
Security policy as code

NOT ON THE CURRENT EDITION
This blip is not on the current edition of the Radar. If it was on one of the last few editions it is likely that it is still relevant. If the blip is older it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar.
Published: Nov 20, 2019
Last Updated: Oct 28, 2020
Oct 2020
Adopt

As the technology landscape becomes more complex, concerns such as security need more automation and engineering practices. When building systems, we need to take security policies into consideration: the rules and procedures that protect our systems from threats and disruption. For example, access control policies define and enforce who can access which services and resources under what circumstances, while network security policies can dynamically limit the traffic rate to a particular service.

Several of our teams have had a great experience treating security policy as code. When we say "as code", we not only mean writing these security policies in a file but also applying practices such as keeping the code under version control, introducing automatic validation in the pipeline, automatically deploying the policies to the environments, and observing and monitoring their performance. Existing tools have matured to support this practice: Open Policy Agent and platforms such as Istio provide flexible policy definition and enforcement mechanisms. Based on our experience and the maturity of these tools, we highly recommend using this technique in your environment.

May 2020
Trial

Security policies are rules and procedures that protect our systems from threats and disruption. For example, access control policies define and enforce who can access which services and resources under what circumstances, and network security policies can dynamically limit the traffic rate to a particular service. The complexity of the technology landscape today demands treating security policy as code: define and keep policies under version control, automatically validate them, automatically deploy them and monitor their performance. Tools such as Open Policy Agent or platforms such as Istio provide flexible policy definition and enforcement mechanisms that support the practice of security policy as code.

Nov 2019
Trial

Security policies are rules and procedures that protect our systems from threats and disruption. For example, access control policies define and enforce who can access which services and resources under what circumstances, and network security policies can dynamically limit the traffic rate to a particular service. The complexity of the technology landscape today demands treating security policy as code: define and keep policies under version control, automatically validate them, automatically deploy them and monitor their performance. Tools such as Open Policy Agent or platforms such as Istio provide flexible policy definition and enforcement mechanisms that support the practice of security policy as code.
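As a worked illustration of the practice described in the three editions above (an added example, not code from the Radar, Thoughtworks or the Open Policy Agent project): a small access control policy for Open Policy Agent written in Rego, with its unit tests in the same file so the pipeline can validate it with `opa check` and `opa test` before it is deployed. The package name, the request input shape (`method`, `path` as a list of segments, `user` with `id` and `roles`) and the role names are assumptions.

```rego
# policy.rego: kept under version control next to the service it protects.
# Pipeline validation step before deployment:
#   opa check policy.rego && opa test -v policy.rego
package httpapi.authz

import rego.v1

# Deny by default: a request is allowed only when some rule below grants it.
default allow := false

# Any authenticated caller may read the product catalogue.
allow if {
    input.method == "GET"
    input.path == ["catalogue"]
}

# Only callers holding the admin role may change the catalogue.
allow if {
    input.method in {"PUT", "DELETE"}
    input.path == ["catalogue"]
    "admin" in input.user.roles
}

# A customer may read their own orders, never somebody else's
# (the path segment must equal the authenticated user's id).
allow if {
    input.method == "GET"
    input.path == ["orders", input.user.id]
}

# Unit tests over constructed inputs; `opa test` runs every rule prefixed test_.
test_any_user_reads_catalogue if {
    allow with input as {"method": "GET", "path": ["catalogue"], "user": {"id": "alice", "roles": []}}
}

test_customer_cannot_modify_catalogue if {
    not allow with input as {"method": "PUT", "path": ["catalogue"], "user": {"id": "alice", "roles": ["customer"]}}
}

test_admin_modifies_catalogue if {
    allow with input as {"method": "DELETE", "path": ["catalogue"], "user": {"id": "root", "roles": ["admin"]}}
}

test_customer_reads_only_own_orders if {
    allow with input as {"method": "GET", "path": ["orders", "alice"], "user": {"id": "alice", "roles": ["customer"]}}
    not allow with input as {"method": "GET", "path": ["orders", "bob"], "user": {"id": "alice", "roles": ["customer"]}}
}
```

A failing test fails the pipeline, so a policy change that accidentally widens access (for example dropping the `"admin" in input.user.roles` line) is caught before it reaches an environment.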