In recent times, the quest for greater agility, faster releases, enhanced scalability, security and performance brought forth the advent of several automation tools, technologies and frameworks. Software development has evolved considerably over the years to mitigate these challenges.
Monoliths have been split into microservices for improved scalability, maintenance and faster releases. Since DevOps is adept at bridging the gap between development and operations teams, now these two teams can work together to improve productivity and speed up release cycles.
The Need for Compliance
One of the critical strategies for business success is to stay compliant since processes are always improving and evolving. Compliance ensures that your DevOps processes and practices are consistent and meet regulations or regulatory standards.
An organization with a compliance-driven DevOps culture can cut down on operational costs, improve efficiency and reduce risks considerably.
What is Declarative Compliance?
Declarative compliance is defined as the process of managing and enforcing compliance in which policies are defined using code, and the system’s desired state is declared rather than explicitly programmed. To enforce compliance policies, you don’t write scripts or programs; instead, you use a high-level language or configuration file.
Declarative Compliance provides several benefits:
- Increased efficiency
- Better managed compliance
- Minimized risk of human errors
- Enhanced security
- Faster deployment
- Better collaboration
With declarative compliance tools, the system’s state is defined as a set of policies, and the tool makes sure it matches the desired state. The tool will automatically fix anything out of compliance, bringing the system back into compliance if there’s a deviation.
Tools for Declarative Compliance
Some of the popular declarative compliance tools are:
- Open Policy Agent (OPA)
- Terraform
- Kubernetes Policy Controller
- Chef Compliance
- AWS Config
Declarative Compliance for Infrastructure and Application Deployment
Often, declarative compliance is used in infrastructure management and application deployment, where policies are written as code and enforced across multiple environments. In addition to managing compliance at scale, declarative compliance tools ensure that the system’s desired state stays consistent across multiple systems and applications over time.
With declarative compliance, organizations can manage compliance more efficiently, effectively and securely since they can define policies as code and enforce them automatically. In addition to reducing errors, downtime and security breaches, this approach enables organizations to stay compliant and maintain their system consistently.
Introduction to Policy-as-Code
A policy-as-code approach allows you to write programs that govern security, compliance and rules throughout your application’s life cycle. It entails defining and applying code to manage and automate policies. It shares the same ideas as infrastructure-as-code (IaC) and other DevOps practices like continuous integration and continuous delivery (CI/CD).
A policy enforces constraints and restrictions to prevent unauthorized access to resources such as databases, storage, services, etc. By codifying policies, you can enforce rules and constraints throughout the development life cycle to prevent non-conforming resources from being deployed by integrating these policies into the software development life cycle.
Figure 1: Policy-as-Code at work!
Why Policy-as-Code?
Typically, businesses have the required processes, tools and procedures to guarantee the deliverable’s quality. Performance, scalability, ease of use and accuracy are typical quantifiable quality metrics used to ascertain the quality.
You can examine the quality of your application using these metrics, but a manual procedure will take time and is prone to mistakes. A better alternative is to leverage policy-as-code.
The traditional policy enforcement processes have certain drawbacks. It is challenging to perceive that your policies would be entirely adhered to, i.e., they will not be broken. It is cumbersome to check against a list of policies manually.
Moreover, the traditional policy enforcement method cannot scale in today’s agile world, where organizations have been growing continuously with more and more employees, services and teams.
Here are the key benefits of policy-as-code at a glance:
- Faster and more efficient deployments
- Automated governance, approvals and policy enforcement
- More reliable and secure applications
- Centralized policy management
- Leverages version control
- Better visibility of policies
- Enhanced collaboration
How Does it Work?
Policy-as-code involves three key elements:
- The policy itself, which contains the required code to model the decision-making process
- The data and information about the environment, service or application
- The query that is responsible for triggering the decision-making process
Here’s how policy-as-code works:
- Policies are defined as code in a human-readable format
- These policies are then translated into machine-readable code using Rego or HCL
- The policies are integrated with the IaC pipeline
- A policy engine evaluates the infrastructure and the application resources against these policies
- The policy engine accepts the policies as input, processes them and then produces a query result
- The policy engine reports violations (if any) to the respective stakeholders, such as the development or security teams
- If violations are reported, the necessary remediation is performed automatically or manually
Types of Policies
- Security policies: Security is enforcing adequate technological controls to safeguard company assets.
- Compliance policies: Compliance policies are designed to help organizations adhere to governance standards. Typical examples include PCI DSS, GDPR, HIPPA, etc.
- Operational excellence: This encompasses policies pertaining to service degradation or interruption.
