Developments in automation and orchestration of IT systems have been steadily changing in the past decade. There has been a shift from manual to automated management across several dimensions—including server configuration, networking, and even business processes. One key area where automation is playing an increasingly important role is compliance.
When it comes to policy and compliance, automation comes in the form of policy as code and compliance as code.
What is policy as code?
Policy as code represents policies in a machine-readable format, typically as a high-level declarative language in files you can manage alongside application code files. This approach enables policies to be centrally managed, versioned, reviewed and validated using the same tools and processes as for application code.
While a policy is a set of codified rules that define how you should conduct IT operations and processes, policy as code can take the form of security controls, code reviews, compliance cheques, deployment procedures, and so on.
Policy as code tools use three inputs:
- Policy: The code cheques whether a software release follows policy, regardless of what policy it is.
- Data: Information about a continuous integration and continuous delivery (CI/CD) tool, service, or Kubernetes configuration, for example.
- Query input: The input triggers the check, which uses the policy and data to confirm policy adherence.
Policy as code focuses primarily on security policies, ensuring code is clear of known vulnerabilities before hitting production. This approach presents a few advantages:
- It lets you enforce your policies without manual evaluation, ensuring that everyone in your organisation follows them and minimising delays.
- The automation can apply to earlier stages of software development, catching potential policy violations to fix early on.
- Policy as code also enables the uniform application of policy across disparate teams and processes.
Policy as code makes it easy to audit your policies since everything is already in a central place. However, it can be tricky to set up and maintain—especially if you have a lot of rules.
What is compliance as code?
Compliance as code takes the same approach one step further for its purpose. Instead of codifying policies directly, it relies on external tools and services to check for compliance with industry standards. Instead of humans manually verifying that systems comply with regulations (a process that is often error-prone and inefficient) or manually patching together multiple policies as code to reach compliance goals, this task is automated and uses tools and technologies that are already part of the DevOps toolchain. Compliance as code treats compliance requirements as code, which you can manage, version, and automate along with the rest of the software development process.
This enables compliance to be a first-class citizen in the overall DevOps process. You don't have to worry about maintaining the code yourself, and you maintain compliance from step one. You take all the advantages of policy as code and add the benefit of automatic updates to relevant external standards.
In exchange, you rely on external tools and services being up to date. Some of these include additional cloud solution-specific services, automated configuration management tools, and various others required for every phase of compliance as code. Additionally, compliance as code can be more expensive than policy as code since you often need to pay for licences or subscriptions for these external services. Alternatively, you can determine whether your cloud provider offers its own tool.
Similarities and differences between policy as code and compliance as code
There’s a lot of overlap between policy as code and compliance as code, but there are key differences—the most notable being that compliance as code focuses on enforcing regulatory requirements, while policy as code can enforce any type of organisational policy.
While often used to maintain compliance, policy as code differs from compliance as code in that it’s concerned with implementing guardrails to ensure adherence to individual policies. On the other hand, compliance as code takes the broader perspective of continuously monitoring for compliance and providing steps for automated remediation should issues arise.
Another distinction is that compliance requires auditing and reporting, while you don’t necessarily have to audit a policy or report on it for adherence to an external standard. Finally, compliance failures can result in fines or other penalties, while policy failures generally don’t come with such severe consequences.
You can really see the difference when these apply to an organisation. You can undoubtedly use policy as a code to enforce compliance by triggering queries to check if your code base complies with external standards. That requires, however, that you manually keep track of relevant external standards in the first place and then diligently configure your policy as code to match up-to-date standards every time there are changes. Compliance as code performs that missing step automatically—and that’s undoubtedly a boon for companies in highly regulated industries with strict compliance standards such as:
- General Data Protection Regulation (GDPR)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI-DSS)
- The framework for information security management systems (ISO 27001)
Tools for implementing policy as code and compliance as code
For policy as code, there’s the Open Policy Agent, which allows you to implement policy as code in any domain.
The Open Policy Agent or OPA (typically pronounced oh-pah) implements a general-purpose policy engine by writing policies as a collection of rules in a programming language called Rego. OPA is popular in distributed microservices architectures, but you can use it in practically any application. It also serves as a Kubernetes API admission controller, usually integrated using an OPA Gatekeeper. Instead of closely coupling policy validation into an application's codebase, you can delegate the task to OPA.
The Compliance as Code tool offers general-purpose security. Companies can leverage it as a foundation upon which they can collaborate and develop additional capabilities. The compliance as code tool traces its origins from a collaboration of commercial vendors and government agencies to improve the accessibility of the Security Content Automation Protocol (SCAP). Since its founding over a decade ago, the Compliance as Code tool has grown to include the Payment Card Industry (PCI), Data Security Standards (DSS), and the Centre for Internet Security (CIS) standards, amongst other commercial security profiles. It has also evolved to accommodate automation tooling.
Trend Cloud One – Conformity runs scans in real-time against numerous best-practise cheques, and its support for custom rules and filters helps organisations reach their risk and compliance goals in the cloud. It also scans infrastructure as code to ensure secure and compliant templates are deployed according to best practises. Integrated into your CI/CD pipeline with powerful APIs, Conformity alerts on configuration changes for immediate action.
Of course, several cloud providers offer their own compliance as code tools, such as AWS Config for Amazon Cloud Service, Azure Policy for Azure, Cloud Asset Inventory for Google Cloud, and HashiCorp Sentinel for Terraform.
Automating a policy and compliance as code implementation
You often see policy as code used in infrastructure provisioning (like infrastructure as code), auditing, and Kubernetes controls, where it automates policy cheques and enforces them in CI/CD pipelines.
Compliance as code performs many of the same compliance cheques that policy as code does, except it’s based on external standards like GDPR and HIPAA. It allows compliance to be first-class citizens of a DevOps process and enables the involvement of compliance cheques and audits early on in a CI/CD pipeline. It closes a considerable compliance knowledge gap through automated compliance checkers and lets audits become more agile.
Policy as code and compliance as code can work together in a two-pronged approach—you don't need to choose one over another. While functionally similar, the former enforces policies while the latter monitors and remediates compliance issues. For companies operating in highly regulated spaces, using both is ideal.
Policy as code is concerned with encoding policies in a matter that can be enforced by code. Whereas compliance as code takes a broader perspective of continuously monitoring for compliance and providing steps for automated remediation should issues arise.
Policy as code and compliance as code can work together to ensure effective compliance. This gives you a two-pronged approach to monitoring enforcing policies and enforcing them. It also gives you the ability to remediate any policy or compliance issues that might arise quickly.