How Toil Can be Avoided with Policy-as-Code

Introduction

The trend for digitization is gathering pace as a business's consumption of information becomes ever more essential to remain competitive while meeting the challenges of planning complex supply chains in a time of prolonged and severe disruption.

Digitization initiatives require tremendous effort to plan and implement, placing enormous pressures on technical teams to implement and integrate solutions in complex cloud environments using intensive DevOps processes to meet demanding timelines.

Digitization comprises interrelated tasks with complex dependencies and prerequisites to satisfy. All these activities consume resources, which typically are overloaded with the day-to-day management of systems and services. This pressure acts as a barrier to operational excellence, hindering innovation and refinement. The solution is to reduce the baseline workload by identifying and eliminating toil.

What is Toil?

Toil is the term for manually intensive, repetitive, and unchallenging tasks. For example, typical process elements requiring prescription manual actions include responding to spurious security alerts or customer tickets for product bugs, configuring access controls for shared resources, or creating new user accounts. As systems scale, the volume of toil will increase correspondingly.

Manual processes are commonly seen in infrastructure management, security controls, access permissions, or environment configurations. The problem with manual actions is the operator performing them. Humans are incredibly error-prone when compared to computerized processes. Even the most diligent operator following a script will occasionally make a mistake. When the manual actions are implementing security-related controls, then the consequences can be severe.

Transposit’s State of DevOps Automation 2021 Report supports the importance of process automation for resolving complexity and reliability issues. The report revealed that manual toil was the top challenge respondents faced during security incidents' remediation - a lack of automation was seen as a barrier to a quick resolution. About 51.7% of respondents reported that toil is the top challenge during remediation. As a result, many are planning to increase automation.

What Creates Toil?

Originally policies were applied using command-line interfaces (CLI) that were non-intuitive command formats that were tricky to learn and challenging to review and spot errors. Then, service providers moved to graphical user interfaces (GUI) that were easier to understand but took away the ability to automate processes.

The manual process was more intuitive but required repetitive manual actions, creating toil. An additional consequence was that while testing policy decisions in non-production environments reduces risks; there was no guarantee that the operator would correctly enter the same policy in the production environment.

Checking processes typically require validation of policy commands after actioning, potentially too late if an incorrect command has serious consequences. The problem with toil is that it inherently increases the chances of human error due to the reduced operator engagement in the task. Where mistakes can have potentially catastrophic consequences for business-critical systems, introducing toil should be the last resort.

Dealing with Toil

The traditional approach to toil was an acceptance that it was an intrinsic part of the work processes needed to complete the process. The belief was that it was unavoidable where automation of processes wasn’t practical.

Repetitive manual tasks are error-prone and potentially insecure. They are also demoralizing and demotivating for the team tasked with performing them. If toil can be eliminated or significantly reduced, processes will become more resilient, easier to scale, and more reliable. The workforce will also have more time to concentrate on those more challenging cerebral tasks that create value for the businesses.

Automation as a Solution

Reducing toil is simple; automating tasks that create toil eliminates the problem in one fell swoop. In addition, the operations team that typically becomes responsible for the toil-rich activities frees up their time for more productive endeavors. It also means they are more responsive to operational issues, increasing product service levels and customer satisfaction.

Policy as Code

Policy as code is the principle of turning manual practices into a code format where policies can be managed and automated. Representing policies using a high-level programming language brings multiple benefits.

• Code follows formatting and content rules, eliminating ambiguities and misunderstandings that subjective text can introduce. This makes the policies easier to understand and more straightforward to check.
• Code can be automatically parsed and tested to quickly identify errors, eliminating the need for manual review and decreasing toil.
• Code can be built on the modular concept, creating building blocks for the overall infrastructure policies. For example, Kubernetes policy modules, container registry policy modules, and access control policy modules can be brought together in a policy build process to generate the complete policy package for the environment.
• Subject matter experts can concentrate on their specific policy modules, maximizing efficiencies and reducing the risk of introducing errors in unrelated policy codes.
• Automated test processes can verify and validate the package to ensure coherence and completeness, identifying errors, inconsistencies, and conflicts between policy statements across the entire policy ruleset. Another benefit is that it reduces the toil related to troubleshooting policy incompatibilities.
• Code can be placed under version control and managed using configuration control practices. This provides a transparent audit trail to support compliance and governance processes.
• Automatic deployment of code eliminates human error from policy implementation and diminishes the most significant toil-related activities.

Using policy as code to manage and maintain controls for resources to enforce good practices reduces security risks, including unauthorized access and disclosure and exposure to data breaches. Magalix’s Airtight Security as Code service will secure your environment with codified policies. It’s easy to get started, thanks to hundreds of built-in policies that you can use to support your custom policies.

Policy Lifecycle

Policy as code solutions allows the use of development processes to develop policies systematically to produce deterministic code. The following is a typical lifecycle for illustrative purposes:

1. Definition of policy blocks for specific compliance, infrastructure, security, access, and environment management requirements.

2. Codification of policy blocks using a high-level language.

3. Policy blocks are verified using automated test tools.

4. Policy blocks are versions and placed under configuration control.

5. Building a policy package for a specific environment using one or more blocks.

6. Validation of the policy package in a non-production environment.

7. Deployment of the policy package to the production environment.

8. Monitoring and audit of the production environment refine policy block definitions under formal change control processes.

Figure 1: Policy Lifecycle

Deploying Policy as Code

Policy as code solutions can test policies on non-production environments before application onto the production environment, in a process that guarantees the policy remains unchanged. This eliminates the problem of disruption to the production environment due to policy changes. However, it is still possible to experience disruption due to unrecognized differences between the non-production and production environments. However, the policy as code means that it is a simple task to roll back the changes by applying the previous version of the policy. Achieving this can be quick and effortless.

Policy as code can also allow simple adaptation to change to the cloud-based environments, whether that’s a simple parameter change by the hosting provider or the migration to a different provider. For users of multi-provider cloud environments, creating libraries of policy modules for each cloud type supports the automatic assembly of packages to match the configuration of any particular environment. This provides maximum flexibility and reduced dependencies on service providers.

For businesses with multiple environments, such as separate development, test, and production facilities, using simple to create tailored policies based on a standard maintained core set will ensure that they retain coherent controls.

Policy as Code Benefits

Intelligent policy as code solutions can include validation of services against the policy requirements as a pre-requisite for enabling that service. A non-compliant service can be disabled until corrective actions address the identified issues. This approach will ensure services are secure before they are permitted to go live. Once live, implementing a Continuous Compliance Assessment will prevent infrastructure drift by continuously monitoring and reporting violations. This will ensure live services will remain secure.

Policy as code has added benefits in demonstrating compliance and good governance in cloud-based environments. Governance is the ability to verify and enforce policies and standards based on a governance framework to minimize risk, manage costs, and drive efficiency, transparency, and accountability while staying agile and responsive as a business. Take a look at our Kubernetes Governance webinar to discover more: Kubernetes Governance 101, cloud-native governance.

Conclusion

Automation is the crucial weapon in the battle against toil, and bringing automation to policy management brings additional benefits to business efficiency, scalability, and flexibility. Policy as code solutions delivers the advantages of automation with enhanced security and compliance.

Enforcement of infrastructure and security policies will ensure compliance and aid the demonstration of good governance, for example, by locking down services and resources and optimizing resource usage using native toolsets available. This can reduce operating costs and maximize security while at the same time eliminating toil to improve workforce productivity and motivation.

Magalix empowers organizations to integrate policy-as-code into toil-free automated processes. This service allows businesses to enforce policies and reduce risks across their infrastructure.

To learn more about how we can support your business processes, please get in touch.