What is GitOps? How can GitOps Help With Compliance?
GitOps is a subset or extension of DevOps encompassing a collection of practices that can simplify deployments using Git. It is an operating model for cloud-native applications that leverages Git as a single source of truth for declarative applications and infrastructure. Using GitOps, you can implement a standardized policy-as-code approach across your CI/CD and GitOps pipelines.
The key principles of GitOps are:
- The state of the system is captured and stored in a Git repository
- The entire system is configured declaratively
- Automated deployment
You can create policies in Git and store them in a particular repository, which is essential since Git offers sophisticated change management tools like version control. Only the compliance team would have admin access to the repository.
It’s easy to enforce policies with Git, and you can apply them to any execution engine, like CI or CD. With GitOps, you can audit and document every action that affects data consumption.
You can expose system changes, optimize deployment and use a version-controlled infrastructure. By managing compliance with GitOps, you can make sure that the changes are visible, verifiable and auditable.
Figure 2: GitOps at work!
Using GitOps as the Execution Engine in a GitOps Process
There are several benefits to using GitOps as a process execution engine, including:
- Increased automation: GitOps automates software delivery, reducing manual intervention and increasing deployment accuracy and speed.
- Better transparency: GitOps records all changes to the system in a transparent and auditable way so that you can track compliance easily.
- Maintaining consistency: GitOps keeps the system in the desired state defined in the Git repository, reducing non-compliance risk.
- Fosters collaboration: All changes to the system are made through the Git repository, so GitOps encourages collaboration across teams.
Using Policy-as-Code and GitOps: Policy-Based Compliance
By using GitOps and policy-as-code, teams can manage compliance-as-code in an auditable, declarative way and enforce it via GitOps, ensuring that the desired state is always maintained. This can help your teams to codify compliance requirements as code, store them in version control and automatically enforce them through GitOps.
Organizations can improve the consistency and reliability of their systems by defining and enforcing compliance requirements using policy-as-code and managing their deployment processes with GitOps. While this can minimize compliance violations, it can also maximize efficiency.
By following policy-based compliance declaratively, businesses can define policies as code and enforce them automatically and repeatedly. By adopting such an approach to compliance management, you can better manage compliance in complex systems in a consistent, scalable, agile, transparent and collaborative manner.
For example, you can leverage policy-as-code to define policies for infrastructure provisioning and configuration management to ensure that the infrastructure complies with organizational policies and industry standards. Typical examples are defining policies for network configuration, access control and resource allocation.
Use Cases: Using Policy-as-Code and GitOps in a Production Environment
Infrastructure Provisioning
Open Policy Agent (OPA) can define policies for infrastructure resources like AWS Elastic Compute Cloud (EC2) servers. You can use GitOps to manage the deployment of infrastructure resources by storing IaC files in a Git directory. When the IaC files are changed, GitOps is adept at automatically deploying the changes while OPA checks for policy compliance.
Deployment
You can use policy-as-code tools such as OPA to create application deployment policies requiring specific security settings, while GitOps manages the application deployment by storing manifests.
Manage Kubernetes Clusters
You can leverage policy-as-code to better manage your Kubernetes clusters. So, you can write your code to define policies to manage Kubernetes resources, such as nodes, pods, clusters, etc., declaratively.
Compliance Management
You can use policy-as-code to establish and implement rules and regulations, such as those pertaining to security, to help businesses ensure that their systems comply with industry regulations and standards.
OPA can be used to set compliance policies, like restricting access to sensitive data to authorized users only. You can use GitOps to manage the deployment of compliance policies seamlessly.
Trusted Delivery: Policy-as-Code Integrated With GitOps Workflows
Trusted application delivery is a software delivery approach emphasizing security and trust in the software supply chain. This ensures that any software delivered to the clients is devoid of security flaws, malicious code and other attacks.
This approach prioritizes security and trust at the development, testing, packaging and deployment stages and integrates security and compliance checks into the GitOps pipelines. This quality check reassures clients about the product’s quality and ensures that any modifications adhere to predetermined rules and principles.
Trusted application delivery allows for quick deployment while securing apps with automated guardrails. These guardrails are implemented using policy-as-code. By enforcing these guardrails, you encourage frequent deployments while ensuring that the reliability and security of the application are not compromised.
Conclusion
Declarative compliance with policy-as-code and GitOps is a best practice for achieving greater compliance, reliability and agility in software development and deployment processes. You can simplify defining and enforcing compliance policies using declarative configuration files and automation tools. Using Git as the single source of truth for all configuration changes, an organization can achieve greater efficiency, visibility and auditability in the compliance process.