
Hello, how's everyone doing? Amazing. I am very, very happy to be here. What a place in the world, gorgeous. It truly means a lot to get to participate in the event. Shout out to James, Jane, the organization, for bootstrapping and building community around this very pressing set of topics and bringing people together in order to come up with better solutions. That was a very long intro, thanks Jane, I'm sorry for putting all those words in there. This is me. I come in multiple configurations of hair and beard that shift quite a bit; it's all the same person. I work at ControlPlane, that is a security consultancy focused primarily on highly regulated industries, critical national infrastructure and financial services. We do a lot of offensive security in order to help strengthen defense, trying to apply, combining red teaming to purple teaming. Also we do a lot of audit and assurance. It has been almost a compulsion of mine in recent years, helping organizations rethink holistically how to meet their compliance and regulatory objectives through code. And what is compliance, ultimately? It's: are we doing what we said we will do? But how many screenshots of spreadsheets can you provide to demonstrate that? There's got to be a better way. Sure, we've started to express policy as code, and there's plenty of room to iterate and be the best version of the organization, help metabolize the consumption of platforms, applications, products in order to provide better services, do so securely, avoid getting breached.

Some of the public works I've written, I'd encourage you to check out some of these references. One is the supply chain best practices guide; a lot of policy in there, defining policy in order to protect the supply chain, the software supply chain, from incidents like the SolarWinds breach of recent years and other high profile attacks of that sort. Also complementary to that, the software factory reference architecture. It's an opinionated approach to ensuring that supply chain controls are in place using best of breed, the most mature, the most feature complete open source projects that are out there. Also quite interesting to the track: if you follow DevOps you might have seen the definitive book, The Phoenix Project. I recently gathered with another set of authors to do a sequel to the book. So is it a novel? A little business erotica, may not be for everyone, but it's the story of a financial services organization receiving a Matter Requires Attention from the Office of the Comptroller of the Currency in the United States and what unfolds from there: how do they react and how do they manage to bring the organization together? Different groups have been operating as silos, attempting to do DevSecOps but also ensuring that compliance and audit get brought along the way, as opposed to being an adversarial set of gatekeepers, ensuring that they can all fulfill their compliance objectives.

Real quick on the company, once again, I talked about it, glossed over it: we're security specialists on cloud, Kubernetes, containers and open source. Clients, once again, organizations in highly regulated industries. We're a relatively small company, around 50 people, headquartered in London, and we have offices in New York and Oakland. So, the author of the talk: I'm actually delivering this talk on behalf of someone else, a gentleman by the name of Chris Nesbitt-Smith. Chris works
for the UK Crown Prosecution Service. A lot of the art, a lot of the slides you're going to see were produced by him, and when we got together and were going over the material we landed at: okay, policy is actually quite dull, how do we make this compelling, how do we make it interesting? So bear with me, I'll try my best to get your attention. Chris hired an artist for the following act, and this is Chris, this is not me. We have a little contention of whether to call it a lift or an elevator; yes, we call them elevators, not lifts, in North America.

So Chris walks into the elevator and people follow right behind him, and he thinks, okay Chris, this is your moment, now or never. As the door closes he positions himself at the door, he's got a captive audience, they're his. He takes a breath, he looks to the first person on his left. That person's in a suit, they look very important. He gestures at them, they look back to us to say, sure Chris, go on. Oh, you must be the CIO, the policy maker, the one whose neck is on the block. What are the chances of finding you in my imaginary elevator today? And Chris asks her, so what's keeping you up at night? And she says, I don't know what teams are really doing, what volume of risk can I take and what should I show more interest on? Setting and changing policies is slow and hard to communicate. People just go off, do their own thing, they think they know better, and to be honest they often do, but I'm left playing catch up with the rest they've signed me up to. Okay, I'm not going to be a patronizing snake oil salesman, but I can help managing risk, mostly opportunity risk, the fear of missing out, so getting features out the door, avoid getting bogged down. Everyone looks back at the CIO as she goes on: bureaucracy, that's the sign to slow me down. Okay, great, this is your lucky day.

He turns on to the next person. They're dressed in overalls. Depending on what part of town, could be Brooklyn, could be the posh part of London, Shoreditch, they could be the CTO, he thinks. Before he addresses them, they immediately turn to him and say, hi, I am the maintenance person here. And Chris is like, wait, how come you're in my imagination right now? Hang tight, I'll get back to you straight away. His attention goes to the next person. They're wearing a hoodie, got their headphones around their neck, and he's like, right, stereotypical developer, I know you very well. So he asks, what code do you write, is it Python? And they go, cool. You got everything updated to work with, perhaps if you do Python, Python 3? That must be really hard. They don't know it yet, but he built rapport with them, he's connected. And they say, yeah, like, staying hard on patching dependencies, staying on top of it so we can always react to the next fire, knowing what rules exist, which ones can I bend, which ones can I break, what might cost me to lose my job. It's a struggle to write consistent, good quality code, avoiding technical debt, and to get the rest of my team to follow along and work cohesively as one. So hey, do you use any tools that I can help you with? Chris asks, and they say yeah, for sure, linters, code quality, test coverage tools, the usual. Great, I write code too, let's be friends. Hands them a printed QR code with a public PGP key so they know they can trust the communications and what Chris says.

And he brings the focus back to the cleaner. It's like, okay, I got it, I know what you're doing here, like, you get told what to do, and when it changes, how does that happen? Oh, we get a memo, something stuck on the wall, just like last week we got one saying that all whiteboards in all meeting rooms needed to be cleaned every night. Okay, how does that work out? Well, it's up to us to maintain the new to-do list so we can onboard new people on the cleaning team. Does that ever go wrong? Yeah, sometimes when we compile our operational manual we miss a memo or don't apply it in the right sequence and we get things wrong. So, glancing over at the person who seems to be the product manager, the cleaner goes on to say, well, like when we had an update to the guide that the meeting room on the third floor was being used as a dedicated war room, and we wiped all the whiteboards. Getting back at the developer, this seems to sound familiar to them, so they're nodding like, turns out we're not all special snowflakes in the way we go on about things. But not all is lost. Like, good reason the person has started, whether they're... the lift's starting to slow down, almost arriving at its destination. It's like, okay, I may have a silver bullet for you all, and the CIO looks back ready to buy whatever Chris is selling, and as the doors open it's like, but wait, who are you? And as he moves out to not stand in the way, not obstructing people into the office, it's like, well, I'm really here just to fix the lift, people have been complaining it only goes to the top floor no matter what button they push, and it's actually pretty slow. And they're all like, what? They storm out, furious, they head towards the stairs, the door shuts and he carries on, goes back to his job.

So, that act, does that sound familiar to you in any way? And if you can relate to any of them, we may have some answers for you. So what if I could say you could update policy easily, even releasing several versions, not just one in a year or a month, what about 10 updates to the policy a day, and seamlessly communicate what people need to consume without derailing them, how to best operate safely, how to attain that promise of the cloud, of developer productivity, operational efficiency, without being bogged down by audit?
You could have visibility on all the compliance tools that the organization uses, and that policy would be readily consumable, easy to parse. You'd be able to demonstrate compliance, make sense and not be bogged down by bureaucracy at time of change, when it needs to be, and not get in the way. That same policy could be used by developers as a dependency and operate like a linter, so you can run compliance checks locally, in your continuous integration pipeline, on guard protection. Ultimately, multiple versions of that policy as dependencies are supported, so when emergencies happen and you must update now because there's a security advisory of a new critical vulnerability, think Log4j, and everything must be updated, it's not a fire drill; that act of responding to the incident is now business as usual and it doesn't cost as much chaos. Like, okay, cool, right on, all of that sounds quite promising.

So by show of hands, who has set and, like, written or applied a policy before here in the room? Okay, who of you have consciously sought exemption, conspicuously bent, broken, circumvented, ignored, bypassed whatever that policy was, with the best of intentions? Okay. Typically I take my phone out and snap a real picture real quick just to raise the stakes: we got your names on your badges, we know who you work for, we can send it to your
company. So you fell for it, thank you. Not going to use that actually, and as you see I didn't take the picture.

So where do I see policy going wrong? Just to agree on terminology, because policy means different things to different people, here's a commonly accepted definition: a set of ideas or a plan of what to do in particular situations that has been agreed to officially by a group of people, a business organization, a government or a political party. That policy usually comes down in two forms. One, security, like data at rest for your platforms has to be encrypted, or all traffic before it hits the wire must be encrypted at the application layer for data in motion protection. The other type is consistency, such as code style. There are other types that you could think of, but broadly those two are intended to mitigate risk of some sort, prevent something bad from happening: in the case of cyber, a breach, and in the case of consistency, it's all about people doing things repeatedly, driving down cost, not drifting too far off on their own way, not going on uninformed adventures. Although those two sets, no matter the intentions, are typically emotionally led and are not really rooted or anchored on controls, and that opens the door to case by case exemptions. Whatever policy exists, it's hindering productivity and we often need to reach out to the policy stakeholders to approve an exception for us every time there's a situation the policy hadn't contemplated at the time that it was written. It's a lot like laws of the land, with case laws making very complex, very broad rule books for attorneys to navigate, and it's really hard to measure compliance. In court it often looks like a thin wedge, as you see in the picture, where a precedent, which may have been an uncomfortable pill to swallow the first time, becomes very dangerous with others as they start to expand the scope of that new precedent, which puts us in a place of asking: is the cure actually worse than the disease? Are these policy changes and exemptions, and the way that we reason about it, actually something that gets us into splitting hairs, that gets us frustrated, that makes us have a lot of unnecessary conversations, rather than the way that we described and defined the policy in the first place?

But if you map that to how developer teams work, this is not how software gets built, at least not typically. Like, the way that people go from gathering requirements, turning those client requirements to a functional spec and to a set of engineering tasks to execute against, it's very different to how we've described policy changes getting made. So why don't we take some of the best elements of agile, DevOps,
pick your modern software development methodology and framework, how about we marry those two a little bit? We've codified everything else up to date already, so if that isn't the answer, expressing policy as code, then what would it be? So in part it is the point of the talk that we started to do that somewhat, but perhaps the best approach is cargo culting a lot of the thinking of policy, and we may be doing it wrong. You can thank your favorite product name, scream it at me as the solution, and yes, there's a lot of tooling out there that can help the organization start to solve the problem to a certain degree, and like, you're not wrong, but the devil is in the details here. Throwing some curly braces around the statement doesn't inherently fix things. Just making the policy code is not the silver bullet. If it is a security control that we're defining, it's often ideal to keep that policy we just wrote as a secret; exposing it or sharing it is something that could get in the hands of a competitor or, worse, an adversary that can turn around and use it against you. And we hear a lot in recent times around shifting security left, but it doesn't really support the desired results, and developers, who are already having to think about performance, availability, they now need to be security experts and policy experts at the same time, and they look at a policy and they do their best at reverse engineering that to map it to security, to the engineering requirements, and they bang their heads.

Like, it wouldn't take a lot of imagination to find that scenario of deploying an application and finding midway that one of the resources you need, one of the resources specified by the policy, is non-compliant. So as you're rolling out this new application, whatever organization you work with, be it the first time it's going to market or it's an update, if in that deploy, that rollout of that application, one of the criteria of the policy is not met, it blocks the deployment, which leaves things in an overall state of inconsistency halfway, which will result in downtime, which will result in a degraded experience. And is it better to be compliant or is it better to be not operational? Sure, we can abide by the policy, we ensure if this had a certain number of vulnerabilities it doesn't reach production, but wouldn't it have been better for it to reach production and somehow get sandboxed or guard railed, understanding that exemption as it was actively patched? So engineers are quite clever and they're always going to find a way around. They're gonna go through the side every time that a computer says no, you cannot come through this way.
And that's further exacerbated when updates to policy are desired. Like maybe you're getting a penetration test and something goes wrong and you form this new policy, and it could be Amazon Web Services, all your S3 buckets need to be encrypted, and that could be considered a breaking change. And you could say, well sure, why don't we just provide warnings, at least like a heads up, instead of gating it, at least for the less important issues or new emerging policies, as those changes happen. But that will only work if everyone actually looks at it. It's not just writing the document, but if folks just are on about their job every day, we go back to the elevator situation: how do they keep that rule book updated, how do they even load it in their heads? It's almost a full-time job keeping up with this set of warnings. So if you've adopted DevOps, and chances are if you're on that journey you may have heard the term GitOps, or at least continuous integration and continuous delivery, is anyone actually looking at the warnings? Who studies the results of the logs every time there's a deploy or every time there's a build? Anyone? Not really. If you are, you could be missing the point of CI/CD, which is being able to trust the status and the activity. But I'm not here to throw stones today.

Like, going back to the promises to the imaginary friends of what the promised land may look like: it would mean visible, it has to be communicated, it has to be easily consumable, testable, updatable and measurable. Nothing really new under the sun, but someone has unwittingly solved these problems elsewhere, we just need to remind them and connect the different domains. The first thing to start off, if you're doing policy as code, is putting it in version control, Git or GitHub, and then from there making that visible to everyone. So the term inner source: how do we bring that institutional knowledge and capture it and operationalize it, and allow anyone within the organization's walled gardens, employees, suppliers, to see that policy in that repository? And it's not giving visibility of all the threat monitoring rules or the intelligence away to them, you can keep those to yourself, but making the policy visible as code and artifacts in version control, and what gaps are there, is often better than the downtime, the reverse engineering, workarounds, or the opaque legacy solutions that look like a spaghetti soup. If you're really brave you may want to share it with the outside world; you will find that it finds the ability to work well with prospective suppliers and new business relationships without incurring NDAs and whatnot. Widely distributed secrets are ultimately very expensive to maintain, difficult to handle and only stay secret
for so long. So policy is visible with GitOps, and then Git, so it's visible to those that need to see it.

Then we started looking at something like semantic versioning, that no doubt you're using, but a quick recap on it. Semantic versioning: the first segment in semantic versioning, we see the one, is indicating major versions, perhaps conflicting changes, and if we apply that to the context of policy it could be a policy that expresses that all resources require a department label, like who's the owner, and that would help with things like cross charging, who knows. Like, an increment to that field could be something that requires it to be from a predetermined list rather than free text. So we're expanding this notion of policy. Then the second segment indicates things like minor changes, things that are easy to update and are not going to break anyone. An increment from there will look like you're correcting a spelling mistake that was done in the policy or a department name change. The third segment indicates patch changes, so that'd be fairly easy, like a no-brainer to keep up with, and an increment in this field would be like adding more departments to the available options. So great, the policy is visible, it's in a repository, now it's versioned so people understand when changes have occurred. We can tack release notes every time there's an update in the versioning and all the expectations are managed along that semantic versioning.

So in software we're used to handling dependencies, so what if this policy was just another dependency of the code? You might be unwittingly doing this to some degree, taking something like a dependency on your JavaScript package, perhaps like ESLint. So we talk visible, communicable and consumable like software, and then we go on to unit testing, and testing is somewhat of a dirty word, but in order to make this an asset everyone can depend on and also provide good examples, tests are essential to give... (fire alarm)
All right, good to know, no panic. I was once in Hawaii at an ultra marathon race and everyone's phone blurted out an incoming missile, yeah, incoming missile, and it was a test from the Department of Defense that had gone out to everyone. So yeah, the policy wasn't honored in that instance, or the policy as code was not enforceable, and it was quite the situation. Within five minutes we did get, hey, false alarm, no missiles, nothing to do. Great. Okay, so back to policy, and keeping on making it easy: everyone's confidence and the stability and the potential side effects of everyone involved, all the stakeholders, are trying to be better grasped. So the consumers of the policy need to be able to test themselves; talking about unit testing against the policy, going back to that shifting left, it shortens the feedback loop, so as a bonus you're finding your consumers able to rely on the artifact you're sharing with them. So taking on the home stretch: it's a dependency, so updating it is not different to anything else in software. You can use some magic like GitHub's Dependabot or Mend Renovate and do that for you, think like automatic pull requests, if you have those tests, even automatic merging.

I did say policy is dull, so if it's not the most energizing start of the day, you can tell me, like, a recent event that cost everyone in every industry: what version of a certain logging Java doohickey was everyone potentially running, literally in every state? Log4j, you guys heard about that one? So all presentations in 2022, 2023 are contractually required to have some reference to Log4j given what that cost, even if it's almost entirely out of context, so I'm being compliant there and including some memes about it. Hopefully mid-year we can start to remove these. And just to point at a broadly scary look of a list of vulnerabilities in order of, like, commanding behavior through fear, you see a lot of scores 10, 9 and above. It's, if you're in cyber and policy, it's all about ultimately, like, and the reference to Log4j, situational awareness of your software supply chain is something your company's probably started to do to avoid being on the headlines in the media and the news, having the negative press cycles pick up. So if policy is a dependency it's not a new problem. Like, in the software supply chain context you might have started hearing about software bills of materials, the promise of having a list of ingredients so that can help us measure compliance of, like, what packages are in there. So lots of ground there, hopefully some of it sounds convincing, it's not some
fictional utopia on PowerPoint. It's time to look at how you might actually implement this, and like, you didn't come in here to start the day wanting to see a million words on the slide, you're an emoji or two. So at this point I can show you some code. To maintain scope, we're gonna talk about two things, to prove it's not just technology or one tool. We've arbitrarily picked Terraform, it's a quite popular configuration management, provisioning tool, it's open source, and then Kubernetes, which has become like the infrastructure interface that most modern applications get built on. But you could pick anything, naturally; like, we just needed some tools, but we're somewhat lazy to invent new things here, so picking two other things that exist in open source: Checkov will do the Terraform part and Kyverno will do the Kubernetes. So if you wanted to browse, here's an example GitHub organization. Like, I don't want you to read the whole thing or try to grok the code on screen, it's just there to prove it's a real thing that's been prototyped, that you can check out, that you can consume, expand, share with the organization.

So this is a sample view of the repository, the policies stored there, and here's a view of that policy that starts at version 1.0.0, and this policy requires a department label on all resources; as long as that's set, it doesn't matter what that is. We've written some tests for it, so the passing test cases are usable as a great example of what good and what bad looks like. We push the tag in Git, we've added release notes, we can sign it cryptographically to verify assurance, so Chris signed it there. Version two of the policy looks very similar, but now that department field has to be from a predetermined list. Like before, the tests exist, release notes are written. 2.1 is where we notice and correct the spelling mistake for one of the options in the list of departments. 2.1.1, we've added a new department to the list. App one and infra one in the system depend on version one of the policy; they are not compliant with version two, but how can we infer that? We've configured this to Renovate automatically in code, so there's a new version of the policy, it's super obvious to update the dependency and re-test against it, clear feedback of where and where not you're compliant. You can see the pull requests, all the merges from the stakeholders, so you can measure the compliance of the policy. So if you're moving from app two and infra two, they have that dependency, you could merge the open pull requests all the way to 2.1.1, and finally app three and infra three are dependent on 2.1.1 and that gets a gold star from the CIO. There's a little bit of magic there, all of it's not pretty, it's like written in Bash, no judgment there, but it's not the worst code, it's probably worse. It does allow me to test, from my developer machine and in my pipeline, my code against a particular version of policy, so yeah, that's an interesting bit.

The last piece of the puzzle is managing the life cycle of the policy and allowing multiple policies to be accepted and evaluated with a single runtime. A little bit of cheating, because Kubernetes gives you something called
admission controllers, so it's not easy to get the same policy evaluation you would have in the cloud, although it has its own policy as code, and in Kubernetes we're making some changes there. You may have noticed that the policy is decided and distributed, it lends itself to be reused in multiple clusters and multiple platforms, which brings cluster one, cluster two, all the automation, we use separate tooling, and then all you have captured in code is like compliant, the policy is all versioned, the CIO has visibility and context, has the awareness of what's going on. It's great.

Like, the one more thing that would be awesome is if the policy carried a story of why it exists, what it is, not what it ought to be, like its reason of existence. After all, your agile teams, if they're effective, will reject anything they perceive as friction, that's slowing them down, if they don't see value for it, so they need to understand the why. So it helps them understand if they're compliant. If they want to do something outside what the policy permits, they don't need any sort of exemption granted for this; they can have a well reasoned and informed debate, defensible arguments, with the rationale once it has that story. So if you're going through states, reversions, and then the risk informs the mitigations, that's expressed there, maintained all in the code, so when the risk landscape changes, as it continues to evolve, your policies can evolve with it. New regulation comes in, or your latest marketing strategy has changed and is paying off and you acquire more data as a result, so the policy that was good before, that exists, is no longer that great, like the risk and the appetite stand still with it. So likening it to over provisioning, that's where the real culture change is needed, and the execution of that is probably an entire series of talks, but this is really all to you now.

Like, you can tell if it's something that resonates with you, a lot would love to chat more, but yeah, check out the code, talk to people, making like more than getting developers on board and like pull requests, on like helping us grow and have traction. If this is a movement, we'd really like to find design partnerships, understand your use cases and desired outcomes of how can we do this policy as code in function of you, and start to swap these imaginary people for real people, you and the audience. The most important thing from our time together is precisely that, the relationships we establish, and thinking of it as a sociotechnical system. If you're going through a transformation and you invest solely in technology, you only get so far. If you think it's a people problem and you invest in training and upskilling them but don't do so with modern tooling, you also only get so far. So you have to do these two in conjunction, because change is hard. So the one thing, if you could retain one thing at all, is: purposeless policy is the same as a pointless policy, it's just words on a document. So bringing the story and that policy to life, letting it burst into a life of its own, and being something that we can all see, we can all understand, we can express, we can reason, is what gets us to a better place.

Here's once again the repository to the code. Again, like, risk has to be, or security has to be, measured to the risk that exists, so do your investments in cyber security. But yeah, that's the talk. Hopefully you have found this informational, entertaining. I may not have all the answers, I'll take questions, but I do think we're at time. But yeah, more than answers, I'm here to have conversations and to exchange and learn from each other. So thank you very much, once again a great pleasure to be here, beautiful place in the world, and looking forward to spending today and tomorrow with you. Thank you.
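The versioned department-label policy the talk walks through, written out as an added example that is not from the talk's repository, Kyverno or Checkov: each version is a check over Kubernetes-style resource dicts, the version 2 family composes the 1.0.0 baseline (the dependency relationship raised in the Q&A), and the department names, resources and app names are all constructed.

```python
"""Constructed example: the talk's department-label policy as a versioned dependency.

Versions follow the sequence in the talk: 1.0.0 requires a department label
(any value), 2.0.0 restricts it to a predetermined list, 2.1.0 corrects a
spelling mistake in that list, 2.1.1 adds a department. Department names,
resources and app names are made up for illustration.
"""
from __future__ import annotations

from typing import Callable, List

LABEL = "department"
Check = Callable[[dict], List[str]]


def _name(resource: dict) -> str:
    return resource.get("metadata", {}).get("name", "<unnamed>")


def require_label(resource: dict) -> list[str]:
    """1.0.0 baseline: the label must exist and be non-empty; the value is free text."""
    labels = resource.get("metadata", {}).get("labels") or {}
    value = labels.get(LABEL)
    if value is None or not str(value).strip():
        return [f"{_name(resource)}: missing required label '{LABEL}'"]
    return []


def require_from_list(allowed: frozenset[str]) -> Check:
    """Version 2 family: depends on the 1.0.0 baseline, then constrains the value."""
    def check(resource: dict) -> list[str]:
        problems = require_label(resource)  # baseline policy evaluated first
        if problems:
            return problems
        value = resource["metadata"]["labels"][LABEL]
        if value not in allowed:
            return [f"{_name(resource)}: {LABEL}={value!r} not in {sorted(allowed)}"]
        return []
    return check


# Release notes travel with the policy so consumers can see the "why" of each version.
POLICIES: dict[str, tuple[str, Check]] = {
    "1.0.0": ("All resources must carry a department label.", require_label),
    "2.0.0": ("department must come from a predetermined list (breaking change).",
              require_from_list(frozenset({"finance", "platfrom", "payments"}))),
    "2.1.0": ("Spelling fix in the list: 'platfrom' -> 'platform'.",
              require_from_list(frozenset({"finance", "platform", "payments"}))),
    "2.1.1": ("Add 'risk' to the list of departments.",
              require_from_list(frozenset({"finance", "platform", "payments", "risk"}))),
}


def parse_semver(version: str) -> tuple[int, int, int]:
    major, minor, patch = (int(part) for part in version.split("."))
    return major, minor, patch


def evaluate(resources: list[dict], version: str) -> list[str]:
    """Run one policy version over a set of resources; an empty list means compliant."""
    _, check = POLICIES[version]
    findings: list[str] = []
    for res in resources:
        findings.extend(check(res))
    return findings


def upgrade_candidates(pinned: str, resources: list[dict]) -> dict[str, bool]:
    """What a dependency bot would surface: for each newer policy version, would the
    app still pass? True means the bump could be merged as-is."""
    newer = [v for v in POLICIES if parse_semver(v) > parse_semver(pinned)]
    return {v: not evaluate(resources, v) for v in sorted(newer, key=parse_semver)}


def resource(name: str, **labels: str) -> dict:
    """Minimal Kubernetes-style object (constructed, not a real cluster manifest)."""
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": name, "labels": dict(labels)}}


# Constructed sample apps, mirroring the talk's app1 / app2 / app3 story.
APP1 = [resource("app1-config", department="Finance Ops"), resource("app1-svc", department="misc")]
APP2 = [resource("app2-config", department="platfrom")]
APP3 = [resource("app3-config", department="risk"), resource("app3-svc", department="payments")]
UNLABELLED = [resource("orphan-config", team="blue")]


if __name__ == "__main__":
    for app_name, app, pin in (("app1", APP1, "1.0.0"), ("app2", APP2, "2.0.0"), ("app3", APP3, "2.1.1")):
        for finding in evaluate(app, pin):
            print(f"{app_name} pinned to {pin}: {finding}")
        print(f"{app_name} pinned to {pin}: upgrade candidates {upgrade_candidates(pin, app)}")
```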
A couple of questions? Yeah man, come on up, let's take some questions please.
Are the exceptions... am I getting... yeah, all right. So I have a very deep voice and great vocal range. Oh, there we go. Yes. So I get writing the policy as, you know, whatever happens normally, and you have the throws and exceptions for edge cases, things that might happen that are unusual. But what I was kind of esteemed, still didn't quite get clear, in terms of thinking of dependencies and inheritance, going back to my student days, as kind of like OOP, object oriented programming: how do you do that in terms of policy? Because it seems kind of hard to express that as code. I mean, could you expand, like, how you make that readable for, not us as people who set policies, but kind of translating what we want to communicate to developer teams, to other technical people?

That's a great question. Analogous to object oriented programming, you have classes and you have objects that are instances of those classes, like manifestations, right? So being just like plain, if it was not object oriented, if your policy becomes code and that is just putting the curly braces around it, you're not instantiating the multiple variances of that policy in existence. So turning it into a class and having that called out and saying, okay, a hierarchy of policies and that composition, where a later semantic version like 2.1.1 could have a dependency on the baseline as 1.0, so that's what we mean by establishing that relationship as a dependency, like you can have a baseline and then the multiple variances that fork from there would at least need to depend on one-oh. Does that conceptually make sense?

Like a polymorphism? Yes. Sorry, so what you're describing is a kind of polymorphism where you can have several inputs, several different kinds of inputs, into one policy, depending on the condition of what actually is passed into it correctly? Correct. Okay, it's an interesting concept. I don't know, unless you are a regulator or somebody in there who has a technical background, I still understand, like, yes, that all of us went to CS school and so forth, but I definitely would like to have some resources and so forth that I could pass on so people can get it, because I kind of get it because I have a CS background, but I know a lot of people wouldn't.

Yeah, and it's a steep learning curve, because it is bringing a lot of heavy computer science into a domain that has been probably more lawyerly and more prosaic. But yeah, just like another form, analogous to describing that without talking about object oriented programming or polymorphism, is thinking of input lists, right? Like, you're building software and you're making the policy a dependency, as all the list of libraries and packages you're putting in there, and being able to call it out when you're assembling at build time, saying, like, we're depending on this policy for this particular release. Thank you, great question.

I just have a quick question, more on a consulting side, but with ChatGPT and the risks of employees sharing or verifying code, what's your recommendations on how best to tackle this in terms of businesses adopting this into their corporate policy as well as cyber security?

Wow, that's quite the question, see if I can do it justice. Lots of thoughts, still forming an opinion, and I think it's nascent, it's growing so fast, and we're seeing it, like, people relying less on Google and opting for having a ChatGPT window open all day. If it's the place people are seeking information and the organization doesn't allow it, people are going to attempt to circumvent that, right? Like, they're gonna open it up on their phone and they're not going to access it from the company network, they're gonna access it over 5G and seek information there. It's important to have segmentation and isolation if it's used as a tool for, again, information gathering. And ChatGPT, unless the company has decided to wrap around it and say, hey, we're going to have ChatGPT for all our knowledge bases and have it crawl that data, if that's the path, having segmentation and, say, zero trust, like really a hard mapping of what the guard rails of the system are, so there's no informational leakage. But probably timely to start gathering the people together and having the conversation of which way do we want to utilize and rely on it, as opposed to oppose it, before it proliferates and it's something that people just, I mean, it becomes their day to day.

Thank you. Sorry, at this time we need to move forward, so he is going to be around, please meet with Andres and ask him more questions if you'd like. Love the focus that you did during our alert. Thank you very much.