Policy Design in the Age of Digital Adoption

Book description

A proven methodology to build a PolicyOps function and public policy design frameworks for digital adoption, supporting your organization's journey into new paradigms and service models such as Cloud, SaaS, CaaS, FaaS, and DevOps

Key Features

  • Understand and define policies that can be consumed across the business
  • Leverage a framework to embed Policy as Code into the organization
  • Learn how to use Open Policy Agent and its powerful policy language, Rego

Book Description

Policy as Code (PaC) is a powerful paradigm that enables organizations to implement, validate, and measure policies at scale. Policy Design in the Age of Digital Adoption is a comprehensive guide to understanding policies, their design, and implementation for cloud environments using a DevOps-based framework. You'll discover how to create the necessary automation, its integration, and which stakeholders to involve.

Complete with essential concepts, practical examples, and self-assessment questions, this book will help you understand policies and how new technologies such as cloud, microservices, and serverless leverage Policy as Code. You'll work with a custom framework to implement PaC in the organization, and advance to integrating policies, guidelines, and regulations into code to enhance the security and resilience posture of the organization. You'll also examine existing tools, evaluate them, and learn a framework to implement PaC so that technical and business teams can collaborate more effectively.

By the end of this book, you'll have gained the confidence to design digital policies across your organizational environment.

What you will learn

  • Understand policies, guidelines, regulations and how they fit together in an organization
  • Discover the current policy-related challenges brought by digital transformation
  • Find out about Open Policy Agent (OPA) and other policy engines for different environments
  • Get to grips with the latest developments in PaC through a review of the literature, toolset, and usage
  • Explore the PaC framework to develop trust at scale, leveraging patterns and best practices
  • Become familiar with tool evaluation and selection using real-world examples

Who this book is for

From decision-makers, such as chief information officers (CIOs) and chief information security officers (CISOs) responsible for effecting change horizontally in an organization, to cloud and DevOps architects and engineers, this book will help professionals involved in designing, implementing, and measuring policies in their organizations. A basic understanding of concepts such as cloud-native technologies, Infrastructure as Code, DevOps, and automation is necessary to get started with this book.

