Why Policy-as-Code is the Best Way to Streamline Authorization
Automating essential but tedious tasks is one of the most significant benefits of cloud computing. There have been many attempts to automate authorization processes over the years, but finally, it appears one burgeoning effort is beginning to gain traction.
According to a survey released by cloud-native authorization provider Styra, Inc., 94% of those respondents who currently manage authorization and compliance within their organization agreed that policy-as-code is vital for their organization’s preventative security and compliance objectives.
Essentially, policy-as-code is a way to codify policies so that they can be programmed and automated. Typically, there is a policy engine that holds created policies and processes them on demand. Policy-as-code can be used for everything from automated software security testing, controlling mesh architectures, managing authorization in a cloud-native stack and more.
Authorization Challenges
In Styra’s survey of 285 developers and technical decision-makers, more than two-thirds of respondents reported “major flaws” in their current homegrown authorization methods, including trouble with efficiency, security and application performance. A full 83% said they planned to increase their investments in policy-as-code to improve their situation.
“The biggest challenge, by far, is auditing access,” Chris Hendrix, Styra director of product management, told Security Boulevard. Additional challenges, according to respondents to Styra’s survey, included a lack of alignment between teams (34%), a lack of visibility into authorization (31%), and a lack of consistent or centralized policy development (29%).
While most respondents suffered no single authorization challenge, challenges implementing authorization do abound, especially for developers. At 34%, the “lack of alignment” between development teams was the most common challenge cited. Other significant challenges were a lack of visibility into authorization implementation, enforcement, monitoring and reporting among 31% of respondents. Also, a lack of consistent or centralized policy development and management life cycle (29%), difficulty meeting security, compliance, and auditability requirements (29%) and difficulty managing policies at greater scale or complexity.
Policy-as-Code on the Rise
While the survey strongly supported policy-as-code, its actual adoption is just getting off the ground. Fifty-one percent of respondents currently using policy-as-code said they have only adopted it in the last two years. And only 30% of those who use policy-as-code are doing so significantly. Finally, as with manual authorization challenges, implementing policy remains challenging; 52% of those who have implemented policy-as-code said they had difficulty writing efficient policies as code.
The benefits of policy-as-code were almost universally accepted, with 95% of respondents who said that policy-as-code was a valuable way to streamline authorization, 96% that it speeds up time-to-market and 91% who agreed that policy-as-code makes work easier for developers.
Still, policy-as-code takes time to adopt correctly. “You have to learn completely new best practices, new tools and new patterns,” Hendrix said.
However, over time, there’s a payoff, Hendrix contended. “Policy-as-code allows you to standardize the mechanism by which you ingest data and write policy and authorization rules. And one of the beautiful things with policy as code is that the same code language for infrastructure works with applications and organizations can share their policies across the organization,” Hendrix said.