Definition

policy engine

Robert Sheldon

By

Robert Sheldon

What is a policy engine?

A policy engine is a software component that allows an organization to create, monitor and enforce rules about how network resources and the organization's data can be accessed.

The policy engine relies on a combination of network analytics and programmed rules to grant role-based permissions that take into account multiple factors, such as device type, workload label or hierarchy of need. For example, an organization might permit individuals in a user group to access specific network resources. When a user in the group tries to log onto the network, the policy engine authorizes the individual to connect to the network and access the permitted resources but denies access to anything else.

A policy engine can control various types of access behavior. For example, it might allow or exclude a range of IP addresses, specify the ports and protocols that network traffic can use, or apply rules that are specific to inbound or outbound traffic.

The criteria that the policy engine uses when evaluating access requests depends on how the network policies have been defined. Policy definitions are based on the organization's specific circumstances, constraints and resource types. However, the policy engine might also consider other information, such as threat intelligence or analytics performed from historical data.

How does a policy engine work?

A policy engine is implemented in conjunction with other components to provide a coordinated approach to protecting network resources. The exact topology depends on the type of network and its design. That said, a policy-based network commonly includes certain basic components in addition to the policy engine.

First, the network incorporates a mechanism at each access point that enforces the policies. The network might also include local storage for policy-related data or provide access to external data sources that support the policy engine. Some systems also incorporate a trust engine or comparable technology for evaluating access risks. The following figure provides an example of what such a topology might look like.

diagram illustrating policy engine network topology example — Example of a policy engine network topology.

Policy enforcement occurs at the point where an outside system first attempts to access a policy-protected network. For example, an employee on a laptop might try to access a resource on the company's network. The point of entry is typically a network component such as a firewall or load balancer, which serves as the policy enforcer. The enforcer determines whether to allow or deny access based on input from the policy engine.

The policy engine lies at the heart of this topology, making all decisions about whether to permit or deny access to the network. When a request for access comes in from a network entry point, the policy engine compares that request to the defined network policies. The policy engine might also use other sources of data to determine whether to permit access, such as a trust engine or a security information and event management (SIEM) system.

When evaluating an access request, the policy engine takes into account a variety factors, such as the user requesting access, the user's device, the device's IP address, the network protocol or the target resource. From all this information, the policy engine determines whether to grant network access to that user for the specific resource.

A policy engine often incorporates an administrative component that communicates directly with the policy enforcer, executing the engine's access decisions and handling session information. In some networks, the policy administrator is a separate component from the policy engine, acting as an interface between the policy engine and policy enforcer. Like other aspects of a policy-based network, the exact topology depends on the specific implementation.

The policy engine also relies on one or more data sources to provide the information it needs to determine when to allow access to network resources. The data might be stored locally or remotely and can include a wide range of information. Not only does this include a copy of the policies themselves, but it also includes resources such as system logs, SIEM data, inventory data about users and devices, historical data for performing risk analysis, threat intelligence data, and much more.

Some networks also incorporate a trust engine or similar component for evaluating risk. The trust engine analyzes the available data and determines the riskiness of a particular connection. Some trust engines incorporate AI and other technologies to perform advanced analytics on the available data. For this reason, a trust engine must be able to access the necessary data sources to carry out its evaluations. The trust engine must also be able to communicate directly with the policy engine.

Learn about the top 3 network analytics use cases and how to reap the benefits of applying policy-as-code best practices.

This was last updated in August 2023

Continue Reading About policy engine

AI threat intelligence is the future, and the future is now

What it means to do 'everything as code' in IT operations

How cloud security posture management protects multi-cloud

How a backup data retention policy combats growing storage needs

Dig Deeper on Systems automation and orchestration

Search Software Quality

New GitHub Copilot agent edges into DevOps
The GitHub Copilot coding agent can take on toilsome tasks such as bug fixes and code reviews with its own GitHub Actions pull ...
3 software testing sample test cases, with templates
A good test case is easy to trace, reusable and relevant to user needs. Learn how to write an effective test case with these ...
Verification vs. validation in software testing
Verification and validation are at the heart of all software testing efforts. Together, they check that software fulfills both ...

Search App Architecture

4 pseudocode examples: Python, Java, JavaScript and C++
Successful pseudocode conversion goes beyond simply making the code work. It's about creating implementations that respect each ...
Using AI and machine learning for APM
Discover how organizations can streamline operations and improve operational analytics by using AI and machine learning in their ...
My first attempt at vibe coding
Can you teach an old programming dog a new trick?

Search Cloud Computing

Get started with Amazon Q Developer
Amazon Q Developer is a versatile tool for software development, offering code generation, optimization recommendations and ...
HPE adds Morpheus Data to KVM hypervisor for enterprises
A KVM hypervisor by Hewlett-Packard Enterprise evolves with technology and capabilities from Morpheus Data, an HPE acquisition, ...
Gain insights with Enhanced Monitoring in Amazon RDS
RDS Enhanced Monitoring provides teams with additional data visibility to improve database scalability, performance, availability...

Search AWS

Compare Datadog vs. New Relic for IT monitoring in 2024
Compare Datadog vs. New Relic capabilities including alerts, log management, incident management and more. Learn which tool is ...
AWS Control Tower aims to simplify multi-account management
Many organizations struggle to manage their vast collection of AWS accounts, but Control Tower can help. The service automates ...
Break down the Amazon EKS pricing model
There are several important variables within the Amazon EKS pricing model. Dig into the numbers to ensure you deploy the service ...

TheServerSide.com

Learn how to use concurrency in Go with this tutorial
The Go language is designed for simplicity, including its approach to concurrency. In this tutorial, learn to perform multiple ...
How to build an AI agent tutorial with example
How do AI agents work? Are they like cron jobs? This walkthrough explains what AI agents can do, the basic principles that apply,...
The state and future of Java desktop application development
In today's world of web application development and SaaS, what does the future hold for Java desktop applications? It's brighter ...

Search Data Center

Dell Technologies pitches its hardware for AI data centers
Servers, networking and storage hardware take center stage at Dell Technologies World 2025, as well as a tightly integrated ...
Single-tenant vs. multi-tenant cloud architecture
Single-tenant and multi-tenant cloud architecture offer unique advantages and disadvantages. Understanding both is crucial for ...
Nutanix platform may benefit from VMware customer unrest
Nutanix's Next 2025 conference attendees are jumping ship to the platform after Broadcom's VMware buy, as Nutanix executives plan...

Close