Progress Advocates Policy-As-Code Approach For Sharper Secure IT
Adrian Bridgwater, Senior Contributor. Opinions expressed by Forbes Contributors are their own. I track enterprise software application development & data management.
Sep 13, 2022, 03:31pm EDT
Progress CEO Yogesh Gupta: A symbiotic union of Policy-as-Code with human cultural guidance is a prudent approach. (Terry-Lynn Foster)
Companies run on policies. A typical business might establish policies to govern expenditure, employee behavior and conduct, investments, and corporate gifts or bonuses, to name a few areas.
These are the more visible policies that help run a business, but the IT department has its own lower-level policy system too. A technology policy works in much the same way as a commercial business policy, i.e. it prescribes processes relating to best practices, it stipulates the actions required for legal and regulatory compliance, and it may also lay down guidance on which protocols and code structures are adopted. In a multi-cloud world with different programming languages, different software configuration techniques and, quite simply, different device form factors, policy is a useful thing to have. As one might expect, technology policies are largely binary: a system either conforms to them or it does not.
Where employee conduct policies are open to a degree of personal interpretation, technology policies generally aren't. They exist to govern live 'production' software environments, ensuring that unapproved code or tooling is not introduced. Among the many other elements of system health they govern, technology policies also stipulate how connections to central IT systems are made, when they are allowed, and who (or what) is allowed to make them.
Digitally enforced policies
One of the keys to creating a functional IT policy is a mapping process in which policies are taken from a state where they can be read and interpreted by humans to a state where they can be digitally enforced through machine code. "In practical terms, C-suite directors should not think of IT Policy-as-Code as any great leap away from business policy, it's a very natural extension for today's digital data-driven businesses," said Yogesh Gupta, CEO of infrastructure software company Progress. "What they should realize though, is that there has always been a separation between what IT policy is – and what is actually implemented.
To move forwards successfully, technology policies must be both human-readable and machine-enforceable."
Gupta provides some illustrative examples. He says that a business policy could be something straightforward, such as a set of actions specifying what a company does in the case of a flood.
At a more granular level, it could be the defining factors that go into providing a risk assessment for an insurance quote. Equally, an IT policy might delineate the actions to be undertaken in the case of a security breach. Again at a more granular level, it could cover what type, grade or nature of software components are approved to go into which application, especially where composable cloud functions and API-based connections are concerned.
In terms of use, the Progress Chef platform automates the translation of policy into its machine-executable state, so that enforcement is automatic rather than dependent on a human reading the document. "In working operation inside a business, Policy-as-Code enables all policy to become a higher-level business entity that all employees and stakeholders can interpret and understand. An IT policy instruction that is written by developers and only readable by the programmers that created it and the machines that run it is of less value, because the subject matter experts, business 'product' owners or domain specialists that need it to exist cannot understand it," explained Gupta.
"We can use policy to define our right and wrong — but we should still understand that human culture will determine what we think — so a symbiotic union of the two systems is very prudent."
There is something of a progression happening here with Policy-as-Code, i.e. this is not just IT compliance and system provisioning being renamed and relabeled; it is more like an evolution of compliance and provisioning for the cloud-connected era of always-on continuous computing. As a GigaOm white paper has noted, "This space is evolving quickly and has heavy dependencies on exactly how infrastructure is provisioned and managed, along with how applications communicate. [Organizations should] consider their existing infrastructure and application development tooling roadmaps when seeking a Policy-as-Code solution to ensure it will be interoperable in the coming years."
A policy-based portfolio
Progress is one of a number of vendors that champion this space for its ability to help manage modern cloud-centric IT stacks. This year, the company released its Progress Chef Cloud Security solution to extend DevSecOps operations with compliance support for native cloud assets and end-to-end management of on-premises, cloud and cloud-native resources. If we understand DevSecOps to be the cultural workflow union of developers and IT system operations staff, with the security function sandwiched in throughout, then we can see why Progress describes itself as an organization with a 'policy-based portfolio' of solutions designed for life in mixed computing environments.
The Progress Chef Cloud Security product itself is designed to coordinate security, development, testing and operations participation, making it easy to shift security checks to the left (i.e. make them happen earlier) by applying policy checks at every stage of the DevOps pipeline, with coded artifacts, automated tests, and enterprise control and visibility delivered through a Policy-as-Code approach.
"Over the past several years, Chef – now under the leadership of Progress – has placed significant focus on building out security and compliance capabilities to make the DevSecOps concept achievable for our customers," said Sundar Subramanian, EVP & GM DevSecOps, Progress. Subramanian, who also carries the title of EVP & general manager for Chef Business at Progress, says that as enterprises more visibly adopt a policy-as-code approach, he and his team are keen to see what customers will accomplish as they work towards a more end-to-end level of DevOps competency.
A single as-code framework
As a long-time proponent of Infrastructure-as-Code (IaC), Chef has applied the same principles to introduce a Policy-as-Code approach for security and compliance. According to Progress, Chef now helps organizations achieve their goal of using a single 'as code' framework for their infrastructure, application, desktop, security and compliance concerns across their entire on-premises, cloud and edge device inventory. The complete set of Chef capabilities is available as part of the Progress Chef Enterprise Automation Stack (EAS), designed for scale to meet the demand of the largest global enterprises, which now includes these new features: As detailed in the GigaOm report cited above, "With its roots in delivering IaC capabilities, it should be no surprise that everything in Chef can (and should) be stored as code inside Git [the open source version control system], which promotes collaboration among legal, compliance, developer and operations teams." The report notes that, as a configuration management solution, Chef is widely known to run a [software] client on its managed systems to report on state and enforce configuration or policy changes; in this way, Chef has always been able to detect and remediate configuration drift on its managed systems.
"But Chef can extend beyond traditionally managed infrastructure systems into cloud environments, integrating with cloud provider APIs in order to report on configuration status and compliance with policy using InSpec [Chef's own compliance policy definition language and evaluation technology] regardless of the infrastructure provisioner," notes the report. For completeness, the GigaOm market analysis identifies Progress Chef as a key player in the space, but it also makes note of HashiCorp, Palo Alto Networks, Snyk, Pulumi, Sysdig and Styra. Progress has called out the increased complexity that we are all witnessing across our IT networks.
It's a reality brought on by the growing number of services offered by the major Cloud Services Providers (CSPs), by the diversification of disparate computing resources now being brought together through containers and related technologies, and by the spiralling number of devices (sensors, smart machines and more) that exist at the 'computing edge' serving the Internet of Things (IoT). "We are entering a world where things are changing fast and that leads to complexity," said Progress' Subramanian. "When it comes to Policy-as-Code, having a common language shared among your teams is important.
That language is really the codification of security and compliance, where your stakeholders and folks who care directly about security and compliance can understand what's been codified in order to certify compliance right. And managing security and compliance as code is the only way you will be able to enable an organization to achieve continuous compliance."
Beyond the Word, Excel & PDFs
To bring all these thoughts together, let's examine where we are now and where we need to get to.
As we stand today, most enterprises (arguably) have too much policy, both general operations policy and IT policy, laid down in Word and Excel documents, with other elements of policy stipulation languishing in unloved (and perhaps rarely viewed) PDF files. This is the case because policy controls and other forms of corporate mandate written that way must be interpreted by humans before they can be enforced. If we move to codified policies, organizations can document their policies in an unambiguous, shareable, actionable way.
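To make the "human-readable and machine-enforceable" requirement concrete, here is a small policy evaluator written in Ruby (the language of Chef and of InSpec's own DSL). It is an added example, not Chef, InSpec or Progress code: the control DSL is a simplified stand-in for the shape an InSpec control takes (id, impact, title, description, check), and the control IDs, the gating threshold, the sshd_config text and the cloud security-group rules are all constructed assumptions. Each control carries metadata an auditor can read alongside a check the pipeline enforces, and the same run produces both a report and a pass/fail gate. It covers the mapping from human-readable to machine-enforceable policy discussed above and the host-plus-cloud evaluation the GigaOm report attributes to InSpec.

```ruby
# Added example: a minimal policy-as-code evaluator, loosely modelled on the
# shape of an InSpec control (id, impact, title, desc, check). It is not
# Chef/InSpec code; the DSL, control names and sample state are assumptions.

# A control pairs human-readable metadata with a machine-enforceable check.
# The check receives the target state and returns a list of failure strings
# (empty means the control passes).
Control = Struct.new(:id, :title, :impact, :desc, :check) do
  def evaluate(target)
    failures = check.call(target)
    { id: id, title: title, impact: impact,
      status: failures.empty? ? :pass : :fail, failures: failures }
  end
end

# Parses sshd_config-style "Keyword value" text into a hash keyed by the
# downcased keyword (sshd matches keywords case-insensitively).
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key.downcase] = value.to_s.strip
  end
end

ANY_SOURCE = %w[0.0.0.0/0 ::/0].freeze

# True when an ingress rule exposes +port+ to the whole internet. Port
# ranges and "all protocols" (-1) rules are caught, not just exact matches.
def world_open?(rule, port)
  rule[:direction] == 'ingress' &&
    ANY_SOURCE.include?(rule[:cidr]) &&
    %w[tcp -1].include?(rule[:protocol]) &&
    (rule[:from_port]..rule[:to_port]).cover?(port)
end

# The policy itself: readable by an auditor, enforced by the lambdas.
CONTROLS = [
  Control.new('ssh-01', 'Root must not log in directly over SSH', 1.0,
              'Direct root login removes per-user accountability.',
              lambda do |t|
                v = t[:sshd]['permitrootlogin']
                v == 'no' ? [] : ["PermitRootLogin is #{v.inspect}, expected \"no\""]
              end),
  Control.new('ssh-02', 'Password authentication must be disabled', 0.7,
              'Key-based authentication removes password guessing as a path in.',
              lambda do |t|
                t[:sshd]['passwordauthentication'] == 'no' ? [] : ['PasswordAuthentication is not "no"']
              end),
  Control.new('net-01', 'SSH (22/tcp) must not be reachable from the internet', 1.0,
              'Management ports open to any source are a standing brute-force target.',
              lambda do |t|
                t[:sg].select { |r| world_open?(r, 22) }
                      .map { |r| "rule #{r[:from_port]}-#{r[:to_port]} from #{r[:cidr]}" }
              end),
].freeze

def run_profile(controls, target)
  controls.map { |c| c.evaluate(target) }
end

# Pipeline gate: fail closed on any failing control at or above +threshold+.
def compliant?(results, threshold: 0.7)
  results.none? { |r| r[:status] == :fail && r[:impact] >= threshold }
end

# Human-readable report, so one run serves both auditors and the pipeline.
def report(results)
  results.map do |r|
    line = "[#{r[:status].to_s.upcase}] #{r[:id]} (impact #{r[:impact]}) #{r[:title]}"
    r[:failures].empty? ? line : ([line] + r[:failures].map { |f| "    #{f}" }).join("\n")
  end.join("\n")
end

# Constructed sample state; not taken from any real host or cloud account.
SAMPLE_SSHD_CONFIG = <<~CFG
  # sshd_config (constructed sample)
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
  X11Forwarding no
CFG

SAMPLE_SG_RULES = [
  { direction: 'ingress', protocol: 'tcp', from_port: 22,  to_port: 22,  cidr: '10.0.0.0/8' },
  { direction: 'ingress', protocol: 'tcp', from_port: 443, to_port: 443, cidr: '0.0.0.0/0' },
  { direction: 'ingress', protocol: 'tcp', from_port: 20,  to_port: 25,  cidr: '0.0.0.0/0' },
].freeze

def sample_target
  { sshd: parse_sshd_config(SAMPLE_SSHD_CONFIG), sg: SAMPLE_SG_RULES }
end

if __FILE__ == $PROGRAM_NAME
  results = run_profile(CONTROLS, sample_target)
  puts report(results)
  puts(compliant?(results) ? 'COMPLIANT' : 'NON-COMPLIANT: block the deployment')
end
```

Run with `ruby policy.rb`: the sample host fails ssh-01 (root login permitted) and net-01, the latter because the 20-25 range from 0.0.0.0/0 silently includes port 22, which is exactly the kind of drift a human skimming a spreadsheet of rules tends to miss. The impact threshold is what turns a readable finding into an enforced one: anything at or above it blocks the pipeline, lower-impact findings are reported but do not gate.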
With the use of Policy-as-Code, we get to a point where policy is both human-readable and machine-enforceable, and that is what Progress is bringing to bear with Chef for the cloud environments we all now operate in. As we move towards wider use of as-code frameworks in the software-defined universe of cloud, some organizations may still find the approach something of an acquired taste, but regardless, we can see that Progress Chef wants to offer a recipe for success; just don't ask for extra salt.
Adrian Bridgwater
From: forbes
URL: https://www.forbes.com/sites/adrianbridgwater/2022/09/13/progress-advocates-policy-as-code-approach-for-sharper-secure-it/