
https://www.techtarget.com/searchitoperations/tip/Apply-policy-as-code-best-practices-to-reap-benefits

Apply policy-as-code best practices to reap benefits

By Kurt Marko

Infrastructure as code is an increasingly popular way to codify and automate system configurations and installations.

Systematizing the many parameters necessary to instantiate a cloud computing environment is critical to managing thousands of virtual resources across multiple providers and regions. IaC translates configuration policies into a readable format that IT admins can easily edit, audit and reproduce. Policy as code (PaC) is the application of this principle to security, software development and IT operations rules and processes.

Policy as code documents rules, controls and best practices, and automates enforcement and implementation through software known as a policy engine. A policy engine, like a software compiler, translates structured code into implementations, whether for network security configuration or Kubernetes cluster parameters. Much like IaC systems and software compilers, PaC engines automatically check for logical inconsistencies, syntax errors and missing dependencies to minimize or -- ideally -- eliminate errors in policy enforcement and implementation.

PaC's roots go back 30 years to Donald Knuth's concept of literate programming, which combined software code and documentation into a single file. Literate programming is a further generalization of policy as code because it combines narrative descriptions and logical, structured algorithms. Knuth wrote, "Programming is best regarded as the process of creating works of literature, which are meant to be read." In essence: Code is a language, and the premise of a language is to be understood by humans -- therefore, code should also be human-readable.

PaC combines these same ideals, namely:

Portable is the operative word because, like a software compiler, PaC instructions enable a policy compiler to implement policies on many different types of hardware and environments. The policy should be literate and understandable by those tasked to implement, update and audit it.

When using Knuth's paradigm mentioned above, there is a strong binding between the controls, the rules -- which represent the human-readable intent -- and the code.

Policy-as-code benefits, best practices

PaC is gaining adherents for the same reasons that drive the adoption of IaC:

The following best practices maximize the benefits of policy as code and improve policy consistency, coverage, security and accuracy.

Policy-as-code examples

PaC defines and enforces security policies, such as firewall rules; application, resource or data access controls; data encryption rules; and code provenance restrictions. It links to infrastructure-as-code systems to apply policies for infrastructure deployment, such as restrictions on container cluster and workload placement. PaC is also used for network security configurations and temporal restrictions on application or resource use.
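To make the two ideas above concrete -- a policy engine that lints the policy set itself (the compiler-style checks for inconsistencies, unknown operators and missing dependencies) and then enforces it against a workload specification (provenance of container images, encryption at rest, workload placement) -- here is a small policy engine in Python. This is an added example written for this page; it is not code from the article or from any real policy engine such as OPA. The rule schema, the field names, the registry `registry.example.internal/`, the region list and the sample workload specs are all constructed for illustration.

```python
"""Minimal policy-as-code engine (added example, hypothetical schema).

Policies are data, not ad hoc scripts: each rule carries its machine-checkable
condition next to a human-readable "doc" stating the intent, in the spirit of
literate programming. A rule *denies* a resource when its condition matches.
"""

# Operators the engine understands. A rule using anything else fails linting,
# the PaC analogue of a compiler's syntax check.
OPERATORS = {
    "eq": lambda actual, expected: actual == expected,
    "not_in": lambda actual, expected: actual not in expected,
    "no_prefix_in": lambda actual, expected: not any(
        str(actual).startswith(prefix) for prefix in expected),
}

# Fields a workload spec is known to expose (constructed schema). A rule that
# points at an unknown field is the PaC analogue of a missing dependency.
KNOWN_FIELDS = {"container.image", "container.privileged",
                "volume.encrypted", "placement.region"}

# Constructed policy set. Registry, regions and ids are illustrative only.
POLICIES = [
    {"id": "no-privileged", "path": "container.privileged", "op": "eq", "value": True,
     "doc": "Containers must not run privileged."},
    {"id": "approved-registry", "path": "container.image", "op": "no_prefix_in",
     "value": ["registry.example.internal/"],
     "doc": "Images must come from the approved internal registry (code provenance)."},
    {"id": "encrypt-volumes", "path": "volume.encrypted", "op": "eq", "value": False,
     "doc": "Persistent volumes must be encrypted at rest."},
    {"id": "region-allowlist", "path": "placement.region", "op": "not_in",
     "value": ["eu-west-1", "eu-central-1"],
     "doc": "Workloads may only be placed in EU regions."},
]

# A deliberately broken policy set (constructed) to show what linting catches:
# a duplicate id, an unknown operator, an unknown field, and a redundant rule.
BROKEN_POLICIES = POLICIES + [
    {"id": "no-privileged", "path": "container.runAsRoot", "op": "matches", "value": True,
     "doc": "Duplicate id, unknown operator and unknown field in one rule."},
    {"id": "volumes-encrypted", "path": "volume.encrypted", "op": "eq", "value": False,
     "doc": "Same condition as encrypt-volumes; redundant."},
]


def lint_policies(policies):
    """Static checks on the policy set itself. Returns a list of problem strings."""
    problems, seen_ids, seen_conditions = [], set(), {}
    for rule in policies:
        rid = rule.get("id", "<missing id>")
        if rid in seen_ids:
            problems.append(f"{rid}: duplicate rule id")
        seen_ids.add(rid)
        if rule.get("op") not in OPERATORS:
            problems.append(f"{rid}: unknown operator {rule.get('op')!r}")
        if rule.get("path") not in KNOWN_FIELDS:
            problems.append(f"{rid}: unknown field {rule.get('path')!r}")
        key = (rule.get("path"), rule.get("op"), repr(rule.get("value")))
        if key in seen_conditions:
            problems.append(f"{rid}: same condition as {seen_conditions[key]}")
        seen_conditions.setdefault(key, rid)
    return problems


def lookup(resource, path):
    """Resolve a dotted path such as 'container.image' in a nested dict; None if absent."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate(resource, policies):
    """Return the (rule id, reason) pairs a resource violates. Empty list = admitted."""
    violations = []
    for rule in policies:
        actual = lookup(resource, rule["path"])
        if actual is None:
            # Fail closed: a field the policy needs is missing, so compliance is unproven.
            violations.append((rule["id"], f"{rule['path']} is not set"))
            continue
        if OPERATORS[rule["op"]](actual, rule["value"]):
            violations.append((rule["id"], rule["doc"]))
    return violations


# Constructed sample workload specs.
COMPLIANT = {
    "container": {"image": "registry.example.internal/api:1.4.2", "privileged": False},
    "volume": {"encrypted": True},
    "placement": {"region": "eu-west-1"},
}
NONCOMPLIANT = {
    "container": {"image": "docker.io/library/nginx:latest", "privileged": True},
    "volume": {"encrypted": False},
    "placement": {"region": "us-east-1"},
}

if __name__ == "__main__":
    print("lint (good set):", lint_policies(POLICIES))
    print("lint (broken set):", *lint_policies(BROKEN_POLICIES), sep="\n  ")
    print("compliant spec:", evaluate(COMPLIANT, POLICIES))
    print("noncompliant spec:", *evaluate(NONCOMPLIANT, POLICIES), sep="\n  ")
```

Two design choices matter for a defender. Linting runs before any enforcement, so a typo in an operator or a reference to a field the platform does not expose is caught when the policy is committed, not when a deployment is silently let through. And evaluation fails closed: a spec that omits a field a rule depends on is reported as a violation rather than treated as compliant, which is the behaviour an auditor would expect from a control that claims to enforce encryption or placement.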

But policy as code is still a relatively new idea, with few software tools available that target cloud environments. These include:

25 Jan 2022
