Managing Risk and Automation with Policy as Code | ONUG Fall Session Recap

Using policy as code as the core of managing risk and automation was the topic of one session at ONUG Fall 2022.

Titled Managing Risk and Automation with Policy as Code, the panel included:

  • Don Duet (Chairman & Co-Founder, Concourse Labs)
  • Ruoh-Yann Huang (SVP, Global Head of Network Automation and Telemetry, Bank of America)
  • James Walker (Managing Director, Network Services, Bank of America)
  • Yesim Akdeniz (Managing Director for Network Services, Citi)
  • Xiaobo Long (Sr. VP of Cloud Platform Security Engineering, Citi)
  • Alexandra Shulman-Peleg (EY Americas Cloud Cybersecurity Leader, Managing Director, Ernst & Young LLP)
  • Kimberly Fields (Director, Cloud Risk and Compliance, Raytheon Technologies)

If you couldn’t attend, or need a refresher, here’s your recap, including timestamps from the recording.

Policy As Code Defined

Policy as code formalizes business intent into code, creating intent-driven software that can be evaluated across multiple cloud providers and on-prem systems.

Such code allows policies to be enforced across and within the infrastructure, providing the appropriate compliance guidelines and guardrails.

2:48 What is PAC and how will it help enterprises gain control in multi-cloud?

Policy as code is foundational to the design and delivery of an automated continuous control framework. It puts control directly in the hands of the business consumer rather than the IT or cloud service provider acting as supplier.

As Yesim Akdeniz from Citibank explained, PAC is the start of the “virtual circle” that defines, via software, the network services and infrastructure that incorporate intelligence via telemetry, analytics, and other vital functions to support your IT, network services, and business policies.

In addition, PAC is integral to improving network programmability, and it is the next generation of policy management as a strategic direction (as is happening at Raytheon Technologies, per Kimberly Fields).

5:47 How many enterprises have PAC implemented?

Many corporations have implemented standards as code in some form, even if they haven’t fully put PAC into place. Ruoh-Yann Huang described how Bank of America had already adopted infrastructure as code and is in the process of placing a layer of PAC on top of it, to further automate regulatory enforcement (especially important in a heavily regulated industry like finance).

As another example, Citi is using PAC to enhance vulnerability patching and thereby improve its cybersecurity efforts. Being proactive decreases an organization’s chance of suffering a major breach, all other things being equal.

The Ultimate Goal of Policy As Code in the Enterprise

11:30 The ultimate goal of PAC

Ultimately, PAC helps you go from the very top level of intent to the detailed, bottom-line implementation – something that can be difficult without a formalized and internalized system.

“At the end of the process, you’re going to measure compliance on a system,” said James Walker. Laws, rules, and regulations need to be translated into a specific set of technology standards, and those have to be translated into individual configurations – so that intent can be made into standards enforceable by your technology.
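A worked example of that layering, added here and not from the session or from any panelist’s organization: each policy carries its business intent, the technology standard derived from it, and a configuration-level check, and the same check runs over resources from two cloud providers and an on-prem file share once they are normalized into one model. The provider field names, policy IDs and sample inventory are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Policy:  # one policy: intent -> technology standard -> configuration-level check
    policy_id: str
    intent: str                    # business or regulatory intent in plain language
    standard: str                  # technology standard derived from that intent
    check: Callable[[Dict], bool]  # test on a normalized resource; True means compliant
def normalize(resource: Dict) -> Dict:
    """Map a provider-specific resource (constructed field names) into one common model."""
    provider = resource["provider"]
    if provider == "aws_s3":
        public = not all(resource.get("public_access_block", {}).values())
        encrypted = resource.get("sse_algorithm") in ("AES256", "aws:kms")
    elif provider == "gcp_gcs":
        members = [m for b in resource.get("iam_bindings", []) for m in b["members"]]
        public = any(m in ("allUsers", "allAuthenticatedUsers") for m in members)
        encrypted = True  # GCS encrypts at rest by default
    elif provider == "onprem_nfs":
        public = "*" in resource.get("allowed_clients", [])
        encrypted = bool(resource.get("disk_encryption", False))
    else:
        raise ValueError(f"unknown provider {provider}")
    return {"name": resource["name"], "provider": provider, "public": public, "encrypted": encrypted}
POLICIES = [
    Policy("DATA-01", "Customer data must not be exposed to the public",
           "No storage resource grants anonymous read access", lambda r: not r["public"]),
    Policy("DATA-02", "Customer data must be protected at rest",
           "All storage resources use encryption at rest", lambda r: r["encrypted"]),
]

def evaluate(resources: List[Dict], policies: List[Policy] = POLICIES) -> List[Dict]:
    """Return one finding per (resource, policy) violation; an empty list means compliant."""
    findings = []
    for raw in resources:
        res = normalize(raw)
        for p in policies:
            if not p.check(res):
                findings.append({"resource": res["name"], "provider": res["provider"],
                                 "policy": p.policy_id, "standard": p.standard})
    return findings
# Constructed sample inventory: one resource per provider, two of them non-compliant.
SAMPLE = [
    {"provider": "aws_s3", "name": "cust-exports", "sse_algorithm": "aws:kms",
     "public_access_block": {"BlockPublicAcls": True, "BlockPublicPolicy": False}},
    {"provider": "gcp_gcs", "name": "cust-archive",
     "iam_bindings": [{"role": "roles/storage.objectViewer", "members": ["user:a@example.com"]}]},
    {"provider": "onprem_nfs", "name": "cust-share", "allowed_clients": ["*"], "disk_encryption": False},
]
```

Each finding names the standard that was violated, so a report can be traced back up to the regulatory intent it implements.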

10:44 EY using PAC with investment projects

How ONUG Is Facilitating Policy As Code in the Community

30:22 Who writes the rules and standards for PAC? Who owns it? How can the ONUG Community facilitate PAC?

Author's Bio

Joann Varello

ONUG