Regulated organisations express the objectives of their regulators by authoring, enforcing and maintaining policies across their technology estate. To name just a few, these policies can dictate how the organisation must approach data handling, security hardening, patching and access control.
In the traditional technology estate, it was possible for security, risk and compliance teams to author these policies whilst matching the cadence of change. For instance, a hardening document for “Windows Server” needed only to be updated bi-annually.
With cloud providers innovating at an extraordinary rate and the richness of the services they provide ever increasing, maintaining document matrices to enforce policy fails to scale. Furthermore, these documents are typically poor methods of expressing the technical configuration of a service within the cloud and instead rely on the implementation engineer to interpret the intention of the policy document.
OPA, a Cloud Native Computing Foundation incubating project, seeks to solve this problem by allowing security, risk and compliance teams to adopt a “DevOps” style methodology and express their desired policy outcomes as code. In the context of security, this allows us a practical means in which to realise concepts such as “DevSecOps”.
In this talk, Sourced consultants Ravi Nair and Drew Taylor introduce OPA and provide practical examples of how it can be used to ensure the policy objectives of your organisation can be met at scale, in code.
Cloudsec 2019 | OPA (Open Polcy Agent): Offering Flexibility and Security with Policy as Code