Policy as Code: An opportunity to increase resilience while lowering the cost of compliance
Cyber resilience is now a game of scale, complexity, compliance and cost.
On one hand, we have organisations and supply chains growing in stature and complexity, whereas on the other we are witnessing an increasing need to demonstrate compliance and minimise costs.
Policy as Code, much like Infrastructure as Code before it, has the opportunity to further increase resilience while lowering the cost of auditing modern architecture.
How DevOps increased cyber resilience and drove down costs
In DevOps, Infrastructure as Code has allowed us to learn a lot about scaling while at the same time increasing resilience and minimising mistakes.
The concept behind this is that you describe, in a code-esque way, how you want systems built and deployed, and it is automatically built to that specification. As you typically use a continuous integration and delivery pipeline, you reap the benefits of change control and peer review for minimal investment, while at the same time maintaining consistency.
As DevOps styles of working become the norm, we have a huge opportunity to make security less complex and burdensome, as well as cheaper to deliver. When I consider this I always think back to the seminal presentation from 2015, delivered by Netflix’s Jason Chan, titled Splitting the Check on Compliance and Security (watch it; watch it now!)
Another excellent and recent example of this style of approach in practice is from Jearvon Dharrie of Comcast. Jearvon’s presentation shows how Infrastructure as Code creates a real reduction in security/developer friction, thus increasing business agility while arguably being as secure as the old way of doing things, if not more so.
The next step: Policy as Code
The next step, Policy as Code, has recently emerged.
Compared to Infrastructure as Code, it has the potential to allow organisations to demonstrate compliance and further increase resilience against human frailty in a more efficient and cheaper manner.
Policy as Code has been designed to complement Infrastructure as Code by defining rules/boundaries which are automatically checked prior to deployment against the codified policy. While this approach is embryonic the business case is clear, which will drive the adoption of this type of approach in forward-leaning organisations.
To end, this video from Armon Dadgar, CTO of HashiCorp (yes, the ones who develop Terraform) is worth the 40-minute investment. The types of improvements shown, as with DevOps and DevSecOps before them (and CI/CD more generally) provide the opportunity for significant increases in organisational velocity.
From DevOps design, build, operation & assessment through to Security Development Lifecycle consultancy, our various specialist practices can help.
Published date:  16 October 2017
Written by:  Ollie Whitehouse