Policy-as-Code in the new cloud matrix

As we now build the cloud-native era of virtualised and abstracted architectures that run from datacentres to desktops and through the middle-ground network mesh of interconnectivity that joins every node and endpoint together, we can control cloud infrastructure and system health through policy-as-code.

In cloud, we build with code, of code and as-code. That truism obviously holds outside of cloud computing and predates any notion of cloud datacentre virtualisation. Software application development has always relied upon a core construction process where code is built, tested and deployed, but the way we talk about various digital entities as-code has evolved in cloud. This is largely as a result of the move to abstract every working element of the new IT stack as a software-based device, driver or dataset.

Figuring out misconfigurations

If there is a buzzword surrounding the global cloud advocate and evangelist community right now, then it is either hyperautomation or misconfiguration. Leaving the much-hyped area of hyperautomation aside for now, let’s think more practically about cloud misconfiguration.

Analyst house IDC estimates that some 67% of breaches in the cloud are caused by misconfigured applications or infrastructure. Clearly this means that while security remains a core concern for companies adopting cloud-native technologies, the need to control clouds in a more policy-enforced fashion is critical.

Thankfully, the as-code suffix convention doesn’t let us down on this front. Policy-as-code has emerged as one of the key drivers locking down cloud security and solidity in the modern era.

What is policy-as-code?

Using software tools such as Terraform or Nomad, organisations can stipulate that software application mechanics and behaviour must adhere to policy rulings that denote an application’s or data service’s status and stance in relation to compliance, operational excellence and security as a whole.

By building software code capable of creating system alerts and flags that inform when a policy breach has occurred, policy-as-code is able to enforce compliance with external standards, which could include Sarbanes-Oxley, GDPR or perhaps the Payment Card Industry Data Security Standard (PCI DSS).

Operational excellence policy might cover aspects of system operation health that can lead to service outages or degradation. Core security policy-as-code stipulations could be constructed to ensure when and where a defined app (or set of applications) can be exposed to specific ports and connections on the internet.
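The two kinds of rule described above (a security rule about internet exposure of ports, and an operational rule about required metadata) are easiest to understand as a small policy engine run over a planned infrastructure change before it is applied. The following is an added example written for this article; it is not code from Terraform, Nomad, Weaveworks or Magalix. It assumes a plan document loosely shaped like Terraform’s JSON plan output (a `resource_changes` list whose entries carry a `change.after` state), and the policy names, the allowed-port list and the sample plan are all constructed for illustration.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample plan (not real infrastructure): a trimmed document in the
# shape of a Terraform JSON plan, keeping only the fields the policies inspect.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {
             "name": "web",
             "tags": {"owner": "platform", "environment": "prod"},
             "ingress": [
                 {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
                 {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
             ]}}},
        {"address": "aws_security_group.db", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {
             "name": "db",
             "tags": {"owner": "platform", "environment": "prod"},
             "ingress": [
                 {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/16"]},
             ]}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {
             "bucket": "logs", "tags": {"owner": "platform"}}}},
        # A deletion has no 'after' state; the engine must skip it rather than crash.
        {"address": "aws_instance.old", "type": "aws_instance",
         "change": {"actions": ["delete"], "after": None}},
    ]
})


@dataclass
class Violation:
    policy: str      # hypothetical policy identifier
    resource: str    # resource address from the plan
    detail: str      # human-readable reason, suitable for an alert or flag


# Security policy: only these ports may be reachable from the whole internet.
# The set is an assumption for the example, not a recommendation from the article.
INTERNET_ALLOWED_PORTS = {80, 443}

# Operational policy: every created or updated resource must carry these tags.
REQUIRED_TAGS = ("owner", "environment")


def _is_internet(cidr: str) -> bool:
    """True for a CIDR that covers every address (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_public_ingress(res: dict) -> list:
    """Flag ingress rules that expose non-allow-listed ports to 0.0.0.0/0 or ::/0."""
    out = []
    for rule in res["change"]["after"].get("ingress", []):
        if not any(_is_internet(c) for c in rule.get("cidr_blocks", [])):
            continue
        if rule.get("protocol") == "-1":          # "all protocols" means every port
            lo, hi = 0, 65535
        else:
            lo, hi = int(rule["from_port"]), int(rule["to_port"])
        exposed = set(range(lo, hi + 1)) - INTERNET_ALLOWED_PORTS
        if exposed:
            out.append(Violation("no-public-admin-ports", res["address"],
                                 f"port range {lo}-{hi} open to the internet"))
    return out


def check_required_tags(res: dict) -> list:
    """Flag resources missing any of the required tags."""
    tags = res["change"]["after"].get("tags") or {}
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        return [Violation("required-tags", res["address"],
                          "missing tags: " + ", ".join(missing))]
    return []


POLICIES = [check_public_ingress, check_required_tags]


def evaluate(plan_json: str) -> list:
    """Run every policy over every planned change and collect the violations."""
    violations = []
    for res in json.loads(plan_json).get("resource_changes", []):
        if res["change"].get("after") is None:    # deletions carry no future state
            continue
        for policy in POLICIES:
            violations.extend(policy(res))
    return violations


def deployment_allowed(plan_json: str) -> bool:
    """Gate for a pipeline step: True only when no policy is breached."""
    return not evaluate(plan_json)


if __name__ == "__main__":
    for v in evaluate(SAMPLE_PLAN):
        print(f"[{v.policy}] {v.resource}: {v.detail}")
    print("deployment allowed:", deployment_allowed(SAMPLE_PLAN))
```

Run against the constructed plan, the engine flags the web security group for opening port 22 to the internet and the logs bucket for its missing environment tag, while the database group (internal CIDR only) and the deleted instance produce nothing; the `deployment_allowed` gate then refuses the change. Keeping each rule a plain function over one resource is what makes the policy reviewable in version control alongside the infrastructure it governs.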

Who is implementing policy-as-code?

In terms of real-world implementation, policy-as-code is playing a key role in GitOps. As we know, GitOps is a set of practices to manage IT infrastructure and application configurations using Git, an open-source version control system. Aiming to put policy-as-code front and centre in the Git universe is GitOps specialist Weaveworks with its January acquisition of Magalix, a cloud-native security specialist with key security and compliance policy-as-code know-how.

By bringing Magalix’s policy-as-code to Weave GitOps, Weaveworks says it will further its vision of automating Kubernetes application and infrastructure operations. Secure GitOps pipelines throughout the entire software life cycle are imperative for resilient cloud-native service delivery that accelerates innovation, speed and agility.

“Enterprise customers have made it clear that trusted application delivery is critical to the success of their increasingly complex cloud-native platforms,” said Alexis Richardson, CEO of Weaveworks. “With the acquisition of Magalix, Weaveworks introduces customisable policies, compliance capabilities and comprehensive risk visibility into GitOps workflows, ensuring only authorised applications are deployed and there are no nefarious activities.”

Magalix was founded in 2017, focusing on security-as-code for teams running cloud-native applications. Magalix says it specialises in applying the DevOps mindset with codified security through policy lifecycle management, enforcement and actionable insights. With Magalix’s security capabilities organisations can control and enforce policies, using the same declarative approach as Kubernetes, to scale their applications while maintaining regulatory requirements and security best practices.

“We are seeing an increase in customers who run a zero-trust security model turning to GitOps to bring DevOps to cloud-native application development and IT operations,” said Mohamed Ahmed, founder and CEO of Magalix. “Similar to how DevOps disrupted infrastructure management, we believe that integrating security into GitOps pipelines brings considerable agility and speed, preventing errors and protecting against attacks that could shut down the entire platform.”

Let’s make beautiful yu-zak together

Weaveworks intends to fully integrate Magalix into its Weave GitOps Enterprise brand. This it hopes will deliver end-to-end Kubernetes security, enhanced visibility and resilience across the entire cloud-native life cycle in hybrid cloud, multi-cloud and edge environments.

We can certainly see that the drive to build the next age of cloud around everything-as-code (typically written as XaC rather than EaC) architectures is the way the entire industry is heading. What comes next may be user eXperience–as-code as we start to look more carefully at how users rate the functionalities of the cloud services we now build.

user eXperience–as-code

With XaC already taken, we’ll have to opt for UXAC, which sounds horrible spoken out loud unless we pronounce it ‘yu-zak’... you can imagine the promotional vendor t-shirts already.