Policies-as-Code will transform your organisation if you tackle these three key challenges
During the first weeks of the Corona lockdowns I wrote an article called “Policy-as-Code deserves your full attention, and here's why”. At the time I was captivated by the possibilities and promises of Policy-as-Code (PaC). I remember that finding data and information was quite hard: the concept was very new and little had been published yet.
Fast forward two years to the present day, and much has happened. Not only did we beat Corona, but PaC has also become a concept that gets a lot of attention. A simple Google search now yields plenty of material to get educated on the concept, for example articles like:
- WTF is Policy-as-Code?
- What is Policy-as-Code? A complete guide
- The importance of Policy as Code in Your Compliance Strategy
And recently even a book was published: Policy Design in the Age of Digital Adoption: Explore how PolicyOps can drive Policy as Code adoption in an organization's digital transformation.
It’s not just on the internet that you see the interest in PaC growing. Our team at PwC FSTech currently gives hands-on support to clients that aim to adopt the PaC concept enterprise-wide. From this practical experience we see some key challenges organisations face, which I would like to share with you.
Challenge 1: Enterprise wide adoption of Infrastructure-as-Code
To fully benefit from the PaC concept, your organisation requires an enterprise-wide adoption of Infrastructure-as-Code (IaC). At the very core of the PaC concept is the notion that all provisioning of infrastructure is done using IaC: a policy can only be checked automatically against infrastructure that is described in code.
First, this requires you to transform your infrastructure provisioning process: from a largely manual provisioning process run by specialised and highly skilled central infrastructure teams, to automated provisioning by less specialised, decentralised application teams using IaC.
This requires you to rethink your Life Cycle Management (LCM) of provisioning as well. At PwC FSTech we see a lively debate at clients between proponents of a centralised approach, where central teams provide LCM of IaC, and proponents of a decentralised, open-source-like model.
Next, a Solution Architecture for the IaC technology platform must be widely aligned. The key decision is whether to use a generic platform that supports a multi-cloud strategy, or to use a cloud service provider's native platform. Both scenarios have their benefits and downsides. It's important to note that the choice of platform impacts the use of PaC. Bluntly put: every IaC platform has its own syntax, and thus requires its own Policies-as-Code.
In the IaC realm multiple technology platforms are available to support the provisioning of infrastructure using IaC. Terraform is possibly the most well-known, but Azure, AWS and GCP all offer cloud-native platforms as well. The article Infrastructure as Code (IaC): Comparing the Tools gives a nice rundown of possible platforms.
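To make the last point concrete, here is an added example (not code from the article or from PwC): one control, "no publicly readable object storage", has to be implemented once per IaC platform because each platform describes the same bucket in a different shape. The two inputs are constructed, simplified stand-ins for a Terraform plan JSON and a CloudFormation template, and RO-STORAGE-01 is a placeholder id for the risk objective the policy is mapped to.

```python
# Added example, not from the article. The same control written twice, once per IaC
# platform, because Terraform plans and CloudFormation templates have different syntax.
# Inputs below are constructed stand-ins; RO-STORAGE-01 is a placeholder risk-objective id.

CONTROL = "RO-STORAGE-01"
PUBLIC_ACLS = {"public-read", "public-read-write", "PublicRead", "PublicReadWrite"}

# Constructed Terraform-plan-style input (shape loosely follows `terraform show -json`).
TF_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"after": {"acl": "private"}}},
    {"address": "aws_s3_bucket.web", "type": "aws_s3_bucket",
     "change": {"after": {"acl": "public-read"}}},
]}

# Constructed CloudFormation-style input describing the same two buckets.
CFN_TEMPLATE = {"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "Private"}},
    "WebBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
}}

def check_terraform(plan):
    """Terraform flavour of the control: inspect the planned 'after' state of each bucket."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after") or {}   # 'after' is None for deletions
        if rc.get("type") == "aws_s3_bucket" and after.get("acl") in PUBLIC_ACLS:
            findings.append({"control": CONTROL, "platform": "terraform",
                             "resource": rc["address"], "acl": after["acl"]})
    return findings

def check_cloudformation(template):
    """CloudFormation flavour: same control, different document shape and property names."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties") or {}
        if res.get("Type") == "AWS::S3::Bucket" and props.get("AccessControl") in PUBLIC_ACLS:
            findings.append({"control": CONTROL, "platform": "cloudformation",
                             "resource": name, "acl": props["AccessControl"]})
    return findings

def evaluate(plan, template):
    """Run every platform-specific implementation and report violations per control id."""
    return {CONTROL: check_terraform(plan) + check_cloudformation(template)}

if __name__ == "__main__":
    for control, hits in evaluate(TF_PLAN, CFN_TEMPLATE).items():
        for f in hits:
            print(f"{control}: {f['platform']} {f['resource']} is public ({f['acl']})")
```

Adding a third platform means a third implementation of the same control, which is exactly the maintenance load a PaC factory has to plan for.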
Challenge 2: Enterprise wide adoption of Policy-as-Code
The adoption of PaC requires Life Cycle Management of a lot of new code. Therefore, your organisation needs to set up a Policy-as-Code factory: a new delivery organisation trained to write and maintain valid PaC. At PwC FSTech we see a fierce debate in organisations about whether to use centralised or decentralised patterns. With centralised patterns, organisations feel they have more control; with decentralised patterns, there is the advantage of more flexibility.
Next, as with IaC, a Solution Architecture for the PaC technology platform must be aligned. Multiple PaC technology platforms are available, each with its pros and cons.
Challenge 3: Enterprise Wide Adoption of Cloud Native Policy Governance
It’s not enough that a PaC factory creates and maintains Policy-as-Code. This PaC must continuously be kept fully aligned with the organisation's risk objectives, with changes in current architectures and with the outcomes of continuous testing.
This requires a significant reshaping of the current policy governance framework into a Cloud Native Policy Governance Framework.
This starts with awareness and acceptance. Many Risk, Compliance & Governance stakeholders are not aware, and/or have not fully accepted, that a transformation to cloud-native policy governance is a viable step forward.
In addition, new governance processes need to be designed and implemented, with new roles and responsibilities for all involved policy makers. Policy makers have to learn, for example, to work with PaC teams to clarify policy requirements, to support the preparation of testing, and to accept PaC based on test outcomes.
Finally, it’s essential that the policies captured in PaC are linked to the risk objectives and legal frameworks within the organisation. If the organisation changes its strategy, and with that its risk objectives, the impact on the current PaC should be clear and processed by the PaC factory. The same is true for a change in the legal framework: the impact of new regulation should be quickly assessed and addressed by the PaC factory. This mapping of PaC to the current frameworks for risk objectives and legal requirements is quite challenging and time-consuming, requiring alignment with many stakeholders.
Contact
I'm looking forward to hearing your insights and experiences with Policy as Code. Feel free to drop any question I might be able to answer.
Sr Enterprise Account Manager @ LaunchDarkly | Expanding Business in SouthEastern Europe, Middle East and South Africa | Meddpic & CoM | ex HashiCorp / Hortonworks | Olympian Atlanta & Sydney
2 years ago: A lot of organisations not only adopted Infra-as-Code (IaC) but many also apply PaC. I still remember our joint collaboration on this, time to catch up soon!
Product Owner a.i. General Website & Platform Open & MIJN | Driver of Change
2 years ago: Interesting Martin!
Product Architect at Backbase
2 years ago: Great read!