
How often do we see a news story about a data breach or system outage caused by human error or by an exploit from an external attacker? If you work in IT for the affected company, the direct and indirect impacts can be significant, and that impact is echoed across the IT industry. Let’s consider a few data points: Splunk’s 2023 State of Security report indicates that the sophistication of attacks is the top challenge for 38% of the survey’s respondents, and that 28% are trapped in a reactive response mode due to high workload demands. IBM’s 2023 Cost of a Data Breach report finds that the average cost of a data breach is 4.45 million USD, a 15% increase over 3 years. Statistics such as these indicate that attacks continue to grow in sophistication and volume, and with them the risk of breaches and their financial impact. The answer here is not slowing down – it is working smarter.

Most companies have spent the past decade modernising and moving business applications and services to the hybrid cloud so they could move faster and be more agile, because today’s demands are greater than ever. Adding to this, nearly every customer I speak to is grappling with the complexity of their environment, with no end in sight as more technologies such as edge and AI are added.

What does this mean for your enterprise-wide AI workloads? You are now processing massive volumes of data on yet more hybrid infrastructure, and you are running, or want to run, AI-based applications that place heavy demands on that infrastructure. This becomes very challenging if management of the solution is not automated: manual processes can bring progress on AI solutions and innovation to a crawl.

Meet compliance needs and inspire operational consistency for mission-critical workloads 

Across this complex environment that now includes AI, you still need to align to internal and external policies to control cost, reduce risk and maintain consistency as you try to stay agile. Internal and external governance, risk and compliance (GRC) management is needed – but automating it is a much smarter approach that will also help you stay agile.

Often, the mission-critical systems that generate revenue for your organization, enhance productivity or control key processes are the ones most affected by internal and external compliance directives. They must remain secure, performant and auditable, with few violations and good remediation processes. All of this takes time and additional work cycles so that every required mandate is addressed. Auditors and assessors also need information, which takes still more time away from building and running critical applications. The end result is frustration for each role on your team and a lack of speed and efficiency from development to test to production.

When it comes to internal and external GRC processes, what if you could:

  • Replace cumbersome and slow manual validation processes with automated and seamless checks that occur before an action is taken.
  • Scale compliance through fast, efficient automated processes.
  • Employ a streamlined experience for your whole team to help them focus on their key responsibilities and improve their overall satisfaction with the process.

Automating with Policy as Code is a best practice that can help you stay in compliance while you also manage complexity, reduce risk and stand up demanding AI and other applications with the speed and agility business stakeholders have come to expect from your teams. With automated Policy as Code, you are better positioned to maintain the strides you have made in hybrid cloud computing while improving your overall GRC posture.

When you have a predictable and seamless capability to apply policies, you will gain more confidence in your technology stack because you are operating more consistently. Skills gaps will have less impact on your operation, and you can reduce human error, which is often where breaches and outages originate. Automating Policy as Code can help you address the productivity drains your teams face.

Automate Policy as Code across the lifecycle

Automating Policy as Code offers a better way: validation and compliance checks become part of the workflow by design rather than a separate manual step. Red Hat Ansible Automation Platform is a common automation platform that customers use to automate within and across IT processes for speed, efficiency, agility and, of course, ROI. It is a highly flexible solution that can automate nearly any IT process you can think of, and this includes automating Policy as Code. Your team can use automated Policy as Code to:

  • Create: Automatically check policy compliance during the development cycle so that it is seamless for developers to create compliant development and test platforms, and so that compliance is built into production environments and code from the start. Make sure your team can apply all applicable policies without time-consuming meetings and manual double-checking.
     
  • Manage: Integrate policy enforcement as needed, for example as discretionary or mandatory policy checks that run before or after an automation job. Receive alerts when a technology in your stack goes out of compliance and/or respond to it automatically. Make sure that cloud and other technology instances meet your configuration specs so you can control costs and maintain a consistent, trusted operating environment. Easily identify the inventory that may be affected by a policy change, then apply the change automatically.
     
  • Scale: Automate reporting and output to audit-related systems, alleviating the overall team burden associated with reporting.

You can automate Policy as Code today by including policies in your Ansible Playbooks. These can run manually or through automation controller. When you add Event-Driven Ansible (part of Ansible Automation Platform), you can automate the end-to-end response: for example, when your observability or monitoring tool flags that a system has drifted from a policy, an Ansible Rulebook can raise an alert and/or remediate the drift, at your discretion.
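
As an added example (not code from the original post or from Red Hat), the rulebook below shows what the event-driven response just described can look like, and it is also the shape of the monitoring-and-enforcement step discussed later in the preparation list. The webhook source, the alert payload fields (`policy`, `status`, `host`, `port`, `detail`), the playbook path and the job template name are all illustrative assumptions; a real deployment would match whatever your monitoring tool emits.

```yaml
---
# Added example (not from the original post): an Event-Driven Ansible
# rulebook that turns a monitoring alert into an automatic response.
# The webhook source, the alert payload fields (policy, status, host,
# port, detail), the playbook path and the job template name are all
# illustrative assumptions.
- name: Respond to policy drift reported by a monitoring tool
  hosts: all
  sources:
    # The monitoring tool POSTs a JSON alert to this endpoint (assumed).
    # In production, put it behind TLS and authenticate the sender before
    # letting an inbound message trigger a change on your estate.
    - ansible.eda.webhook:
        host: 0.0.0.0
        port: 5000

  rules:
    # Mandatory policy: an open port that is not on the allow list is
    # closed immediately, with no human in the loop.
    - name: Close a port that violates the firewall policy
      condition: >-
        event.payload.policy == "firewall_allowed_ports" and
        event.payload.status == "violation"
      action:
        run_playbook:
          name: playbooks/remediate_firewall.yml
          extra_vars:
            target_host: "{{ event.payload.host }}"
            offending_port: "{{ event.payload.port }}"

    # Discretionary policy: baseline drift is only reported; a person
    # decides whether and when to remediate.
    - name: Notify the team about configuration drift
      condition: >-
        event.payload.policy == "baseline_config" and
        event.payload.status == "violation"
      action:
        run_job_template:
          name: Notify on drift
          organization: Default
          job_args:
            extra_vars:
              drift_host: "{{ event.payload.host }}"
              drift_detail: "{{ event.payload.detail }}"

    # Alerts that carry no policy name are logged so they are visible
    # rather than silently dropped (condition does not overlap the above).
    - name: Log alerts that name no policy
      condition: event.payload.policy is not defined
      action:
        debug:
          msg: "Unhandled alert: {{ event.payload }}"
```

The split between the two rules is the point: which policies are mandatory (auto-remediate) and which are discretionary (notify and wait) is itself a policy decision, and keeping it in the rulebook makes it reviewable and versioned like any other code. The playbook `playbooks/remediate_firewall.yml` and the job template `Notify on drift` are assumed to exist; the rulebook is started with `ansible-rulebook --rulebook <file> --inventory <inventory>` (or as a rulebook activation in automation controller).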

Preparing for fully automated Policy as Code

This all sounds great, but how do you get there at scale and across your organization? Here are a few ways you can prepare:

  • Expand your use of automation. How many of your teams (network, cloud, infrastructure, security, application development, SRE, etc.) are using a single, consistent automation platform? When you have expanded enterprise use of automation, you can automate within and across domains so that the policies are aligned across the full technology stack. The idea is to have a broad automation footprint on which you can then implement automated Policy as Code for mission-critical workloads or applications.
  • Modularize and centralize automation in an “as Code” model. Can your policies be written in a vendor-agnostic way so they can be centralized and then applied to specific vendor solutions or included in Ansible Playbooks or Ansible Rulebooks? Identify a central repository for storing the standard configuration files, playbooks and other automation assets you wish to use consistently. This is an Infrastructure as Code and/or Configuration as Code model, and it gives you a more organized base on which to add Policy as Code automation.
  • Assess your automated compliance needs and align your team. Identify critical compliance and security requirements you must meet, then set a roadmap that includes key milestones and objectives. Gather your team and create a shared understanding of objectives, benefits, roles and responsibilities. Prepare for operations, for example, all policies are implemented and tested before they are used in a deployment workflow.
  • Think ahead to monitoring and enforcement. Once your critical applications and workloads are live, determine how you will monitor and respond to violations of policies. One option is to use event-driven automation to respond immediately and without manual intervention to a security risk or a changed configuration that results in a risk. 
  • Appoint an automation community of practice leader. Red Hat has recommended this approach for many years to grow and expand the use of automation. This leader can address automation in general and also help you get automation up and running for automated Policy as Code. The Automation Architect’s Handbook will give you some ideas to help you organize your internal community. 

Getting started with Policy as Code: a start small, think big approach

No matter where you are on your journey, automated Policy as Code can help with GRC. Since compliance requires you to cover the full technology stack that supports your application, think about expanding automation and getting to the point where you are automating from a single source of truth. If you are not at this point yet, you can still automate policies, but they are likely to be more internal in nature (e.g., a specific version of Linux must have specific security policies applied in order to run in your environment).

The overall Red Hat approach is to start with simple use cases and grow in scope and sophistication from there. Policy as Code can be implemented in this way. For example, your use cases may be:

  • Gathering an inventory report on systems that are not aligned to a specific policy.
  • Applying a runtime policy such as “a firewall may only be opened on a specific port”.
  • Creating cloud instances no bigger than a specific size to control cloud costs.
  • Refusing to automate a change on a given server unless the server is in a maintenance window.

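The simple use cases listed above, together with the earlier idea of running policy checks before an automation job, can be expressed directly in a playbook. The following is an added example, not code from the original post or from Red Hat: the policy is plain data in `vars`, the checks run as `pre_tasks` with `ansible.builtin.assert` so the play fails closed before any change is made, and a second play only reports. The host group, ports, maintenance window and vCPU cap are illustrative assumptions.

```yaml
---
# Added example (not from the original post): policy checks that gate a change.
# Policy values are data; in practice they would be loaded from a central
# repository (e.g. with ansible.builtin.include_vars) rather than set here.
# Host group, ports, window hours and vCPU cap are illustrative assumptions.
- name: Open a service port only if the request passes policy
  hosts: webservers
  become: true
  gather_facts: true

  vars:
    # Policy: only these TCP ports may be opened on this host group
    policy_allowed_ports: [80, 443]
    # Policy: changes only inside the maintenance window (managed host local hour, 24h clock)
    policy_window_start: 2
    policy_window_end: 5
    # Policy: instance size cap, to control cloud cost
    policy_max_vcpus: 8
    # The requested change; normally supplied as extra-vars or a survey answer
    requested_port: 443

  pre_tasks:
    - name: Policy check - requested port must be on the allow list
      ansible.builtin.assert:
        that:
          - requested_port | int in policy_allowed_ports
        fail_msg: "Port {{ requested_port }} is not in the allowed list {{ policy_allowed_ports }}"
        success_msg: "Port {{ requested_port }} is allowed"

    - name: Policy check - run only inside the maintenance window
      ansible.builtin.assert:
        that:
          - ansible_facts.date_time.hour | int >= policy_window_start
          - ansible_facts.date_time.hour | int < policy_window_end
        fail_msg: >-
          Outside the maintenance window
          ({{ policy_window_start }}:00-{{ policy_window_end }}:00 on {{ inventory_hostname }});
          no change will be made

    - name: Policy check - instance must not exceed the size cap
      ansible.builtin.assert:
        that:
          - ansible_facts.processor_vcpus | int <= policy_max_vcpus
        fail_msg: "{{ inventory_hostname }} has {{ ansible_facts.processor_vcpus }} vCPUs; policy cap is {{ policy_max_vcpus }}"

  tasks:
    # Only reached on a host where every pre_task assertion passed
    - name: Open the requested port
      ansible.posix.firewalld:
        port: "{{ requested_port }}/tcp"
        permanent: true
        immediate: true
        state: enabled

# Inventory report: evaluate the same policy but record the result instead
# of stopping the run, so a single pass lists every out-of-policy host.
- name: Report hosts that are out of policy (makes no changes)
  hosts: webservers
  gather_facts: true
  vars:
    policy_max_vcpus: 8
  tasks:
    - name: Evaluate the size policy without failing the play
      ansible.builtin.assert:
        that:
          - ansible_facts.processor_vcpus | int <= policy_max_vcpus
        fail_msg: "{{ ansible_facts.processor_vcpus }} vCPUs exceeds the cap of {{ policy_max_vcpus }}"
        quiet: true
      register: policy_result
      ignore_errors: true

    - name: Flag this host for the audit report
      ansible.builtin.debug:
        msg: "OUT OF POLICY: {{ inventory_hostname }} - {{ policy_result.msg }}"
      when: policy_result is failed
```

Run it with `ansible-playbook -i <inventory> policy_gate.yml` (the `ansible.posix` collection must be installed for the firewalld task). Changing `requested_port` to 8080, or running outside 02:00-05:00 on the managed host, makes the first play stop at the failing assertion with the policy message and never reaches the firewalld task, which is the fail-closed behaviour you want from a pre-action check; the second play shows the complementary pattern for the inventory report use case, where a violation is recorded rather than blocking.
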
Once you are able to implement simple use cases around Policy as Code, you can extend to a higher number and more sophisticated ones.  

Now that you have learned the Red Hat viewpoint on automated Policy as Code, I hope you give some consideration to this area and how you can use it to ease tedious and time-consuming processes. I will close by reminding you that Ansible Automation Platform is highly flexible. Once you know what you would like to implement, this platform excels at taking the actions you desire, including when it comes to Policy as Code. The best is yet to come in making Policy as Code a simpler and smarter way to work across your lifecycle.  


About the author

Richard is responsible for the Ansible Automation Platform strategy. He has more than 16 years of experience in financial services IT across a range of operational, design and architecture roles. Having been an Ansible customer before joining the Red Hat team, he brings a customer-focused viewpoint to complement the strong engineering capabilities of one of the most popular open source projects.
