Key Criteria for Evaluating Security-Policy-as-Code Solutions v2.0

An Evaluation Guide for Technology Decision-Makers

Table of Contents

  1. Summary
  2. Security-Policy-as-Code Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take

1. Summary

Security policies are designed to protect an organization’s IT assets by formulating security requirements into a set of rules that IT staff follow. They cover the spectrum of IT activity, from defining the input checks required during development to determining which ports must be kept closed at deployment. As automation spreads throughout the overall architectural environment, the ability to apply policy through that same automation becomes appealing. Historically, security policy has not been well enforced, but with automation and specialized tools, more can be done today to secure not just applications but the entire IT footprint more effectively.

The tools in this space hold collections of policies, implemented by both the vendor and the IT staff, that can be applied individually or in groups to a target. The target can be an application or an environment, though this report focuses more on the environment because tools in the development security technology space already cover development needs. This report looks at security policy management and enforcement. The tools in this sector also feed into the governance, risk, and compliance space in many organizations, but they use different technology, focusing on the creation and enforcement of the actual policies required to achieve compliance.

Policy-as-code solutions help organizations mitigate risk by creating, managing, and enforcing policies to maintain security and operational best practices. The policies these tools manage can be about anything; our focus here is on security and its specific needs. This includes compliance, which is really an extension of security policy mandated by an external authority.

The key to security-policy-as-code tools is that they automate what was already a prescriptive set of steps to achieve security. By adding the ability to install collections of policies for specific needs, such as compliance policies for a given set of requirements like HIPAA or GDPR, the tools become even more useful, freeing staff from having to implement those external compliance standards as policies from scratch.

A growing number of products in this space and nearby spaces use Open Policy Agent (OPA) as the worker for their policy infrastructure. This provides a baseline of functionality against which to judge other implementations, and an integration to evaluate for those products built on OPA. As the use of OPA grows, we expect it will become the standard method that all policy engines use to implement the enforcement aspect of policy, and possibly for distribution and management as well, leaving tools in this market to implement policy management, development, reporting, and integration points for OPA-based deployment.

Overall, policy-as-code tools speed compliance, reduce staff investment in security, and assist with compliance auditing against outside standards. These tools make IT safer, shrink the time investment required, and make proving adherence to standards easier.

The GigaOm Key Criteria and Radar reports provide an overview of the security-policy-as-code market, identify capabilities (table stakes, key criteria, and emerging technologies) and non-functional requirements (evaluation metrics) for selecting a solution, and detail vendors and products that excel. These reports give prospective buyers an overview of the top vendors in this sector and help decision-makers evaluate solutions and decide where to invest.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Full content available to GigaOm Subscribers.
