Accelerating Secure Infrastructure Deployments with Policy as Code Authorization


Introducing the broadest policy library and toolset for Kubernetes, Terraform and CloudFormation

TLDR

Styra is today introducing a better way for platform engineering teams to empower hundreds or thousands of developers and accelerate their infrastructure deployments, including the broadest policy library and infrastructure authorization toolset for Kubernetes, Terraform and CloudFormation. Here are some of the key details:

  • New and expanded compliance policies for NIST SP 800-190 Application Container Security, Kubernetes Pod Security and more
  • Hundreds of Styra validated AWS, Azure, GCP and Kubernetes policies for Terraform from leading open-source libraries
  • New and expanded support for Terraform and AWS CloudFormation

Register now for the Feb 16 webinar, Accelerating Secure Infrastructure Guardrails, for an in-depth review of these new features.

A better option for platform engineering and cloud infrastructure teams

Platform engineering teams, more critical than ever to the success and security of enterprise software development organizations, are under unprecedented pressure.

As enterprises build and run cloud-native applications and accelerate their time to market, platform engineering teams are responsible for empowering hundreds or even thousands of developers — for rapidly configuring the right infrastructure resources to build and support mission-critical applications with self-service platforms. In that effort, delivering secure, compliant and operationally sound infrastructure is the highest priority, given today’s expanding threat landscape, strict regulatory environment and the reality that developers can and often do inadvertently make mistakes with self-service infrastructure. As such, implementing policy guardrails around infrastructure that automatically enforce security and compliance best practices using policy as code authorization with Open Policy Agent (OPA) has become core to the role of platform engineering.

We think platform engineers should focus their time and resources on building better developer platforms, not on creating new guardrails from scratch. The reality is that building secure guardrails often involves significant manual, custom policy creation, policy management and undifferentiated heavy lifting that poses a major roadblock to delivering infrastructure and resources on time. This includes creating test coverage to ensure that authorization controls work as intended.

Introducing the broadest policy library, new NIST Special Publication (SP) 800-190 policies and expanded Styra DAS features

Now, enterprise platform engineering teams have access to an essential authorization toolset that features the broadest library of validated policies for Kubernetes, Terraform and CloudFormation (along with new and expanded features that make your lives much easier). This not only eliminates manual policy creation, but enables you to systematically reduce production risk with easy-to-deploy policy templates and editing tools, across platforms.

Here are the major points. With our new updates, Styra empowers platform teams managing infrastructure to:

  • Eliminate manual policy creation and systematically reduce production risks for infrastructure deployments with easy-to-deploy policy templates and editing tools.
  • Easily enforce best practices and compliance for Kubernetes clusters with NIST SP 800-190 Application Container Security Guide compliant policies from Styra, plus an expansive collection of Styra validated policies for PCI DSS, MITRE ATT&CK, CIS Benchmarks and Pod Security Compliance.
  • Deploy faster, compliant Terraform policies with hundreds of Styra validated AWS, Azure, GCP and Kubernetes policies for Terraform from leading open-source tools and libraries.
  • Enforce policy guardrails on CloudFormation stacks preventing AWS resource misconfiguration.

Expanded Terraform support, new CloudFormation guardrails and custom templates mirroring Gatekeeper

These new Styra additions dramatically expand the number of out-of-the-box policies available to Styra DAS users. We’re also making it easier for platform engineering teams to leverage the cloud-native tools and cloud platforms they already know and use alongside Styra DAS. That’s why two of our new additions revolve around some of the most popular infrastructure-as-code platforms, HashiCorp Terraform and AWS CloudFormation. Here are more details on these updates.

NEW Expanded Compliance. This includes a Compliance Pack to instantly adhere to the NIST SP 800-190 Application Container Security Guide, as well as expanded policies for 1) Kubernetes Pod Security that align to the new baseline Pod Security Standards and 2) expanded CIS Benchmarks. Moreover, we have an expansive collection of Styra validated policies for PCI DSS and MITRE ATT&CK. Note: customers will be able to apply and monitor v2 of our Pod Security Compliance Pack while retaining the previous v1 policies (in other words, monitoring compliance without affecting system decisions, then enforcing the new policies when you’re ready).

Total Kubernetes policies: over 130

NEW Expanded Terraform library for AWS, Azure and GCP. This includes 500 new rules imported from the fantastic KICS project (we love you KICS!), which allows you to house all of your best-practice policies under one roof. This functionality is also available in the Repo Scan System Type to determine compliance in your existing repositories. Note: with our commitment to supporting open-source projects using OPA and Rego, we’re excited to work with the KICS library and contribute new policy improvements back for others to enjoy.

NEW Flexible Decision Outputs with Terraform. We’re thrilled to also introduce the Styra DAS Terraform System Type v2 Beta for select Enterprise customers, which provides additional metadata context for policy violations within Terraform, while at the same time allowing users to implement rule exceptions for the first time with Terraform in DAS. This gives users greater control over their Terraform guardrails, with expanded intelligence around policy decisions. Look for our next blog post in early February announcing general availability of the new Terraform System Type version to all Styra DAS users. Note: Styra built-in rules are now compatible with the newest AWS, Azure and GCP provider versions, which gives customers more robust resource controls and better extensibility across any cloud deployment.

Total Terraform policies: nearly 600

NEW Expanded support for Terraform Enterprise. In addition, users of Styra DAS Terraform Enterprise run tasks will now be able to leverage the Styra Relay Client for Styra DAS to communicate with network-isolated Terraform Enterprise environments. For enterprises with self-hosted operations, this is a much-needed update that enables full-featured support of those environments.

NEW AWS CloudFormation Policy Guardrails. With a new Styra DAS CloudFormation System Type (in Beta), users can now enforce policy guardrails on CloudFormation stacks at AWS resource creation, update and deletion — preventing AWS resource misconfigurations before any resource changes occur. This is the first general-purpose, third-party CloudFormation Hook on the market, and is available in all AWS regions for Enterprise customers. Moreover, the Beta System Type includes nearly 250 pre-built policies for a wide range of AWS CloudFormation resources.

Total AWS CloudFormation policies: roughly 250

REMINDER — Custom Snippets Match Gatekeeper Constraint Templates. Since many OPA users have asked, the answer is absolutely yes: Styra DAS fully matches the functionality of Gatekeeper CRDs with our Custom Snippets feature. Many OPA users leverage Gatekeeper, a great OSS addition from the brilliant OPA community, for Kubernetes admission control. We feel that Gatekeeper makes sense and works well for small deployments (one to a few clusters). However, as enterprise users scale (managing different policies across tens, hundreds or even thousands of clusters), they typically recognize the extensive DIY engineering investment and maintenance required to build basic feature sets for mature deployments (such as auditing and multi-cluster or multi-cloud policy management, let alone reporting or impact analysis). They also typically have concerns about the lack of enterprise guidance and support with DIY. Hence, a few common questions: can you get set up quickly, like with Gatekeeper? Can you support me from Day 0 to Day 2 with equivalent functionality? Do you create a path to scale? For all of these, the answer remains yes.

Get Started with Secure Infrastructure Guardrails

Platform engineering teams form the backbone of enterprise software development organizations today. Leveraging automated policy as code infrastructure guardrails, they can not only ensure the security, compliance and operational health of their deployments, but build better, more efficient developer platforms that unleash the power of their developers.

Have questions about infrastructure guardrails with Styra or want to get your hands on the product? Book a demo with a Styra team today!
