Policy
Policy is a planned system of rules and guidelines that directs users and automation to execute within purposeful boundaries. 1
The parts of a policy include: 1
- name: used to label the policy for future reference
- purpose: the reason this policy exists
- situation: the context in which the policy will be used
- rules: individual controls or prescribed behaviours
- actions: the action taken if a policy rule is violated
A policy is a statement that declares which principals are explicitly permitted, or explicitly forbidden, to perform an action on a resource. 2
Policy Language
A policy language facilitates: 3
- the specification of composite policies, which in turn forms the basis of trust delegation.
- the static analysis of policies and system configuration.
Policy as Code (PaC)
Policy as Code (PaC) refers to policies that are written, stored, managed and interpreted as code artifacts.
A policy engine is a program or process that is able to ingest machine-readable policies and apply them to a particular problem domain to constrain the behaviour of network resources. 1
PaC policy engine characteristics: 1
- Ingesting machine-readable policies (PaC)
- Applying policies to specific problem domains (data)
- Constraining behaviors (outcomes)
```
            ----------
            | Policy |
            ----------
                |
                v
 --------    ---------     / \       --------------     -----------
 | Data |--->| Input |--->< match >--->| Evaluation |--->( Outcome )
 --------    ---------     \ /       --------------     -----------
                ^
                |
            ---------
            | Query |
            ---------
```
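As an added illustration (not code from the cited sources or from Casbin, Cedar or Rego), a minimal policy engine in Python that follows the flow above: policies built from the parts listed earlier (name, purpose, situation, rules, actions), a query joined with data to form the input, rules matched against it, and an evaluation that is default deny with any explicit forbid overriding a permit. The `Rule`, `Policy` and `evaluate` names, the glob-style matching and the sample roles are constructed for this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Rule:
    effect: str     # "permit" or "forbid"
    principal: str  # user id glob, or "role:<name>" resolved from data
    action: str     # glob, e.g. "read" or "*"
    resource: str   # glob, e.g. "docs/*"
    def matches(self, query, roles):
        principal_ok = (self.principal[5:] in roles if self.principal.startswith("role:")
                        else fnmatchcase(query["principal"], self.principal))
        return (principal_ok and fnmatchcase(query["action"], self.action)
                and fnmatchcase(query["resource"], self.resource))

@dataclass(frozen=True)
class Policy:
    name: str
    purpose: str
    situation: str  # context glob the policy applies in, e.g. "production"
    rules: tuple
    on_violation: str = "deny and log"  # action taken when a forbid rule fires

def evaluate(policies, data, query):
    """Match query + data against policies; default deny, explicit forbid wins."""
    roles = set(data.get("roles", {}).get(query["principal"], ()))
    permits, forbids = [], []
    for policy in policies:
        if fnmatchcase(query["situation"], policy.situation):
            for rule in policy.rules:
                if rule.matches(query, roles):
                    (forbids if rule.effect == "forbid" else permits).append(policy)
    if forbids:
        return {"outcome": "deny", "matched": [p.name for p in forbids],
                "actions": sorted({p.on_violation for p in forbids})}
    if permits:
        return {"outcome": "allow", "matched": [p.name for p in permits], "actions": []}
    return {"outcome": "deny", "matched": [], "actions": []}  # nothing permitted it

# Constructed sample policies and role data (hypothetical, for illustration only).
POLICIES = (
    Policy("admin-full", "admins manage everything", "*",
           (Rule("permit", "role:admin", "*", "*"),)),
    Policy("reader-docs", "readers may view documents", "production",
           (Rule("permit", "role:reader", "read", "docs/*"),)),
    Policy("protect-audit", "nobody deletes audit logs", "*",
           (Rule("forbid", "*", "delete", "audit/*"),), "deny, log and alert"),
)
DATA = {"roles": {"alice": ["admin"], "bob": ["reader"]}}
```

A query such as `{"principal": "alice", "action": "delete", "resource": "audit/2024.log", "situation": "production"}` is denied by the explicit forbid even though the admin permit also matches, and a principal with no matching permit is denied by default.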
Selection Criteria: 1
- Alignment
  - Technical capabilities of the team
  - Internal strategy for how tools and applications are adopted/managed
  - Fits the need and internal standards driving the decision
  - Primary use cases match our use cases
- Analytics
  - Logging
  - Metrics
  - Auditing
- Automation
  - CI/CD pipelines
  - Automated deployments
- Documentation
  - Examples
  - Patterns
  - Understandable
- Adoption
  - Who is using this?
  - How much adoption has this project seen?
  - Active?
  - Project maturity
  - Support model
  - Intuitive
- Complexity
  - Installation
  - Deployment
  - Configuration
  - Operation modes (server, library, CLI)
- Reporting
  - Standard reporting tools, e.g. OSCAL
- Security
  - Risks, vulnerabilities
  - Tools and processes for security issue discovery
- Extensibility
  - Can custom code be written to extend the language?
Scorecard 1
| Selection Criteria | Casbin | Cedar | Rego |
|---|---|---|---|
| Alignment | | | |
| Analytics | | | |
| Adoption | | | |
| Automation | | | |
| Documentation | | | |
| Complexity | | | |
| Reporting | | | |
| Security | | | |
| Extensibility | | | |
| Total | | | |
Cedar
Rego
Rego is a declarative assertion language for reasoning over data: a DSL for applying rules and assertions to domain-agnostic, structured data.