    How Open Policy Agent Works to Secure Cloud-Native Workloads

      By Sean Michael Kerner - December 7, 2018

      [Image: OPA DockerCon Europe 2018]

      A core element of IT security is having proper policies in place that define what is and what isn’t allowed for a given process or entity.

      In the cloud-native world, where many distributed components can live in different deployment modalities, defining and implementing policy is a nontrivial challenge, and it is the one the Open Policy Agent (OPA) project is looking to solve. In a session at the DockerCon Europe 2018 event in Barcelona, Spain, this week, Torin Sandall, software engineer at Styra, and Justin Cormack, software engineer at Docker, outlined how OPA can help to create and enforce security policy.

      “Apart from the very long list of policies there are, we have to deal with the fact that we’re dealing with lots of different complicated systems, written in different languages and protocols, and the systems are changing really fast,” Cormack said.

      The OPA project got started in 2016 and became part of the Cloud Native Computing Foundation (CNCF) on March 29. It provides mechanisms to help define and deploy policies. Sandall explained that OPA is an open-source, general-purpose policy engine.

      “What that means is that you can basically take OPA and you can apply it to pretty much any service in any system [and] any layer of the stack to help enforce policies,” Sandall said. “The goal of OPA is to provide a tool or a library or a component that allows you to unify policy enforcement across a wide range of technology.”

      Sandall said OPA has seen adoption by some big-name companies, including Netflix, which uses the technology to enforce a wide range of authorization policies over internal resources. Configuration management vendor Chef is embedding OPA in its products to provide end users with policy-based control. Experience management vendor Medallia is also using OPA, to help codify and enforce risk management policies over its infrastructure.

      “There are dozens of companies using OPA today in their Kubernetes clusters to enforce admission control policies on the workloads that are being deployed on top of those systems,” he said.

      How It Works

      With OPA, policy decisions can be decoupled from policy enforcement, according to Sandall. Instead of taking specific policies, such as HIPAA (Health Insurance Portability and Accountability Act) or PCI-DSS (Payment Card Industry Data Security Standard) compliance requirements, writing them down in wikis or spreadsheets and then hard-coding them into individual services, the OPA approach offloads the policy to a dedicated component.

      “For example, if we were going to build a service that exposes an API that serves traffic requests, the way this would work is that whenever the service receives a request, it would execute the query against an OPA policy,” he said. “The query will ask a question like, ‘Should this request be allowed?’”

      After the query is made to OPA, it evaluates the query against the policies and data it has access to. Sandall said that the outcome of that evaluation is a decision: an answer to the question of whether the requesting user should be allowed to see the data, perform this operation, deploy this container, and so on. The decision is then sent back to the service, which enforces it.

      “The service could be an internal microservice that is built as part of a larger application, or it can be the company’s API server, or it could be a gateway, or it could be a Message Broker or a database where you’re trying to protect access to sensitive data. It doesn’t really matter,” Sandall said. “And this is why we call it general purpose, because you can take and apply it to a wide range of software.”

      Policy Language

      Sandall said that OPA provides a high-level declarative language for codifying answers to questions like, Can this user access this resource and perform this operation on this resource? The policy language itself is called Rego, and it has a very simple syntax.

      “With Rego, because it’s just pure logic, and just pure data that we’re operating on, it’s very easy to just ask ad hoc questions of it,” he said. “This is powerful because not only can you use this in enforcement, but it’s also useful for things like audit and dry run.” 

      Policy today is often implemented in organizations with different mechanisms, including access control lists (ACLs), Identity and Access Management (IAM) and Role Based Access Control (RBAC) systems. Sandall said organizations can implement RBAC-, ACL- or IAM-style models inside Rego policies.

      He added that RBAC, ACL and IAM systems can be somewhat limited and don’t always cover every use case. For example, if an organization needs to enforce a policy based on the time of day, or on the geographic region the connecting clients are in, it can be hard to express those conditions in an ACL or an RBAC system.

      “So that’s what Rego addresses. It actually lets you express those kinds of policies and compose them,” Sandall said.
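The request-authorization flow described above, written as a Rego policy that combines an RBAC-style role table with the time-of-day and client-region conditions Sandall cites as hard to express in ACL or RBAC systems. This is an added example, not code from the talk or from the OPA project; the `input` document shape (method, path, user roles, client region, request hour) and the role table are assumptions chosen for illustration, and the hour is passed in by the calling service rather than read from OPA's clock so the decision is reproducible in audit and dry-run mode.

```rego
package httpapi.authz

import rego.v1

# Assumed input, as the service would send it with its query (constructed example):
# {"method": "GET", "path": ["records", "123"],
#  "user": {"name": "alice", "roles": ["analyst"]},
#  "client": {"region": "eu-west"},
#  "time": {"hour": 14}}

# Deny by default: an undefined or failed rule must never mean "allowed".
default allow := false

# RBAC-style table: which HTTP methods each role may use (assumed roles).
role_grants := {
	"analyst": {"GET"},
	"admin": {"GET", "POST", "DELETE"},
}

# The caller holds at least one role that grants the requested method.
role_allowed if {
	some role in input.user.roles
	input.method in role_grants[role]
}

# Attribute conditions that an ACL or role table cannot express directly.
within_business_hours if {
	input.time.hour >= 9
	input.time.hour < 18
}

approved_regions := {"eu-west", "eu-central"}

region_allowed if input.client.region in approved_regions

# The decision returned to the service: every condition must hold.
allow if {
	role_allowed
	within_business_hours
	region_allowed
}

# For audit and dry run: list every check that failed, not just the verdict.
deny contains "role does not permit method" if not role_allowed
deny contains "outside business hours" if not within_business_hours
deny contains "client region not approved" if not region_allowed
```

Evaluate it locally with `opa eval -d policy.rego -i input.json "data.httpapi.authz"`; with the constructed input above `allow` is true and `deny` is empty, and changing `"hour"` to 20 flips `allow` to false with `"outside business hours"` in `deny`.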

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
