June 19, 2023

EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?



Subscribe at Google Podcasts.

Subscribe at Spotify.

Subscribe at Apple Podcasts.

Topics covered:

  • What is a policy, is that the same as a control, or is there a difference? And what’s the gap between a policy and a guardrail? 
  • We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud?
  • Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now?
  • Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams?
  • How do organizations grow into safely rolling out new policy as code code? 
  • You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance"  and this problem has been unsolved for as long as the cloud existed. Will your toolset change this? 
  • There are other frameworks that exist for security testing like HashiCorp’s sentinel, Open Policy Agent, etc and you are proposing a new one with MQL. Why do we need another security framework?
  • What are some of the success metrics when adopting  Policy as Code? 

Do you have something cool to share? Some questions? Let us know:

View more episodes