Policy as Code: Improving Cloud Native Security » MIRLIB.RU - YOUR LIBRARY
Title: Policy as Code: Improving Cloud Native Security
Author: Jimmy Ray
Publisher: O’Reilly Media, Inc.
Year: 2024
Pages: 638
Language: English
Format: epub
Size: 10.1 MB

In today's cloud native world, where we automate as much as possible, everything is code. With this practical guide, you'll learn how Policy as Code (PaC) provides the means to manage the policies, related data, and responses to events that occur within the systems we maintain—Kubernetes, cloud security, software supply chain security, infrastructure as code, and microservices authorization, among others.

Author Jimmy Ray provides a practical approach to integrating PaC solutions into your systems, with plenty of real-world examples and important hands-on guidance. DevOps and DevSecOps engineers, Kubernetes developers, and cloud engineers will understand how to choose and then implement the most appropriate solutions.

I started writing the controls using what I thought was the best tool in my toolbox, Java; I was a Java subject matter expert (SME), and the cloud service provider (CSP) offered a mature Java software development kit (SDK). The first and, as it turns out, last control I wrote in Java enforced encryption of data at rest on object storage. There are certain control types within cloud computing that I consider fundamental for secure computing, and encryption of data at rest and data in transit tops my list. I quickly realized that building and running individual programs or modules to implement controls for the vast collection of cloud computing services and their respective features was not scalable or easily supportable. Writing code to consume the SDK was too low level. I was moving too slow, and it was challenging for me to share my approach in a way that facilitated broad adoption. The standards and controls SMEs were not Java programmers, and I couldn’t expect them to learn Java just to build new controls or even support those already built.

C7n was developed by a colleague of mine, and over time, it has been broadly adopted by cloud computing users and providers. With c7n we deployed rules engines to our cloud environments and wrote policies using a controls-friendly YAML DSL. Moreover, the DSL did not require any knowledge of the underlying Python code used to build c7n. C7n was the first Policy as Code (PaC) tool I used.

Understand PaC theory, best practices, and use cases for security
Learn how to choose and use the correct PaC solution for your needs
Explore PaC tooling and deployment options for writing and managing PaC policies
Apply PaC to DevOps, IaC, Kubernetes, and AuthN/AuthZ
Examine how you can use PaC to implement security controls
Verify that your PaC solution is providing the desired result
Create auditable artifacts to satisfy internal and external regulatory requirements

Who Should Read This Book:
This book is for DevOps practitioners, Kubernetes cluster operators, security engineers, and anyone charged with ensuring secure operations in cloud native and everything-as-code environments. In this book, I introduce PaC concepts and use cases, and expose you to patterns and solutions to help you successfully use PaC for your security, compliance, and governance needs. I think this book can serve as a reference for those of you needing to understand PaC and choose the right solution for your use cases. You can also use this book to discover techniques and patterns that you can apply immediately. I think some of you will reread this book to gain a deeper understanding of the different aspects of PaC.

For the purposes of this book, I mean to cover PaC and PaC solutions that are, for the most part, vendor neutral and CSP agnostic. By the end of this book, you should better understand PaC theory and capabilities as well as use cases, patterns, and best practices for security, compliance, and governance controls. In Chapter 1, I introduce a process you can use to choose the correct PaC solution for your needs and capabilities. As you read this book, refer back to the process to better understand each solution and its potential fit for your needs.
