Policy as Code
Policy as Code
First a definition; we define Policy as Code as being : "The use of common code or a Domain Specific Language (DSL) to define, implement, monitor and enforce the application of controls on a technology asset." Although we accept this is perhaps a very broad definition, but with this we are trying to introduce the notion that, if implemented in its entirety, Policy as Code can go a long way to bridging the often sizable gap between a formal policy document and the implementation of the controls designed to protect your physical, virtual or data assets.
The background ...
In many organisations (particularly large ones) there is often a huge amount of resources assigned to tasks associated with the creation, enforcement and monitoring of controls on physical or virtual assets (particularly data). Typicially this starts with a large Policy document that is closely aligned to governing regulatory requirements and typically includes a number of directive controls intended to advise on expected behaviour around protecting assets. Following policy documents come an even larger suite of documents covering various types of controls (preventative, detective, corrective and recovery) that go into the specifics of how assets should be protected.
... and the problem.
A significant challenge exists to implement all the various controls in a consistent, repeatable and all-encompassing manner. Whilst regular audits and spot checks attempt to verify if the controls have been implemented as intended they are often playing catchup with the current situation. There is often a frequently manual process between the writing of a particular policy and the implementation and monitoring of control directives intended to enfoce the policy. This 'automation gap' takes considerable resources to fill. Even with the best intentions and most diligent of staff this represents a fragile link in the path to regulatory compliance.
An opportunity exists ...
There exists the opportunity to bridge the divide between a formal policy document and the implementation of accompanying controls. Applying a Policy as Code approach (perhaps alongside a dedicated Policy Management System) would allow the policies to be created in a way that both fulfil the overarching regulatory and operational requirements but also directly map to the implementation of the various controls needed to protect assets. If policies can be written in this way, then the accompanying controls can be queried in real-time as cloud assets and services are requested. Requests that violate the control can be automatically blocked from proceeding.
... when combined with automation with IaC
If you are leveraging Infrastructure as Code for the creation and management of your cloud assets then at provision time, the scripts being executed can be queried to ensure compliance with applicable controls. For example, if a policy says that a particular team is only able to provision virtual machines in a controlled development environment (eg a particular subnet) then, before the infrastructure code is applied it is interrogated to ensure the requested subnet is accessible to the user making the request. Infrastructure as Code plus Policy as Code enables organisations to take a major step towards improving their risk posture.
If you would like to add an increased level of assurance around the cloud based controls attached to your cloud assets then please get in touch at
Anglowide GmbH was founded in 2010 to offer software development and consultancy services to (initially) the financial and insurance sectors. Since inception we have also offered solutions and advice to the maritime and SME sectors. Please see our About page for more information.
Anglowide GmbH, 8572 Berg, Switzerland
+41 (0) 44 586 54 07