What is Unified Policy as Code, and Why Do You Need It?
By: Tim Hinrichs
Uptime.
Reliability.
Efficiency.
These used to be perks, elements of forward-thinking and premium-level enterprises. Now they’re a baseline expectation.
Today, consumers expect information, resources, and services to be available on-demand, updated in real time, and accessible without fuss. Imagine trying to Google something or place an order from Amazon only to be told, “Please try again in 48 hours. Sorry for the inconvenience.”
These drivers have pushed enterprises to adopt the cloud and cloud-native architectures because the cloud facilitates uptime, reliability, and efficiency. In the containerized world, discrete components can be created, changed, and updated independently without affecting other components. Now, if one part of the code crashes, it doesn’t bring down the rest of the code.
Bottom line: Everyone can order prescriptions, shop shoes, pay bills, and generally do whatever they need, whenever they need to do it.
Adopting a well-managed cloud-native architecture also means that:
- Small problems stay small.
- Updates can be made in real time without taking everything offline.
- Scaling (both up and down) can happen on an as-needed basis without having to scale massive codebases.
- Multi-tenancy is made easy.
- Deployments are more efficient and cost-effective.
- Monthly bills stay predictable and manageable because you never pay for more power or network than you need.
This is all made possible thanks to automation, which is made possible because of a shift to “everything as code.” This doesn’t mean the cloud replaces people; it simply lets them get back to doing what they do best. No human can monitor and scale services fast enough to meet the needs of a Cyber Monday, global news phenomenon, trending streaming series, or the Next Big Thing.
However, if you automate without security and compliance top of mind, you still have manual processes that slow everything down. So, the question becomes, how do you automate those checks? That’s where policy as code comes in.
What is policy as code?
Now, when we say policy as code, we don’t mean “policy in code.” People have been doing policy in code for 50 years, writing a smattering of authorization rules into their apps. And 50 years ago, it was revolutionary—but today we expect more.
Policy in code results in unrelated policy, in unrelated languages, in unknown places, with unknown roles, groups, and people. Small changes to (or errors in) one element can take down the whole thing. Making simple changes is cumbersome; making accurate changes across multiple apps can be nearly impossible.
With policy as code, policy is decoupled from the app, platform, or service. Each part gets its own discrete, standalone component that can be changed, updated, replaced, or scaled independently. That means you can change the policy’s code without changing the app’s code.
This translates directly to the three cloud benefits we started this article with: reliability, uptime, and efficiency. When rules need to change—maybe new regulations tighten restrictions on who can access an app, maybe a new type of data needs protecting, or maybe an anomalous activity is picked up and presents a threat—policy changes can be enacted immediately without downtime or disruption to the app itself.
And because the policy is code, just like the app is code, teams can monitor, audit, and more easily collaborate on those policies with the existing cloud-native tools, processes, and pipelines they already use.
However, while decoupling policies is good, it can still mean that each product or service could have its own custom way of configuring policy and that developers could write custom code to implement policy checks. The challenge then is that if anyone wants to run a report about who has access to what, they will need to understand 57 different solutions to authorization, figure out how to query them all, figure out how to piece the results together to give a holistic perspective, and then realize that they’ll have to do that all over again the next time they need a report. Except, the next time will likely include different technologies since the team will have moved on to solve new problems. Not efficient.
Instead, cloud-native teams need a way to both decouple policy and use a common toolset and language for defining that policy wherever it is deployed.
Unified policy as code
To meet our cloud goals, we need to look to the cloud for solutions. A general-purpose policy engine like Open Policy Agent (OPA) can provide a single standard for policy across the stack—meeting the goals of both decoupling and unifying policy as code.
With a single policy framework and a single language for policy as code, defining and controlling access across multiple diverse apps, as well as infrastructure, is possible for the first time. Decoupled policy is easy to monitor and maintain, and unification of all the rules puts every stakeholder on the same page. Styra operationalizes OPA for the enterprise, leveraging its capabilities to the fullest to deliver a comprehensive, vertically integrated solution to policy as code.
In simpler terms, unified policy as code means any authorized person in the enterprise can easily manage anything related to policies—and they’ll be using the same language and toolset as everyone else in the enterprise, making collaboration seamless. Reporting and understanding is also seamless. Whether policy authors are in security, compliance, governance, or deployment, they can easily communicate on policy definitions and downstream implications. Say goodbye to 57 different implementations of policy logic.
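To make the decoupling concrete, here is a small OPA policy written in Rego, added as an illustration and not taken from the article or from Styra. It encodes the kind of rule the article mentions (tightening who may read a newly protected class of data) outside the application, and carries its own unit tests so it runs stand-alone with `opa test`; the package name, user names, roles, and the `classification` field are assumptions for the example.

```rego
package app.authz

import future.keywords.if
import future.keywords.in

# Deny unless a rule below grants access.
default allow := false

# Role bindings live with the policy, not in each application.
# Constructed sample data; in practice OPA would load this from a data document.
role_bindings := {
	"alice": {"admin"},
	"bob": {"analyst"},
}

# Analysts may read any record except those classified as "pii".
# Tightening this rule (for example adding "financial") changes no application code.
allow if {
	"analyst" in role_bindings[input.user]
	input.action == "read"
	input.resource.classification != "pii"
}

# Admins may perform any action.
allow if {
	"admin" in role_bindings[input.user]
}

# Unit tests: each one evaluates the policy against a constructed input document.
test_analyst_reads_public if {
	allow with input as {"user": "bob", "action": "read", "resource": {"classification": "public"}}
}

test_analyst_denied_pii if {
	not allow with input as {"user": "bob", "action": "read", "resource": {"classification": "pii"}}
}

test_admin_writes_pii if {
	allow with input as {"user": "alice", "action": "write", "resource": {"classification": "pii"}}
}

test_unknown_user_denied if {
	not allow with input as {"user": "mallory", "action": "read", "resource": {"classification": "public"}}
}
```

Run `opa test -v policy.rego` to execute the tests, or `opa eval -i input.json -d policy.rego "data.app.authz.allow"` to ask for a decision on a real input document; every service that needs the same decision queries this one policy rather than reimplementing it.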
Containerization is here. Cloud migration and digital transformation have begun in earnest. Standards have emerged both for processes and technologies. OPA has millions of downloads per week, bringing its standard of policy as code to the cloud, Kubernetes, containers, and applications. Policy as code is a highly accessible reality, with significant upside. It is easier than ever for enterprises to define policy as code and leverage automation.
As you move to the cloud, make sure you get the most from the shift. More reliability. More uptime. More efficiency. Easier collaboration and communication. Simpler deployments. Implementing unified policy as code makes things simpler now, and it’s also an investment that will keep paying off.
Learn how Capital One uses policy as code to drive the highest levels of efficiency and compliance.
This article first appeared in InfoWorld on April 8, 2021.