How to ensure policy enforcement?

[humbertoc-silva]

Hello everyone,

Imagine the following scenario:

1. We determine that OPA is a great tool to decouple security policies from the services code, and in this way, the services teams will focus on business code, new business features, etc.

2. But now, the services teams need to do the policy enforcement, i.e write code or use tools to integrate with OPA, enforce OPA decisions, etc. to guarantee that all pieces are working correctly to achieve the security requirements established by the company. But if the team does ignore this and not enforce any decision?

Related to the second part, do you know tools, projects, patterns, or strategies that help with this problem?

I know that using a sidecar proxy, like Envoy, will help with this because the proxy will handle this transparently, but it will not always be possible to use this too.

Do we have some other options? How do you handle this problem?

Thank you!

[anderseknert]

Hi Humberto!

I do believe the proxy model is the common solution to this to problem, as it moves the enforcement point outside of the realm of the application team (or whoever else would be responsible). I agree though — to introduce something like Envoy or another service mesh technology into an environment solely for the purpose of enforicing policy seems like wielding a pretty broad hammer... so I'd probably write something simple myself. Go makes it easy to build proxies, and of course integrates directly with OPA, so at least getting something basic to work should not be too complex, I think. Would be a great open source project ;)

If you can't use a proxy model at all, there are basically two options that I can think of, and they aren't mutually exclusive:

1. Make it easy to integrate OPA by providing libraries, great docs, and support inside of the organization. If enabling enforcement only requires a few lines of code to be changed, people are likely more eager to make the change than if it entails a large number of steps.
2. Use decision logging to track which services aren't sending decisions, and notify teams of violations, with a request for change.

Ultimately, this sounds like an organizational problem. If you have "security requirements established by the company" which people are free to ignore, they aren't really... requirements :)

[humbertoc-silva]

Hi Anders,

We stay in sync. Thinking about this problem we visualize this two types of solutions:

• OPA proxy (in cases where Envoy is prohibitive).
• Integration libraries to accelerate the development (in cases where proxy strategy is prohibitive).

Related to the tracking, yes, decision logs are very useful.

And finally, the security requirements problem must be present in all big companies, where there are so many products and teams to manage, but I believe that it is possible to mitigate them with the technologies and techniques mentioned above.

Thank you for your point of view!