Cloud Native / Cloud Services / Security

Styra Extends Open Policy Agent Security to Public Clouds

22 Jul 2021 8:07am, by

Once upon a time, we tried to code policy positions into our programs. It didn’t — it really didn’t — work well. Then in 2016, some developers at a company they called Styra came up with Open Policy Agent (OPA, pronounced “oh-pa”) for cloud native environments. With OPA, policy enforcement in code became much more practical. Styra recently commercialized OPA into a three-tier offering called Declarative Authorization Service (DAS). Now, Styra has taken another step forward with it by using HashiCorp‘s Terraform to extend DAS guardrails to public cloud storage, network, and compute resource configuration in Styra DAS for Terraform.

With this offering, you can deploy DAS on AWS, Google Cloud Platform, and Azure. Additionally, Styra DAS will now provide a unified policy-as-code solution, built on OPA, to ensure cloud infrastructure, Kubernetes, and service mesh deployments are secure and compliant. I like this idea. I like this idea a lot.

If you’re new to OPA, you should know it’s an open source, general-purpose policy engine that unifies policy enforcement across the cloud stack. You write your policies in its high-level declarative language, Rego. This is based on the old Prolog-based Datalog query language. With Rego, you can specify policy as code and create simple APIs to offload policy decision-making from your software. You can then use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.

What exactly are we talking about with a policy engine? Torin Sandall, Styra Software Engineer and OPA Technical Lead, explained, “policy means different things to different people in different contexts. In the context of software systems, policies are the rules that govern how the system behaves.”

So, for instance, is “Joe User” allowed to change a service’s configuration? Is this VM allowed to accept TCP connections from that VM? Which host can these containers be deployed on? And so on. Using Rego policies, the OPA policy engine takes “policy and data as input and produces answers to policy questions as output.”

This is very powerful. Chances are, now, for example, you make security policy decisions using general rules and ad hoc tools. That’s a lot of work. Can your IT team really continue to do their work and secure their systems in the ever more complex world of cloud native computing? I doubt it.

Sure your engineers and security teams could manage and secure a dozen or so systems, but hundreds or even thousands of disparate components in a modern cloud application? No, your people need help.

That’s where Styra DAS to Terraform cloud infrastructure control plane comes in. With it, your teams can:

  • Eliminate ongoing management of custom tooling and speed deployment with a single policy framework for cloud infrastructure authorization.
  • Manage the entire lifecycle of the cloud platform from design to deployment.
  • Eliminate policy silos with a single platform for cross-team collaboration.
  • Automate configuration validation, deploy platform security based on proven standards, and prove compliance.
  • Get started quickly with a library of security policies built by OPA’s founders.

Want to give it a try?  You can sign up for a Styra DAS Free trial and see if it works for you. I bet you’ll be glad you did.

A newsletter digest of the week’s most important stories & analyses.