Chapter 10. Making Security Policies Fit-for-Purpose
Who
- Engineers
- Business Functions
Why
Deep in the heart of the security department are many tombs of wisdom. On the front covers of these tombs are inscribed the hallowed phrases “ISO 27001,” “NIST,” and other well-recognized and revered phrases. However, you wouldn’t be remiss if you overlooked these tombs, which are under a thick layer of dust that is disturbed only when the security department is called on to “assess your risk,” or worse, under the inspection of a regulator. Often in such cases, the interrogating party inflicts the will of policy on the accused (engineering department), demanding “proof of execution,” “sample evidence to spot-check,” and all “exceptions.”
It shouldn’t be like this. There has often been a vast separation between the intent of policies as expressed in prose and how distributed systems operate. Long gone are the days in which a spot check of a system’s controls can be considered indicative of the system’s current state. With many enterprises leveraging hyperscale technologies using consistent control planes like Google Anthos, we have an opportunity to codify prose into software-based controls at build and runtime. In doing so, we can make security policies fit-for-purpose.
How
The most effective security policies are developed hierarchically and have traceability from their lowest levels of technical implementation to their highest levels ...
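The two ideas above, codifying prose policy into controls that run at build time and keeping traceability from the technical check up to the policy statement, can be shown in a small policy-as-code evaluator. The following is an added example, not code from the book or from any Google Anthos product; the policy, control and check IDs, the bucket configuration fields and the sample resources are all constructed for illustration and do not correspond to clauses of ISO 27001, NIST or any real standard.

```python
"""Policy-as-code with traceability (constructed example).

Hierarchy: a prose policy statement -> a control (what must be true) ->
a technical check (a function over a resource configuration). Each layer
records the ID of its parent, so a failing check can be rolled up to the
policy statement it exists to satisfy.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Policy:
    policy_id: str
    statement: str


@dataclass
class Control:
    control_id: str
    policy_id: str          # parent policy this control implements
    statement: str


@dataclass
class Check:
    check_id: str
    control_id: str         # parent control this check verifies
    description: str
    evaluate: Callable[[dict], bool]


@dataclass
class Finding:
    check_id: str
    control_id: str
    policy_id: str
    resource: str
    passed: bool


# Constructed hierarchy; the IDs are illustrative placeholders only.
POLICIES = {"POL-1": Policy("POL-1", "Customer data is protected at rest.")}
CONTROLS = {
    "CTL-1.1": Control("CTL-1.1", "POL-1", "Buckets encrypt data with a customer-managed key."),
    "CTL-1.2": Control("CTL-1.2", "POL-1", "Buckets are not readable by everyone."),
}
CHECKS = [
    Check("CHK-1.1a", "CTL-1.1", "bucket has a KMS key configured",
          lambda r: bool(r.get("encryption", {}).get("kms_key"))),
    Check("CHK-1.2a", "CTL-1.2", "bucket grants no all-users principal",
          lambda r: not ({"allUsers", "allAuthenticatedUsers"} & set(r.get("iam_members", [])))),
]


def evaluate(resources: List[dict]) -> List[Finding]:
    """Run every check against every resource, preserving the trace chain."""
    findings: List[Finding] = []
    for res in resources:
        for chk in CHECKS:
            ctl = CONTROLS[chk.control_id]
            findings.append(Finding(chk.check_id, ctl.control_id, ctl.policy_id,
                                    res["name"], chk.evaluate(res)))
    return findings


def failures_by_policy(findings: List[Finding]) -> Dict[str, List[str]]:
    """Roll failing checks up to the policy statement they trace to."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        if not f.passed:
            out.setdefault(f.policy_id, []).append(f"{f.resource}:{f.check_id}")
    return out


def build_gate(resources: List[dict]) -> bool:
    """Build-time gate: True only when no check fails for any resource."""
    return not failures_by_policy(evaluate(resources))


# Constructed sample of declarative bucket configs, as a pipeline might read
# them from a repository before deployment. Field names are assumptions.
SAMPLE_RESOURCES = [
    {"name": "orders-prod",
     "encryption": {"kms_key": "projects/p/locations/l/keyRings/r/cryptoKeys/k"},
     "iam_members": ["group:data-eng@example.com"]},
    {"name": "marketing-assets", "encryption": {}, "iam_members": ["allUsers"]},
]

if __name__ == "__main__":
    for pol_id, fails in failures_by_policy(evaluate(SAMPLE_RESOURCES)).items():
        print(f"{pol_id} '{POLICIES[pol_id].statement}' violated by: {fails}")
    print("build gate:", "PASS" if build_gate(SAMPLE_RESOURCES) else "FAIL")
```

Running the file reports the second bucket against POL-1 with both failing check IDs, and the gate fails; the same evaluation can run again at runtime against live configuration, so the evidence a regulator asks for is the evaluator's output rather than a spot check.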