policy as code

Guest:

• Rosemary Wang, Developer Advocate at HashiCorp

 Topics:

• Could you give us a 2 minute picture on what Terraform is, what stages of the cloud lifecycle it is relevant for, and how it intersects with security teams?

• How can Terraform be used for security automation? How should security teams work with DevOps teams to use it?

• What are some of the obvious and not so obvious security challenges of using Terraform?

• How can security best practices be applied to infrastructure instantiated via Terraform?

• What is the relationship between Terraform and policy as code (PaC)?

• How do you get started with all this?

• What do you tell the security teams who want to do cloud security the “old way” and not the cloud-native way?

 Resources:

• Video (LinkedIn, YouTube)

• “EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?”

• Policy as Code with HashiCorp Sentinel or Open Policy Agent (OPA) for Terraform

• “Terraform Cloud adds Vault-backed dynamic credentials” blog

• Google Cloud Provider for Terraform

• Security & Authentication Providers for Terraform

• “Sloth’s Guide to Mindfulness” book

Find out how to use platform engineering to scale your DevOps 🚀with this hands-on podcast with Sarah Polan, Field CTO at HashiCorp. Sarah is passionate about 2 things: DevSecOps 🔏 and automating everything 🔁 (she even automates aspects of her childcare :)). Which is why this podcast episode is all about scalability 📈 - from attrition-proof DevOps to automated audits. This is a must-listen podcast for both CTOs who are new to Platform Engineering as well as those who are troubleshooting from the trenches. Listen to find out: - Why do we need platform engineering?🤔 From financial benefits to DevEx. - Is DevOps dead? Why platform teams is the only scalable way to do DevOps - How to get your platform and application teams to work together 🪢? - How to balance 🤹 autonomy and innovation with centralisation? - How to decide what to build at a platform level? 🧩 🏗 Does it differ by industry? Listen here: https://alphalist.com/podcast/80-sarah-polan-field-cto-hashicorp?utm_source=feed&utm_medium=referral

Guests: 

• Dominik Richter, the founder and head of product at Mondoo

Cooked questions:

• What is a policy, is that the same as a control, or is there a difference? And what’s the gap between a policy and a guardrail? 

• We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud?

• Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now?

• Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams?

• How do organizations grow into safely rolling out new policy as code code? 

• You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance"  and this problem has been unsolved for as long as the cloud existed. Will your toolset change this? 

• There are other frameworks that exist for security testing like HashiCorp’s sentinel, Open Policy Agent, etc and you are proposing a new one with MQL. Why do we need another security framework?

• What are some of the success metrics when adopting  Policy as Code? 

Resources:

• Live video (LinkedIn, YouTube)
• “Why Infrastructure as Code Is Setting You up to Make Bad Things Faster” blog

We interview Tim Hinrichs, Co Founder and CTO at Styra (the creators and maintainers of Open Policy Agent (OPA)). Listen as Tim explains: 1. The problem enterprises face with policy mgmt. 2. What is the state of Policy as code today. 3. How the industry and Open Source solve problems for the Enterprise. 4 What is the role of OPA in problem solving. 5. What’s missing or what are the gaps in Policy management today? Learn more at www.onug.net