Using Policy-as-Code in a Zero Trust Architecture
Many people know Policy-as-Code (PaC) as a way to automate security policy in Infrastructure-as-Code solutions. However, some PaC tools are more general-purpose than that, and can be used in Zero Trust implementations as well. Here are some possibilities:
APIs
For externally facing APIs, Policy-as-Code tools can provide the Policy Decision Point (PDP) implementation. Policy logic is more versatile than classic Role-Based Access Control (RBAC), which allows PaC solutions to handle more complex requirements, such as caller location, time of day, value thresholds and other contingencies.
Microservices
As with APIs, microservices can delegate their policy decisions to Policy-as-Code tools. PaC logic can include rules governing the relationships between services (can service X call service Y?) as well as each service's relationship to back-end resources.
Legacy Access Overhaul
Adapting legacy applications that currently use RBAC or other strategies for access to a Zero Trust model can be a daunting task. In many cases, Policy-as-Code solutions can be “surgically” installed into the legacy application to replace the existing access strategy, without any other changes to the application. The Zero Trust implementation team can then make the required changes within the PaC rules, and the legacy application will generally not need significant additional changes.
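The three scenarios above (an API Policy Decision Point with contextual rules, service-to-service call rules, and a legacy application whose in-code role check is swapped for a PDP query) can all be demonstrated with one small PDP. The code below is an added example for this article, not the article's own code and not the API of any particular PaC product; the policy data, rule names, the `Request`/`Decision` types and the in-memory `DECISION_LOG` are all constructed for illustration.

```python
"""Minimal Policy Decision Point (PDP) for a Zero Trust setting.

Added example, not from the original article. The policy data and rule
set below are hypothetical; a real deployment would load policy from a
PaC tool and ship decisions to a central log instead of a Python list.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# --- Policy data (constructed for this example) ---------------------------
POLICY = {
    "allowed_countries": {"US", "CA"},
    "business_hours_utc": (8, 18),            # transfers permitted 08:00-17:59 UTC
    "transfer_limit_by_role": {"teller": 5000, "manager": 50000},
    "service_graph": {                        # which service may call which
        "checkout": {"inventory", "payments"},
        "payments": {"ledger"},
    },
}


@dataclass(frozen=True)
class Request:
    subject: str                 # user or service identity
    action: str                  # e.g. "transfer", "call", "read"
    resource: str                # account id, service name, ...
    roles: frozenset = frozenset()
    context: dict = field(default_factory=dict)   # amount, country, time, ...


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# --- Rules: each returns a Decision or None ("no opinion") ----------------
def rule_country(req, policy):
    country = req.context.get("country")
    if country is not None and country not in policy["allowed_countries"]:
        return Decision(False, f"country {country} not allowed")
    return None


def rule_business_hours(req, policy):
    if req.action != "transfer":
        return None
    when = req.context.get("time", datetime.now(timezone.utc))
    start, end = policy["business_hours_utc"]
    if not start <= when.hour < end:
        return Decision(False, f"transfer outside business hours ({when.hour:02d}:00 UTC)")
    return None


def rule_transfer_threshold(req, policy):
    if req.action != "transfer":
        return None
    limits = policy["transfer_limit_by_role"]
    limit = max((limits[r] for r in req.roles if r in limits), default=0)
    amount = req.context.get("amount", 0)
    if amount > limit:
        return Decision(False, f"amount {amount} exceeds role limit {limit}")
    return Decision(True, f"amount {amount} within role limit {limit}")


def rule_service_call(req, policy):
    """Service-to-service rule: may req.subject call req.resource?"""
    if req.action != "call":
        return None
    if req.resource in policy["service_graph"].get(req.subject, set()):
        return Decision(True, f"{req.subject} may call {req.resource}")
    return Decision(False, f"{req.subject} may not call {req.resource}")


RULES = [rule_country, rule_business_hours, rule_transfer_threshold, rule_service_call]
DECISION_LOG = []   # stand-in for a central decision sink (constructed)


def decide(req, policy=POLICY, rules=RULES):
    """Default deny: any denial wins; otherwise at least one rule must allow."""
    results = [d for d in (r(req, policy) for r in rules) if d is not None]
    denials = [d for d in results if not d.allow]
    if denials:
        decision = denials[0]
    elif results:
        decision = results[0]
    else:
        decision = Decision(False, "no rule permits this request (default deny)")
    # Every decision is recorded so audits can work from one central record.
    DECISION_LOG.append(json.dumps({
        "subject": req.subject, "action": req.action, "resource": req.resource,
        "allow": decision.allow, "reason": decision.reason,
    }))
    return decision


def legacy_transfer(req):
    """A legacy call site. The original 'if "manager" not in roles: raise'
    check is replaced by a single PDP query; nothing else changes."""
    decision = decide(req)
    if not decision.allow:
        raise PermissionError(decision.reason)
    return f"transferred {req.context['amount']} from {req.resource}"
```

Two design choices matter here: the evaluation is default-deny, so a request nobody has written a rule for is refused rather than silently passed, and each rule returns "no opinion" when it does not apply, which keeps the API, microservice and legacy cases on one rule set instead of three.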
Other Benefits
Once you start using Policy-as-Code tools as part of your Zero Trust implementation, you’ll gain some additional benefits:
Faster Changes
When the ZT policies need to change, it can be done by the Zero Trust team, instead of needing the development team to prioritize it in their existing schedule.
Consistent Implementations
When a single PaC solution supports multiple services and systems, the rules can be shared, which reduces the chances of misconfiguration.
Better Visibility
The decisions made by the PaC solution can be captured centrally, allowing audits and security reviews to happen faster and from a single, more comprehensive record.
Reduced Fragility
Some Zero Trust solutions are centralized, which can hurt both performance (because every decision incurs network latency) and robustness (because the Zero Trust solution becomes a single point of failure).
PaC solutions can instead be distributed to run alongside the systems they support, so decisions are both fast and resilient to the failure of any one component.
Thanks
Thank you for reading this far. If you have any feedback, or interesting challenges you’d like to discuss, I’d love to hear about it. You can reach me at: johnbr@paclabs.io