Why business policy and IT policy are like the next crossroads in ERP
Moving commercial business policy forward into the digital age requires a deeper reliance on cloud-based automation control from the IT function. For this to happen effectively, we need to form a new intersection between traditional business policy and a new type of IT policy controls.
This is the birth of Policy-as-Code at the technology infrastructure level, a systems operations approach designed to enable IT services to function properly, even when under great pressure to adapt, or in the face of cyber security threats.
Policy-as-Code is one of those IT industry terms without a definitive definition. It is as confusing at first as serverless computing, but it actually comes from the same concept of system virtualization.
In serverless computing, there are many servers located in the data center of our chosen cloud service provider. We use the term to denote an application whose server allocation is decided only when it is actually needed. Through virtualized server provisioning we can (at least in theory) save resources and increase efficiency.
A defined set of network mechanics
Policy-as-Code derives from the same kind of virtualized system-level control that enabled us to go serverless. It allows us to specify a defined set of network mechanics in the form of policy rules that govern how data services, applications, and their associated components and connections operate with respect to compliance, operational excellence, and security.
In the most basic terms, Policy-as-Code boils down to the systemic level of ‘if, then, else’ evolution. For example: if a security warning appears, apply this patch or raise this warning; otherwise, if it is already installed, take no further action.
Why is there a need for Policy-as-Code at all? Because as great as it looks on the surface, real-world application of cloud computing has never been a perfect science. Analyst house IDC estimates that just over two-thirds (67 percent) of cloud breaches are the result of misconfigured applications or instances of clunky misconfigured infrastructure.
In the modern infrastructure-as-code (IaC) era, one would hope for greater harmony given that IaC also relies heavily on security best practices, but even in cloud automation, the entire process starts with a human in the loop or has administration and management involved at some stage.
“Whether for regulatory purposes or internal business requirements, policy enforcement is now an integral part of the responsibility of many operations teams,” says Deepak Giridharagopal, CTO at Puppet. “However, if compliance depends on human effort, it is impossible to keep up with the rapid pace of change that is inevitable in modern IT infrastructure. This is why we need constant compliance, which is best achieved through Policy-as-Code and the application of the principles of control loops.”
What can policy-as-code control?
The question is how far Policy-as-Code can go and what level of control it should be able to exercise over an organization’s IT systems. In a world of distributed IT teams working across a range of multi-cloud services, using different programming languages with different configuration protocols and techniques, all embracing different workflow methodologies, the penetration of Policy-as-Code probably needs to match both the diversity and the security attitude of the environment to which it is actually applied.
By adopting Policy-as-Code, an organization is able to put controls in place that will translate directly into system-level operational decisions. Always fairly binary in nature – there’s a right and wrong way, no middle ground – Policy-as-Code lays down the law for IT decision-making.
These decisions can be used to determine where and when (or indeed, if) applications and services can be exposed to external connection points via application programming interfaces. They can also determine which software protocols and code structures are allowed, or can be used to adjust system behavior to keep the IT stack compliant with legal and regulatory requirements.
Achieving continuous compliance
Giridharagopal explains how codifying technology policies as code makes them subject to revision, testing, sharing, reuse and peer review. This, he suggests, means that software code can be fed into intelligent systems that can apply those rules across the fleet, not just when the systems are first provisioned, but continuously throughout their lifetime in service.
“This allows us to progress to the point where people can focus on the policies themselves, while the software focuses on implementing them and fixing any anomalies it encounters in the process. For all the reasons that infrastructure-as-code is an indispensable part of modern system administration, so too should policy-as-code be a modern foundation,” he says.
He reminds us that given the point of advancement we are at today with automation, the more we can automate, the more time, cost and risk we can reduce. So, the Puppet CTO surmises, the latest generation of continuous compliance systems can also include automatic fixes for detected policy issues, such as reconfiguring the affected system.
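The control loop described above, as an added example that is not code from Puppet, Progress or the original article: policy rules are held as data, each pass evaluates the fleet, fixes drift where a fix is defined, and raises an alert where a person must decide. The rule names, inventory fields and patch identifier are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

REQUIRED_PATCH = "PATCH-EXAMPLE-1"   # constructed placeholder, not a real advisory
ALLOWED_TLS = {"1.2", "1.3"}         # assumed protocol allow-list

@dataclass(frozen=True)
class Rule:
    rule_id: str
    applies: Callable[[dict], bool]               # which resources the rule governs
    compliant: Callable[[dict], bool]             # the "if" test
    remediate: Optional[Callable[[dict], None]]   # the "then"; None means alert only

RULES = [
    Rule("no-public-buckets",
         lambda r: r["kind"] == "bucket",
         lambda r: not r["public"],
         lambda r: r.update(public=False)),
    Rule("hosts-patched",
         lambda r: r["kind"] == "host",
         lambda r: REQUIRED_PATCH in r["patches"],
         lambda r: r["patches"].append(REQUIRED_PATCH)),
    Rule("external-tls-allowed",
         lambda r: r["kind"] == "service" and r["external"],
         lambda r: r["tls"] in ALLOWED_TLS,
         None),  # protocol changes can break clients, so a human decides
]

def sample_fleet():  # constructed inventory; every id and field is made up
    return [
        {"id": "bucket-logs", "kind": "bucket", "public": True},
        {"id": "web-01", "kind": "host", "patches": []},
        {"id": "web-02", "kind": "host", "patches": [REQUIRED_PATCH]},
        {"id": "api-gw", "kind": "service", "external": True, "tls": "1.0"},
    ]

def reconcile(fleet, rules=RULES):
    """One pass of the control loop: evaluate, fix what can be fixed, report."""
    findings = []
    for res in fleet:
        for rule in rules:
            if not rule.applies(res) or rule.compliant(res):
                continue                      # the "else": no further action
            action = "alert"                  # no automatic fix defined
            if rule.remediate is not None:
                rule.remediate(res)
                action = "remediated" if rule.compliant(res) else "fix-failed"
            findings.append((res["id"], rule.rule_id, action))
    return findings
```

Calling `reconcile` repeatedly on the same fleet is what makes compliance continuous: the first pass corrects drift, and later passes return only the findings that still need a human.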
Policy-as-Code mapping
Implementing a real-world Policy-as-Code application into a functional IT deployment involves what we can call a mapping process. Starting with human interpretation of system rules, best practices, and compliance requirements, the operational conditions these guidelines predict are codified and then mapped into a state where they can be digitally interpreted and ultimately enforced.
Explaining Policy-as-Code as what he calls a “very natural extension” beyond corporate business policy, the CEO of the infrastructure software company Progress, Yogesh Gupta, advocates this approach as a means to finally implement traditional IT policy guidelines.
“For too long there has been an unfortunate gap between what IT policy actually represents, characterizes and contains in any organization and conversely, what is physically implemented,” says Gupta. “When we operate in a Policy-as-Code world, technology policies must be both machine-readable and machine-enforceable.”
Looking at the reality of organizations moving towards the benefits of Policy-as-Code, Gupta is realistic yet optimistic about the challenges that firms will face across business verticals. He says that an IT policy manual written by software engineers that can only be interpreted by machines and other employees in the technology department is good, but not good enough. He insists that a broader instructional format is needed so that it can be understood by subject matter experts, domain experts, and business managers.
According to a GigaOm white paper, ‘The [Policy-as-Code] space is rapidly evolving and depends heavily on how the infrastructure is provisioned and managed, along with how applications communicate. [Enterprise organisations] should consider their existing infrastructure and application development tool plans when looking for a Policy-as-Code solution to ensure it will be interoperable for years to come.’
Effect as code
Given the penetration of cloud computing with all its layers of virtualized and abstracted entities, this entire discussion is consistent with current approaches to automation with artificial intelligence and IT systems now benefiting from a level of autonomous management.
From applications to databases to complete computer structures, the effect as code permeates every level. Logically, the higher level policy coding process should also fall into place.
Where businesses already have a customer service policy, an investment policy and a workplace conduct policy, they can now have an IT policy that contains a deeper level of automated internal digital governance in the form of Policy-as-Code.
Can we go deeper than Policy-as-Code, or is this the innermost shell of the IT functions of our planet as we stand today? The answer for now is no, this is the base layer. But let’s not foreclose the broader possibility that the code-like approach could evolve to apply to something even more granular, cerebral or perhaps human.
Inevitably, we may expect You-As-Code at some stage, so make sure you stay readable and machine-implementable.