
Cloud Security Podcast by Google
EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?
Guests:
- Dominik Richter, the founder and head of product at Mondoo
Cooked questions:
- What is a policy, is that the same as a control, or is there a difference? And what's the gap between a policy and a guardrail?
- We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud?
- Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now?
- Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams?
- How do organizations grow into safely rolling out new policy as code?
- You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance" and this problem has been unsolved for as long as the cloud has existed. Will your toolset change this?
- There are other frameworks that exist for security testing, like HashiCorp's Sentinel, Open Policy Agent, etc., and you are proposing a new one with MQL. Why do we need another security framework?
- What are some of the success metrics when adopting Policy as Code?
Resources: