The cloud today, candidly speaking, is no longer an option. It is a necessity to thrive, remain agile and improve competitiveness in a tight global market. When we speak of the cloud, the conversation almost automatically veers towards security. While cloud security has vastly improved over the years and has gained the confidence of the enterprise, there are still opportunities for improvement.
According to The State of Cloud Security 2020 report:
- 70% of organizations hosting data/workloads in the public cloud experienced a security incident
- 44% of organizations stated data loss/leakage was one of their top 3 security concerns
- Multi-cloud organizations report more security incidents than those using a single platform
- 66% of organizations leave back doors open to attackers through misconfigured cloud services
Given these security concerns and a tightening compliance and regulatory landscape, enterprises need to improve and strengthen their cloud security.
The objective of policies is to protect the cloud infrastructure by controlling access, managing infrastructure operations, setting limits, and reducing the blast radius of incidents.
Policy-as-a-Code means writing policies as code in a high-level language so that they can be automated and managed easily.
Policy-as-a-Code becomes relevant since automation in the cloud and DevOps narrative is only increasing. It also becomes important today as software products and services have to be tested heavily and comprehensively to verify their health, readiness, performance, and accuracy. It is only with these guarantees that enterprises can release products/services confidently into the market.
By enabling Policy-as-a-Code, enterprises can drive automated decision-making while allowing developers and engineers to manage features-driven work without sacrificing compliance.
The high-level language employed in Policy-as-a-Code depends on the policy engine, which takes a query input, combines it with data and a policy, and returns a query result. These policies can also be expressed in declarative languages and can be used for authorization control, infrastructure provisioning in the cloud, and Kubernetes control.
How does Policy-as-a-Code improve cloud security?
The enterprise benefits of Policy-as-a-Code are significant when it comes to saving costs and improving the cloud security posture.
Here are a few ways in which Policy-as-a-Code improves cloud security:
Improve access management
Policy-as-a-Code is a great way to drive access management and authorization. It helps enterprises draw up policies that prevent inadvertent access to important and confidential resources such as databases and storage, workflows, etc. Policy-as-a-Code helps in implementing fine-grained access control for an application by establishing policies to check authorization.
This becomes especially important in the DevOps narrative: while leaving services open to the internet might not be a problem in production, it can mean being open to vulnerabilities during development and testing. Testing environments could be less secure than production environments, and developer instances can remain inadvertently available even post-development.
However, by leveraging Policy-as-a-Code, enterprises can control ingress and egress to and from resources and reduce the likelihood of unauthorized access to resources or even data breaches. Essentially, Policy-as-a-Code enforces security best practices regardless of the type of environment, whether development, test, or production, and secures the software supply chain.
Drive compliance and security
The compliance and regulatory landscape is becoming increasingly stringent in the wake of rising security concerns and with sensitive data now residing in the cloud. Enterprises have to make sure that their cloud security is optimized and that all enterprise policies addressing compliance and regulatory requirements fit in seamlessly with the organization’s needs.
Policy-as-a-Code makes it possible to have custom policies written in OPA (Open Policy Agent), identify cloud resources that violate enterprise policies, proactively mitigate them to ensure compliance, and fine-tune enterprise policies so that they can improve the cloud security posture.
Easier and improved validation before/during deployment
Policy-as-a-Code also helps organizations create a pipeline that validates application, infrastructure, and deployment processes. In the DevOps world, this can be an important consideration point owing to the CI/CD process.
Using Policy-as-a-Code, enterprises can validate the resource graph before and also during deployment. Out-of-compliance resources can then be easily identified and blocked by a policy from being modified or created. Policy-as-a-Code also validates the infrastructure before resources are deployed, making security more airtight.
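An added example (not from the article, and not OPA itself): a minimal Python stand-in for the pre-deployment check described above, in which an engine takes an input (the planned resources), data (organization settings) and policies, and returns a decision. The resource fields, the port allowlist and the tag names are constructed assumptions.

```python
"""Minimal policy-as-code gate: input + data + policies -> decision (not OPA)."""
import ipaddress

# Constructed "data" document: organization settings the policies consult.
DATA = {"public_ports": {443}, "required_tags": {"owner", "env"}}

# Constructed "input": resources a deployment plan would create.
PLAN = [
    {"name": "web-prod", "type": "firewall_rule", "env": "production", "port": 443,
     "cidr": "0.0.0.0/0", "tags": {"owner": "web", "env": "production"}},
    {"name": "db-dev", "type": "firewall_rule", "env": "development", "port": 5432,
     "cidr": "0.0.0.0/0", "tags": {"owner": "data", "env": "development"}},
    {"name": "logs-test", "type": "bucket", "env": "test",
     "public_read": True, "tags": {"owner": "ops"}},
]

def open_ingress(res, data):
    """Deny world-open ingress on ports outside the allowlist, in every environment."""
    if res["type"] != "firewall_rule":
        return None
    net = ipaddress.ip_network(res["cidr"], strict=False)
    exposed = net.prefixlen == 0 and res["port"] not in data["public_ports"]
    return f"port {res['port']} open to {net}" if exposed else None

def public_bucket(res, data):
    """Deny storage buckets that allow public read."""
    public = res["type"] == "bucket" and res.get("public_read")
    return "bucket allows public read" if public else None

def missing_tags(res, data):
    """Require the organization's mandatory tags on every resource."""
    missing = data["required_tags"] - set(res.get("tags", {}))
    return "missing tags: " + ", ".join(sorted(missing)) if missing else None

POLICIES = [open_ingress, public_bucket, missing_tags]

def evaluate(plan, data, policies=POLICIES):
    """Map each non-compliant resource name to its list of violations."""
    checked = {r["name"]: [m for p in policies if (m := p(r, data))] for r in plan}
    return {name: msgs for name, msgs in checked.items() if msgs}

def gate(plan, data):
    """Deployment decision: allow only when no resource violates a policy."""
    violations = evaluate(plan, data)
    return {"allow": not violations, "violations": violations}

if __name__ == "__main__":
    print(gate(PLAN, DATA))
```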
As the number of automated systems increases, it becomes essential to protect these automated systems and ensure that they do not perform any dangerous actions. Given the rising volumes of automation, Policy-as-a-Code can serve as a guardrail for these automated systems. Manual verification for these becomes a time-consuming and error-prone process. By employing Policy-as-a-Code, enterprise policies can easily keep up with automated systems and ensure their safekeeping.
Putting the right checks in place is an important and major part of keeping the cloud environment secure. Setting the right checks is also essential to the software delivery process in the wake of cloud application development and the rise of development methodologies like DevOps that employ a lot of automation and harness the power of the cloud to collaborate. To improve cloud security, it thus becomes essential to catch errors or noncompliance faster and earlier in the lifecycle. Further, Policy-as-a-Code benefits developers and operators directly by enabling repeatability, versioning, and testing, and can bring best-of-breed security and granular control to the cloud.
(The author is Anurag Sinha, Co-founder and Managing Director at Wissen Technology and the views expressed in the article are his own)