Capturing security policies — such as data access — as code, which can then be tested and automated across the software delivery lifecycle.
The purpose of treating these policies as code is not just to capture policies in as software and data, but to automate security for consistent application across the enterprise and apply software engineering practices to them — for instance, keeping the code under version control, and observing and monitoring policy operation.
This enables enterprises to automate their security policies, increasing their protection against disruption and threats.
What is it?
As the technology landscape becomes more complex, automation and engineering practices can help keep the enterprise secure. Security policy as code codifies the security policies in place, for instance access control, so that the policies can be treated as tests.
That means as your software teams write code, they can uses these policy as code tests to verify their code is secure — and can take steps to rectify this if not. Following this approach, your teams can be confident that any code put into production follows your security policies.
And because your security policies are treated as code, you should apply engineering practices to them — for instance version control, and observing and monitoring their performance.
What’s in for you?
Security policy as code improves your ability to remain secure in an increasingly complex and fast moving environment. You can ensure that policy requirements, for things like access controls for all production systems, are robust and up to date.
Additionally, as you are able to automate more security testing, your highly trained security experts are able to concentrate on identifying and remediating hard to find edge cases.
What are the trade offs?
Making security part of the development process is a sea-change for many teams and organizations — it brings with it cultural changes that can be hard for those enterprises accustomed to working in silos. Use of red, blue, purple security teams and structure can help alleviate these tradeoffs.