GigaOm Radar for Security Policy as Codev2.0

1. Summary

In the early days of security, organizations did not have security policies in place. Instead, they had procedures and standards—books full of them—that were routinely not followed. Security tools were command-line driven, and firewall rules were entered in rudimentary UIs. Over the years, a few developments in particular have deepened the need for security policies to protect third-party applications.

• The increasing use of security tools and the integration of those tools with DevOps toolchains has resulted in a growing list of rules about what is acceptable and what is not when creating and deploying software.

• There’s been a rise of standards and compliance needs that have added to this expanding pool of rules. Organizations that serve only a single country or region still generally must support at least two compliance standards—in the US, PCI and any of a selection of government standards, for example.

• At the same time as the rules around application deployment and compliance were occurring, changes were happening in DevOps as well. Pivotal to the expansion of DevOps were infrastructure as code (IaC) and GitOps. IaC allowed the creation of rules that generate software infrastructure as text files—commonly referred to as code but seldom implemented as traditional programming languages. And GitOps allowed operations to be triggered by Git commands like “push.”

Policy as code builds on these movements to formalize the rules that an organization uses—whether for internal or external compliance—into text files that are easily parsed by both machines and humans.

After years of struggle to keep consistent policies enforced across a growing application landscape, the policy-as-code technology sector promises to finally get us there. By offering a standard repository and code format for policies to be managed in and integrating into DevOps toolchains, these products can make an organization’s deployments more secure, reliable, and repeatable—even where policies and guidelines are layered.

This GigaOm Radar report highlights key security-policy-as-code vendors and equips IT decision-makers with the information needed to select the best fit for their business and use case requirements. In the corresponding GigaOm report “Key Criteria for Evaluating Security-Policy-as-Code Solutions,” we describe in more detail the key features and metrics that are used to evaluate vendors in this market.

A Note on Inclusion Criteria
For this analysis, we focused on security policy as code and compliance. This is in keeping with most organizations, where security policy and compliance policy are implemented together. To be included in this report, solutions must meet the following table stakes (capabilities widely adopted and well implemented in the sector):

• Basic editing functionality
• Security controls
• Prebuilt policy bundles
• DevOps tool integration
• Git integrations
• Platform integrations

.We did not include policy-as-code solutions used for other purposes—technically, any of the Git solutions could be used to implement policy as code for any part of IT, but this analysis targets tools that make security policy as code easier.

Additionally, we differentiated between solutions sold with policy as code as the primary use case versus those that have policy-as-code features but are not available to the general public.

This bifurcation resulted in the exclusion of some products that can do the job well but are not aimed at the general market: Palo Alto Networks (Prisma Cloud) and HashiCorp in particular. While both vendors have implemented policy-as-code features in their products, these are aimed at supporting customers of their larger offering and are not available to the general public as a policy-as-code solution. So while not included in this report, Prisma Cloud customers should look first at Prisma’s policy-as-code capabilities, and HashiCorp customers should do likewise.

While Weaveworks shares some of the traits of the Prisma Cloud offering, it does sell a policy-as-code solution to the general market and as such is included in this report.