When we started Styra, we set out to rethink authorization and policy for the cloud-native environment. We knew that new risks and challenges would emerge as companies embraced the cloud and began using a whole new host of technologies and architectures for building applications. The constant changes and dynamic runtime of the cloud-native environment complicated matters even more. That’s why we created Open Policy Agent (OPA), a common toolset and framework for expressing authorization policy, as the foundation of our vision of unified authorization across the stack.
But no work ends with a vision! Everything that the team at Styra continues to build brings us ever closer to achieving our plan—from developing Rego, to contributing OPA to the CNCF, to building Styra Declarative Authorization Service as our OPA control plane, to enhancing each with new features based on community learnings and best practices. And now, we’ve taken our next big step forward by “democratizing” policy authorization with the Rego Policy Builder. This empowers more policy stakeholders to collaborate, and better take advantage of the speed and security of policy-as-code, even for those stakeholders who aren’t coders themselves.
Decoupling Authorization with Open Policy Agent
Creating OPA was the way we decoupled authorization policies from the software needing authorization decisions. At its core, OPA is a policy engine that tells you, “what can do what and who can do what” and in so doing allows you to decouple policy decision making from policy enforcement.
OPA allows developers to accelerate time to market and focus on creating their apps and adding cool new features to it, instead of worrying about how they are going to write some bespoke policy to handle every authorization corner case on the planet. With OPA handling authorization decisions across the stack, each service, app or platform API just has to handle enforcement of OPA decisions. Decoupling policy in this way not only allows for a single, unified way to codify and enforce policy, but also makes it easier to deliver differentiated features faster, more reliably, and with less risk.
OPA is steadily becoming the de-facto standard for authorization in the cloud-native environment, and as such is moving into production app stacks in some of the largest cloud-native applications in the world. And, like every product or service in production, it needs to be managed, monitored and distributed. That’s why we built our OPA management plane—Styra DAS—in parallel with OPA.
Managing Open Policy Agent with Styra DAS
Styra DAS was purpose-built to serve as a unified control plane for operationalizing OPA in production. When companies move from experimentation to production, they end up with not one, but 10, 100, 1,000 different instances of OPA across their platforms and services. At that scale, they need a control plane, a management plane, a single pane of glass to help write policy, distribute policy, monitor policy, etc.
We don’t want to add more work for developers—we want to save them time to focus on their differentiated app work. Styra DAS allows them to do just that, at scale, by satisfying security, compliance and operational requirements for organizations at the same speed at which developers write and deploy code.
When we first announced Styra DAS in 2019, we offered support for Kubernetes policy because it was the most popular use case in the OPA community. Since then, we’ve expanded with support for microservices and extended context-based authorization to the service mesh. At each stage, we felt that we reached critical milestones on our journey to truly unify authorization across the cloud-native stack.
Simplifying and Accelerating Cloud-Native Policy
Now that organizations have the guardrails necessary to implement a consistent policy framework across the entire app development environment with OPA and Styra DAS, we next set out to simplify the creation of authz policy with a library of best practices and new features to further save developers time to focus on the crucial business problems that their applications were designed to solve.
Styra DAS ships with a built-in library of best practices and security policies sourced from real-world OPA use cases, making it easy to get guardrails up and running quickly. For example, Styra DAS provides a pre-build list of over 100 rules for the K8s use case that embody best practices from all kinds of OPA users. Moreover, by providing a Pod Security Policy Pack, Best Practices Policy Pack, and/or PCI DSS 3.2 Policy Pack, organizations can speed deployment by eliminating the need to research, identify and implement baseline guardrails/policies for Kubernetes clusters.
Styra DAS also offers impact analysis, allowing DevOps and Platform teams to pre-run policies to analyze their impact before deployment, so they can see where violations occur and analyze existing workloads for compliance across clusters (basically they can identify and stop policy-authoring mistakes before they happen). Styra DAS also keeps track of all policy decisions, as well as any compliance violations, so teams can easily monitor and manage their OPA clusters. Dashboards give immediate insights to security and DevOps teams, and data can be sent to external monitoring systems like Prometheus or SIEM tools.
Simplifying Authz for All: Rego Policy Builder
On July 28, we introduced Rego Policy Builder. Now, Styra DAS provides a simplified way to build, share and collaborate on authorization policy across multiple stakeholders. With this new feature, we provide four levels of policy authoring: code for power users, pre-built library of policy for admins, policy packs for compliance teams and policy builder for casual engineers.
Rego Policy Builder enables DevOps/Platform teams to more easily build authorization policy in Styra DAS, with a point-and-click interface that speeds development of new rules and provides a policy interface that’s easily readable—whether or not the reader is familiar with policy as code. With these new enhancements, teams can more closely collaborate, with developers focusing on building policy-as-code guardrails that ensure that apps work fast, and as intended, while security, compliance and line of business teams can also share their expertise on the threat mitigation and compliance aspects of app deployment. Rego Policy Builder enables teams to accelerate and secure cloud-native applications from within, without the need to learn custom coding.
We are going to continue to drive more innovation in this space, to further democratize policy, so that cloud-native policy creation and deployment can be shared across teams within our customer organizations. We’re always working to achieve unified authorization, and implementing policy everywhere is critical to that. And we will continue our work to not only unifying the authorization solution that can speed app development, but also unifying the policy stakeholders within organizations, to better mitigate risks across the cloud-native stack.