Table of contents

  1. Policy Design in the Age of Digital Adoption
  2. Contributors
  3. About the author
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share your thoughts
  6. Section 1: Foundation
  7. Chapter 1: Introduction to Policy Design
    1. The why, what, and how of policies
      1. Why policies
      2. What is a policy?
      3. The how of policies
    2. From design theory to policy implementation
      1. Design thinking theory
      2. Design thinking process
      3. Persuasive system design
      4. An overlay framework for designing policies
    3. Policy design – key issues, tools, designs over time, and effectiveness
      1. Suasion tools
      2. Authority tools
      3. Financial tools
      4. Conflict management
      5. Understanding the three Cs for effective policy design
    4. The business value of digital policies
      1. Effective digital programs
      2. Governance agility
    5. Summary
  8. Chapter 2: Operationalizing Policy for Highly Regulated Industries
    1. Highly regulated industries and their policy needs
      1. Financial Services Industry (FSI)
      2. Healthcare
    2. Policy through catalog controls
      1. National Institute of Standards and Technology
    3. Access controls for enforcing policies
      1. Security principles
      2. Access controls
    4. Summary
  9. Chapter 3: Policy as Code a Business Enabler
    1. Policies at speed – Policy as Code
      1. Speed as a business enabler
      2. The rise of DevOps
      3. Everything as code
    2. Governance agility – automating policies
      1. The challenges of digital governance
      2. The Cloud Center of Excellence
    3. Business benefits of PaC
    4. Summary
  10. Section 2: Framework
  11. Chapter 4: Framework for Digital Policies
    1. Framework components
      1. Framework overview
      2. Challenge identification
      3. Policy design
      4. Policy implementation
      5. Evaluation
    2. Exploring the framework stages
      1. Real-world examples
    3. Summary
  12. Chapter 5: Policy for Cloud-Native Environments
    1. Technical requirements
    2. Cloud-native environments
      1. Containers
      2. Serverless computing
      3. CaaS versus FaaS
      4. Event-driven architecture
    3. Native policy constructs for FaaS
      1. Components
    4. Native policy constructs for CaaS
      1. Components
      2. Resource policies
    5. Examples of cloud-native policies
    6. Summary
    7. Further reading
  13. Chapter 6: Policy Design for Hybrid Environments
    1. Technical requirements
    2. The challenges of hybrid environments
      1. Hybrid environments
      2. The challenges within hybrid environments
    3. Policy as Code in hybrid environments
      1. Zero trust
    4. Automation, segregation, and enforcement
      1. Detective controls
      2. Preventative controls
      3. Governance
      4. DevSecOps
      5. IAM
    5. An example of a policy spanning hybrid environments
    6. Summary
  14. Chapter 7: Building a Culture of PolicyOps
    1. Technical requirements
    2. PolicyOps – designing, embedding, and managing policies
      1. PolicyOps as an augmentation to DevOps
      2. The benefits of PolicyOps
    3. Policy DLC – coherence, congruence, and consistency
      1. The three Cs
      2. The policy life cycle
    4. Agile policy design
      1. Speed as a key tenet
      2. Policy design in practice
    5. Summary
  15. Section 3: Tooling
  16. Chapter 8: Policy Engines
    1. Technical requirements
    2. Policy engines
      1. What is a policy engine?
    3. Pod Security Policies
      1. Pod Security Admission
    4. Kyverno
      1. Kyverno policies
      2. Architecture
      3. Kyverno main benefits
    5. Sentinel
      1. Sentinel policies
      2. Architecture
      3. Benefits
    6. Open Security Controls Assessment Language
      1. Architecture
      2. OSCAL document properties
    7. K-Rail
      1. K-Rail architecture
      2. K-Rail policies
    8. jsPolicy
      1. jsPolicy architecture
      2. jsPolicy policies
    9. Summary
  17. Chapter 9: A Primer on Open Policy Agent
    1. Technical requirements
    2. Open Policy Agent
      1. Introduction
      2. Architecture
      3. Getting started
      4. Use cases
    3. Rego
      1. Introduction
      2. Examples in the Rego Playground
    4. Open Policy Agent extension and integration
      1. API integration
      2. Extending OPA
    5. Summary
  18. Chapter 10: Policy as Code Tool Evaluation
    1. Technical requirements
    2. Cloud-native open source ecosystems
      1. Cloud Custodian
      2. SPIFFE
      3. Parliament
    3. Vendor ecosystems
      1. HashiCorp
      2. Styra
      3. RegScale
      4. OKTA
    4. CSP-native capabilities
      1. AWS
      2. Microsoft Azure
      3. GCP
    5. The evaluation framework
      1. The main pillars
      2. Evaluation
      3. CMMI
    6. Summary
  19. Chapter 11: Cloud Providers Policy Constructs
    1. Technical requirements
    2. Types of CSP policies
      1. Adoption
      2. Regulations
      3. CSP-specific
    3. AWS native policy offerings
      1. Service control policies (SCPs)
      2. AWS Organizations
      3. AWS Control Tower
    4. Azure native policy offerings
      1. Azure management groups
      2. Azure Policy
      3. Azure Blueprints
    5. Google Cloud native policy offerings
      1. Organizational policies
      2. Google Cloud Foundation
      3. Policy Analyzer
    6. Summary
  20. Chapter 12: Integrating Policy as Code with Enterprise Workflows
    1. Technical requirements
    2. Integration with existing enterprise workflow software
      1. Enterprise frameworks
      2. Vendor ITSM
    3. Policy as Code automated life cycle
      1. CI/CD
      2. Policy testing
    4. Designing for automated policy enforcement across the enterprise
    5. Summary
  21. Chapter 13: Real-World Scenarios and Architectures
    1. Technical requirements
    2. A cost policy scenario
      1. Framework analysis
    3. An authorization policy scenario
      1. Framework analysis
    4. A service migration policy scenario
      1. Framework analysis
    5. A compliance enforcement scenario
      1. Framework analysis
    6. Summary
    7. Why subscribe?
  22. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share your thoughts

Product information

  • Title: Policy Design in the Age of Digital Adoption
  • Author(s): Ricardo Ferreira
  • Release date: May 2022
  • Publisher(s): Packt Publishing
  • ISBN: 9781801811743