Using Policy-as-Code in a Zero Trust Architecture

Many people know about Policy-as-Code as a way to automate security policy in Infrastructure-as-Code solutions. However, some PaC tools are more generalized than that, and can be used in Zero Trust implementations as well. Here are some possibilities:

APIs

For externally facing APIs, Policy-as-Code tools can provide the Policy Decision Point implementations. Policy logic is more versatile than classic Role-Based access, which allows PaC solutions to support more complex challenges, such as location, time of day, value threshholds and other contingencies.

Microservices

Similar to the APIs, Microservices can delegate their policy decisions to Policy-as-Code tools. PaC logic can include rules managing the relationship between different services (can service X call service Y) and the relationship to back-end resources.

Legacy Access Overhaul

Adapting legacy applications that currently use RBAC or other strategies for access to a Zero Trust model can be a daunting task. In many cases, Policy-as-Code solutions can be “surgically” installed into the legacy application to replace the existing access strategy, without any other changes to the application. The Zero Trust implementation team can then make the required changes within the PaC rules, and the legacy application will generally not need significant additional changes.

Other Benefits

Once you start using Policy-as-Code tools as part of your Zero Trust implementation, you’ll gain some additional benefits:

Faster Changes

When the ZT policies need to change, it can be done by the Zero Trust team, instead of needing the development team to prioritize it in their existing schedule.

Consistent Implementations

When a single PaC solution supports multiple services and systems, the rules can be shared, which reduces the chances of misconfiguration.

Better Visibility

The decisions made by the PaC solution can be captured centrally, allowing audits and security reviews to happen faster and with a more comprehensive single presentation

Reduced Fragility

Some Zero Trust solutions are centralized, which can impact both performance (because of network latency) and robustness (because the Zero Trust solution becomes a single point of failure).

PaC solutions can be distributed out to reside with the systems they support, so they are both fast and robust.

Other Articles

How Policy-as-Code can save you Time and Money

John Brothers

·

October 3, 2023

For people familiar with Policy-as-Code, the benefits in terms of security compliance are well-known. What might be less obvious is that an architecture that includes PaC can also reduce the need for (expensive) IT/Developer time in support of security requirements, and potentially reduce licensing costs as well. Here are some ways that Policy-as-Code c…

Read full story

The Five Main Uses of Policy-as-Code (So far)

John Brothers

·

October 3, 2023

I was chatting with someone about Policy-as-Code, and what it was good for. I listed off three things, but then while I was talking to him, I realized that there were five that came to mind. Infrastructure-as-Code Hygiene Zero Trust Architecture Implementation

Read full story

Thanks

Thank you for reading this far. If you have any feedback, or interesting challenges you’d like to discuss, I’d love to hear about it. You can reach me at: johnbr@paclabs.io