Policy-as-Code: Why We Should Care

It has now become commonplace in the enterprise world to hear colleagues, vendors, and industry pundits alike remarking on the many challenges of managing systems in a context of ever-increasing complexity. Just as common is the litany of reasons put forward for this development: the rise of cloud computing, the persistence (often in the same organization) of on-premise, legacy environments, and the need to succeed in maintaining the security and resilience of both. To these, one can quickly add the seeming impossibility of keeping up with the ever-advancing juggernaut of security threats – not to mention reckoning with the global shortage of engineers who are up to the task of defeating them.

With the above as background, it’s hardly surprising to see enterprises casting about for tools and frameworks that will allow them to get their arms more effectively around this body of management challenges. The tech industry has of course been more than happy to provide a broad range of tooling for enterprises to deploy accordingly. And yet as the numbers of tools in environments, large, small, and in-between. continue to proliferate (to over 100 on average in larger enterprises), it has become clear that operational effectiveness is not simply commensurate with the number or the cost or even the capabilities of the tools in one’s toolchest. How then to address the obvious pain being experienced by operations teams in this brave new world of global, Cloud and Hybrid computing? How to succeed at keeping one’s enterprise digital assets both available and safe while effectively and efficiently supporting business operations and imperatives?

No one answer will suffice here, just as we all might suspect. But increasingly over the past decade, as the lessons of the Agile and DevOps movements have taken hold, management frameworks have begun to emerge that combine the very best of modern software delivery with the benefits of innovating across enterprise teams to build better, more responsive, higher quality process vehicles. This is especially true as long-standing development practices such as maintaining different software versions in a version control system have become exposed to Cloud operations teams through such innovations as “Infrastructure-as-Code” (IaC), which allows for a vastly improved approach to maintaining consistency and standards across infrastructure systems, virtual and physical alike.

Now, what if we were to leverage this same sort of approach for all key business systems, ensuring that they were “coded” to behave a particular way and to achieve a specific result? In short, just as we might code a piece of application software in a prescribed fashion, or a piece of compute infrastructure via IaC, we would be applying that same conceptual approach to building and maintaining enterprise policies (effectively statements of management intent) that could be replicated in a consistent, reliable, manner, and tested like any other piece of code to prove they behaved as expected.

This was the context in which, during the summer of 2022, the ONUG Collaborative Steering Committee established a Working Group to focus specifically on exploring the opportunities potentially to be realized within the emerging technology management framework known as “Policy-as-Code” (PaC).  The goal was to develop an approach to realizing successful PaC implementations that offered a far more efficient, high-efficacy approach to policy management than was possible historically.

Traditionally, to state the obvious, business policies have been maintained in a manual fashion on paper-based systems. Because they were manually maintained, replicating such policies in part or in whole had the potential to be error prone and unreliable. However, when human-language policies are instead expressed as code, properly documented and stored in digital version control systems, such as Git, they are then able to be dealt with “as code.” Meaning: they can be replicated across multiple systems, revised as needed without losing track of the original policy statement, tested during a pipeline-based delivery system, checked and audited to ensure not only that the code yields the proper, expected operational result, but that it meets any number of specific security requirements. In short, the code can be tested for compliance. The organization can prove with a very high degree of certainty that it has achieved that particular outcome.

Even when put forth conceptually at this high level, and in the simplest of terms, it is plain that this modern “PaC” approach offers the possibility of better maintaining consistency, standards, and an expected level of quality, then would be the case with manually managed systems. The promise for streamlining and realizing efficiencies in time-to-market and scale are also apparent. Importantly, in the case of policies that do indeed need to be deployed across a broad framework of systems, or automated to respond in a certain way to specific inputs or scenarios, the possibility of meeting a higher degree of operational assurance also seems clear.

And yet, for all its seemingly obvious advantages, Policy-as-Code is a concept that is still very much in its infancy. As the ONUG Collaborative recognized a year ago, there is effectively no authoritative body of industry operational guidance or standards for enterprises to follow as companies and institutions look to develop more robust approaches to ensuring effective policy governance in their organization. By forming a Working Group of systems engineers and architects from within the ONUG Collaborative Community, the Steering Committee established a mechanism for exploring this nascent technology management idea in detail, in the process setting the stage for developing an approach to operationalizing PaC.

As the team articulated the PaC problem space at the outset of its efforts, it asked the following:

  • What would constitute an effective set of guidelines for translating high-level business requirements around risk into specific policies?
  • How might we ensure that those higher level policy articulations ramify through to lower-level architectures?
  • What policy languages should one employ? Indeed, what should be the criteria for language selection? Or, do we need to define a new, common language?
  • And for that matter, do we also need a common, broad-based, multi-tiered “Policy as Code reference architecture”?
  • How will the integrity, confidentiality, and availability of policies and policy state be verified?
  • How will policies be managed by identity authentication systems and domain-specific toolchains responsible for policy enforcement?
  • How can policy as code be used to reduce toil and improve transparency for second line functions?
  • Does the recent work of the CNCF in this area, namely their Open Policy Agent initiative, meet the needs of industry practitioners?
  • Once expressed in software, moreover, how does one proceed to manage the policy codebase so as to maintain consistency of intent and avoid the problems of “drift”?
  • Wouldn’t Policy as Code playbooks serve a useful purpose as enterprises pursue new policy governance strategies

The overarching challenge to be met, then, was clear: how best to move from an initial statement of policy intent to the verification of compliance, reliably and repeatedly? And from there: what are the nuts and bolts of the processes required to make this approach one that could be automated and repeated across both like and unlike systems environments?

Associates of the ONUG Collaborative member companies (Cigna, Cisco, Citi, Concourse Labs, EY, FedEx, Network to Code, Oracle Cloud, Tenable, and Verizon) began the project’s work effort in earnest by spending considerable effort on the matter of defining terms and develop a PaC  “taxonomy.” They have recently published the results of this first phase of the overall effort as “Enterprise Policy as Code: Glossary of Terms,” which is available for download from the ONUG.net website.

Currently, the team is involved in developing a number of reference examples and use cases from across their ranks and experience base to demonstrate how PaC has been, or can be, deployed in various scenarios – and to gauge its effectiveness as regards meeting the promise of significantly improved policy compliance and systems effectiveness.

Initial use cases such as employing PaC to establish FedRAMP compliance, micro segmentation to address security requirements, IAM policy and role validation, and “Golden Copy” implementation are all on the table for consideration at the ONUG Fall ’23 conference.

If Policy-as-Code is an area that seems rich with promise to you and your enterprise, please do attend the PaC Working Group’s Update Panel at the upcoming ONUG Fall 2023 conference in New York City on October 24-25.

Author's Bio

Michael Thomas Clark

ONUG Policy as Code Working Group