Modern Applications: Control with policy-governed practices
In our latest eBook, created in partnership with Microsoft, ‘Start in control and stay in control’, we propose five key principles. During this series we are discussing each of these principles in depth; today it is ‘Control with policy-governed practices’.
Traditionally, there has always been a perceived conflict between innovation and agility on one hand and policies and processes on the other. Free-thinking innovators want to develop and create without any obstacles in their way, yet policymakers are keen to ensure governance structures are being adhered to.
While the opportunities that the cloud and other platforms offer can bring innovation to organizations of all sizes, policies ensuring security and compliance must be aligned with such technological evolution.
Secure enablement versus centralized governance
Governing an organization centrally was often the default option, as it was - in many ways - the easiest approach. Yet this centralized approach is not fit for purpose for innovation-ready enterprises, as it can create bottlenecks which, in turn, make governance restrictive and burdensome.
What we propose is a model of secure enablement - at team level - which maintains security by prohibiting the actions that lead to threats, while guiding teams toward the actions they may take, with unified objectives in mind.
These two aims need to be at the heart of policies collaboratively developed by IT and business. This will serve as a framework for decision-making on how teams work, and not a bottleneck which impedes innovation.
Forget a centralized approach: secure enablement leads to agility and good governance.
Define policies for different platforms
Before governance structures can be put in place, organizations need to define their corporate policies. This means documenting business risks, converting risk decisions into policy statements, and establishing processes to monitor violations on each platform.
The first policy platform is the Cloud. The Microsoft Cloud Adoption Framework proposes five disciplines of cloud governance. They are:
- Cost management: Evaluate costs, limit IT spend, scale to meet need, and create cost accountability.
- Security baseline: Apply a security baseline to all adoption efforts.
- Resource consistency: Ensure consistency in resource configuration.
- Identity baseline: Ensure identity and access baselines are enforced by consistently applying role definitions and assignments.
- Deployment acceleration: Accelerate deployment through centralization, consistency, and standardization across deployment templates.
The second policy platform is DevOps. Typically, these policies cover intellectual property and the use of open source and InnerSource within the enterprise. They are also necessary for securing the software supply chain.
Lastly, there are policies for low code. Broadly speaking, such policies should remove the risk of uncontrolled usage and establish security baselines and app consistency, among other things.
Having policies for these three distinct platforms will allow an organization to make necessary choices for their projects and apps, but without compromising the organization or slowing down the teams within it.
One size does not fit all: different policies are required for different platforms.
Automate policies
As part of the design process of policies, automation must be built in. Automation can’t be an afterthought; it must be a central tenet.
Policies need to be designed so that guardrails, validation, and countermeasures are automated, as this leads to frictionless enforcement. Only with frictionless enforcement will policies be adhered to without slowing down the technological ambitions of the respective teams.
For example, several tools exist to make the life of DevOps teams easier when it comes to complying with cloud policies. Using PSRule from Microsoft, we can create rules that test the compliance of our infrastructure-as-code scripts prior to deploying, removing the frustration of having pipelines fail due to policy denials.
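To make the PSRule approach concrete, here is an added example (not taken from the eBook or from Sogeti's materials) of two organization rules and a script that evaluates them before deployment. The rule names, the file names and the sample storage-account resources are all constructed for illustration; the `Rule` keyword, `$Assert.HasFieldValue`, `Invoke-PSRule` and `Assert-PSRule` are PSRule's own.

```powershell
# --- File: .ps-rule/Org.Storage.Rule.ps1 (hypothetical file name) ---
# PSRule discovers *.Rule.ps1 files in the directory passed to -Path.

# Synopsis: Storage accounts must only accept encrypted (HTTPS) traffic.
Rule 'Org.Storage.HttpsOnly' -If { $TargetObject.type -eq 'Microsoft.Storage/storageAccounts' } {
    $Assert.HasFieldValue($TargetObject, 'properties.supportsHttpsTrafficOnly', $true)
}

# Synopsis: Storage accounts must require TLS 1.2 as the minimum protocol version.
Rule 'Org.Storage.MinTls12' -If { $TargetObject.type -eq 'Microsoft.Storage/storageAccounts' } {
    $Assert.HasFieldValue($TargetObject, 'properties.minimumTlsVersion', 'TLS1_2')
}

# --- File: Test-Policy.ps1 (hypothetical; run locally or as a pipeline step) ---
# Install-Module -Name PSRule -Scope CurrentUser   # one-time setup

# Constructed sample resources standing in for the parsed infrastructure-as-code output.
$resources = @(
    [pscustomobject]@{
        name       = 'stcompliant01'
        type       = 'Microsoft.Storage/storageAccounts'
        properties = [pscustomobject]@{ supportsHttpsTrafficOnly = $true;  minimumTlsVersion = 'TLS1_2' }
    },
    [pscustomobject]@{
        name       = 'stlegacy02'
        type       = 'Microsoft.Storage/storageAccounts'
        properties = [pscustomobject]@{ supportsHttpsTrafficOnly = $false; minimumTlsVersion = 'TLS1_0' }
    }
)

# Evaluate every rule against every resource and show the outcome per rule.
# Expected: stcompliant01 passes both rules, stlegacy02 fails both.
$resources | Invoke-PSRule -Path .\.ps-rule\ | Format-Table TargetName, RuleName, Outcome

# In a pipeline, Assert-PSRule fails the step when any rule fails,
# so a non-compliant template never reaches the deployment stage.
$resources | Assert-PSRule -Path .\.ps-rule\
```

Running the rules locally with `Invoke-PSRule` gives developers the same verdict the pipeline will give, which is what removes the surprise of a late policy denial; `Assert-PSRule` is the enforcement point in the pipeline itself.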
Avoid manual enforcement at all costs: automate your policies.
Proactive and reactive policies
It is often thought that policies lead to strict guardrails which create established lines that cannot be crossed. Yet in innovative organizations, those lines are often flexible, allowing for the possibility that they may need to be crossed. This leads to the creation of proactive and reactive policies.
A proactive control provides security and compliance boundaries by leveraging platform capabilities such as identity and access management.
For example, authorization in multi-role apps with dynamic roles should not be implemented ad hoc inside each process. Instead, standardization is vital to avoid security issues. Defining a policy that dictates a single source of ‘access truth’, with calls to the security engine immediately at entry into the service, means that security management is easily located by auditors.
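The following is an added illustration of that proactive control, not code from the eBook or from any Sogeti or Microsoft product: a single authorization function is the only place where an allow/deny decision is taken, it is called once at the service entry point, and every decision lands in one audit trail. The role assignments, permission matrix, principals and invoice actions are constructed sample data; in a real service they would come from the directory or policy engine.

```powershell
# Constructed role assignments and permission matrix standing in for the
# organization's identity store (hypothetical data).
$script:RoleAssignments = @{
    'alice@example.com' = @('Approver', 'Reader')
    'bob@example.com'   = @('Reader')
}
$script:RolePermissions = @{
    Reader   = @('invoice:read')
    Approver = @('invoice:read', 'invoice:approve')
}
# One audit trail for every authorization decision taken in the service.
$script:AuditLog = [System.Collections.Generic.List[object]]::new()

# The single source of access truth: the only function that turns
# (principal, action, resource) into an allow/deny decision.
function Get-AccessDecision {
    param(
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$Action,
        [Parameter(Mandatory)][string]$Resource
    )
    # Unknown principals get no roles and therefore no permissions (deny by default).
    $roles = if ($script:RoleAssignments.ContainsKey($Principal)) { @($script:RoleAssignments[$Principal]) } else { @() }
    $allowed = $false
    foreach ($role in $roles) {
        if ($script:RolePermissions[$role] -contains $Action) { $allowed = $true }
    }
    $decision = [pscustomobject]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString('o')
        Principal = $Principal
        Roles     = ($roles -join ',')
        Action    = $Action
        Resource  = $Resource
        Allowed   = $allowed
    }
    $script:AuditLog.Add($decision)
    return $decision
}

# Service entry point: the decision is taken once, here, before any business logic runs.
# The handlers in the switch contain no authorization code of their own.
function Invoke-ServiceRequest {
    param(
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$Action,
        [Parameter(Mandatory)][string]$Resource
    )
    $decision = Get-AccessDecision -Principal $Principal -Action $Action -Resource $Resource
    if (-not $decision.Allowed) {
        return [pscustomobject]@{ Status = 403; Body = "Access denied for $Action on $Resource" }
    }
    switch ($Action) {
        'invoice:read'    { return [pscustomobject]@{ Status = 200; Body = "Contents of $Resource" } }
        'invoice:approve' { return [pscustomobject]@{ Status = 200; Body = "$Resource approved" } }
        default           { return [pscustomobject]@{ Status = 400; Body = "Unknown action $Action" } }
    }
}

# Constructed requests: bob may read but not approve; an unknown principal is denied.
Invoke-ServiceRequest -Principal 'bob@example.com'     -Action 'invoice:read'    -Resource 'INV-1001'
Invoke-ServiceRequest -Principal 'bob@example.com'     -Action 'invoice:approve' -Resource 'INV-1001'
Invoke-ServiceRequest -Principal 'mallory@example.com' -Action 'invoice:read'    -Resource 'INV-1001'

# Auditors review one table instead of hunting for checks scattered through handlers.
$script:AuditLog | Format-Table Timestamp, Principal, Roles, Action, Resource, Allowed
```

The design choice to note is that business handlers cannot bypass or re-implement the check, because they are only reached after `Get-AccessDecision` has allowed the request; changing who may do what is a change to the role data, not to application code.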
A reactive control allows for innovation while keeping insights and providing guidance when needed.
Compliance monitoring and Just-In-Time learning
Deploying compliance dashboards which are aided by automated policy review and evaluation ensures that a robust compliance practice is in place. This will give organizations the confidence that their policies are not only being adhered to, but their business goals are also on track.
When agile and innovative organizations adopt new technology quickly and securely, developers will have to acquire the skills needed to stay compliant. With Just-In-Time learning, teams will be able to keep up with current policies by receiving short, targeted learning experiences relevant to specific policies via a quick reference guide or interactive simulations.
Just-In-Time learning: Learn what you need, when you need it.
Take action
As technology evolves, corresponding policies and processes - and how they are designed and deployed - must evolve too. Without a policy framework which can support the swift and efficient deployment of innovative technologies, organizations will not be in a position to take timely advantage of such technology and will be at a serious competitive disadvantage.
Sogeti and Microsoft have been strategic partners for more than 25 years. Together, to demonstrate the strength of our technical alignment, we bring you the latest eBook: ‘Start in control and stay in control – five cloud native adoption principles for enterprises’.
- Pierre-Olivier Patin, Global CTO Cloud & DevOps