve seen dozens of leading organizations vocally embrace policy as code and Open Policy Agent (OPA) in their own deployments, such as those we hosted at Cloud Native Policy Day.

In 2023, we’ll only see those trends continue. Moreover, far from being an emerging technology area, cloud-native authorization will increasingly be accepted as mainstream, if not a core feature of most deployments, as enterprises look to continue to improve security and compliance while accelerating developer velocity. 

Prediction two: Alongside PaC, we’ll see significant growth of Policy as Data. 

The value of policy of code is that you can pull authorization policies out of software, out of wikis, out of tribal knowledge and put it into code. But increasingly, we’ll see more and more emphasis on policy as data. That is, a larger and larger percentage of the decision making for policies will come out of the data — data about user attributes, data about your environment, data about your security posture and the like. As a result, we’ll see more and more tooling, features and policy products that are focused on policy as data and the way that you have to solve for application authorization. 

Prediction three: There will be more and more “hooks” for OPA to work natively in existing software formations. 

We saw this year how companies like AWS and HashiCorp put hooks in place to allow customers to use Open Policy Agent (OPA) within their software — the AWS CloudFormation Hook in the first case and HashiCorp Terraform Cloud Run Tasks in the latter (and in both cases for managing infrastructure as code). Generally speaking, these hooks allow customers to put policy checks or guardrails in place and validate their cloud resource plans against them before releasing them into production — in these cases, before releasing Terraform Plans on Terraform Cloud or provisioning resources in AWS CloudFormation. We’re likely to see large enterprises and cloud providers continue to build this kind of functionality for OPA into their products, given the popularity of OPA as a policy decision point and the need for platform engineering teams to build security, compliance and operational guardrails into their workflows and developer platforms. 

Prediction four: Software supply chain security and infrastructure as code will merge. 

Enterprises are applying the concepts of software supply chain security to everything in their stack. This is not just ensuring the security of individual applications that they’re running on platforms, but applying those same concepts to the platforms underneath the applications. The idea is controlling security across the entire stack — the infrastructure, as well as the components of applications, in a single cogent, holistic way. As a result, software supply chain security policies, infrastructure as code, policy as code — each of these elements will need to come together, and in 2023, they increasingly will. Startups may even start saying that they do software supply chain security, but really, they’re building a framework for building and running applications ± from top to bottom, from platform to application — with a single packaging structure for that. As we’ve learned, there’s enormous power in putting your platform and your applications into these sorts of repositories and having a single way to manage their governing policies.