Hello. Well, okay, so, elephant in the room: policy is a dull thing. It's kind of hard to make it sexy, but I'm going to try and get your attention, so bear with me.

So, to set the scene: I'm in a lift. Yes, American friends, we really do call them lifts. People are walking in. I think to myself, "Chris, this is your moment, now or never." As the doors close, I position myself in front of them. A captive audience. They're mine, I've got them. I hear the door seal shut behind me and I take a breath.

I look at the first person on my left. She's in a suit; she looks really important. I gesture to her. She looks back at me as if to say, "yes, go on." She nods. Ah, perfect: the CIO, the policymaker, the one whose neck is on the block. What are the chances of finding you in my imaginary lift today? I ask her, "Well, what keeps you up at night?" And she tells me: "I don't know what teams are really doing, the volume of risk, and what I should then show more interest in. Setting and changing policy is hard, and so is communicating it, and people just go off and do their own thing. They think they know better, and to be honest, often they do, but I'm ultimately left playing catch-up with the risk that they've signed me up to." "Okay," I say, trying not to sound like a patronizing snake or salesman, "I can help."

I turn my attention to the second person, also in a suit, but they look slightly less important. I make a guess. Let's face it, this is my imagination; it'd be weird if I was wrong. "Product manager," I say. They nod. Ah, the whip cracker. "Well, what's important to you?" I say. "So, managing risk, mostly opportunity risk, the fear of missing out. So getting features out the door, avoiding getting bogged down with..." they glance to the CIO, "...bureaucracy that feels almost like it's designed to slow me down." "Awesome," I say, "this is your lucky day."

I turn to the next person, dressed in overalls.
I'm in a trendy part of town; they could be the CTO. Before I ask, they sense me staring at them. "Cleaner," they say. Well, how did you get in my mansion? Okay, let me come back to you.

My attention goes to the last person: hoodie, headphones around the neck. Ah, my stereotypical developer. Yes, I know you well. "What code do you write?" I ask. It doesn't actually matter. "Python." Cool. "Have you got everything updated to work with..." I pause. "Python 3," they volunteer. Ah, yes, Python 3. "That must be hard," I add. They don't know it, but I've actually just won a bit of their trust, which, as we know, is important. "Nearly," they say. Cool. "Okay, well, what's important to you?" "Staying on top of patching dependencies so that we can react to the next fire. Knowing what rules exist, which ones I can bend or break, and what might cause me to lose my job. Writing consistent, good quality code and avoiding technical debt, so the rest of my team is able to work cohesively as one." "Do you have any tools to help you with that?" I ask. "Yeah, linters, code quality, test coverage tools, the usual." "Great," I say, "I write code too, let's be friends," and I hand them a printed QR code and say, "here's my public GPG key, so you know that you can trust what I say."

I return my focus to the cleaner. I've got it. "How do you get told what to do, and when it changes?" "Well, we get a memo, or something gets stuck to the notice board. So last week we got a memo saying that all the meeting room whiteboards needed to be cleaned every night." "Interesting," I say, "how does that work out?" "Well, it's up to us to then maintain the to-do list so that we can onboard new people." "Does it go wrong at all?" "Yeah, sometimes when we compile our operational manual we miss a memo, or don't apply them in sequence. We do get things wrong." They glance apologetically to the project manager. "Like when we hadn't updated the guide that the meeting room on the third floor was being used as a dedicated war room, and we wiped all their boards down."
I look at the devs. "Does that sound familiar?" I ask. They nod. Turns out we're not all special snowflakes. Hey, ah, all is not lost. I knew there was a reason that I imagined you here today. The lift's slowing; I feel it coming to its destination. Great, I've got the silver bullet. The CIO looks to me, ready to buy whatever it is I'm selling. They ask me as the doors open, "Who are you, and what team are you in?" As I move out of the way, so as to stop obstructing them, I answer, "Oh, I don't work here, I'm just here to fix the lift. People have been complaining that it only goes to the top floor regardless of what button they push, and it's actually pretty slow." My audience storms out, furious, heading towards the stairs. The doors shut and I get back to my job.

Okay, so if any of this sounds familiar and you can relate to my imaginary friends, then I've got the answers for you. What if I said you could update policy easily, even releasing, say, several version updates, not just in a year, or a month, what about ten updates in a single day, and seamlessly communicating that to the people that need to consume it, all without derailing them? You could have visibility on compliance, via tools maybe that you already use, and that policy could be readily consumable, easy to parse, demonstrate compliance and make sense, and not be bureaucratic to change when it needs to be, and all while not getting in the way. That same policy could be treated as a dependency and operate like a linter, so you can run compliance checks locally, in CI, and ultimately guard production. Multiple versions of the policy can act like a dependency and are supported, so emergencies like "you must update now because there's now a known vulnerability" type updates are, in effect, a business-as-usual activity to communicate. Interesting? Okay, hang around, let's crack on.

Now I've hopefully got your attention, it's time to introduce myself and start explaining things.
My name is Chris Nesbitt-Smith. I'm currently an instructor for Learnk8s and also, at ControlPlane, a consultant to the Crown Prosecution Service in the UK government, and a tinkerer of open source things. I've spent a fair amount of my professional career now working in UK gov and large organizations, where problems like these are rife.

We'll have time at the end for questions and heckles, so please kind of leave questions in the comments. So, while this is not live or in person, where I might be able to ask you to, say, raise your hands, we can still try some audience participation. So if you could leave a comment of "policymaker" if you're with my CIO and have set, written or applied policy before. I'll give you a few seconds to do that. Just, if you've written policy, leave a comment: "policymaker". Okay, next round: if you have ever sought exemption, or maybe consciously bent, broken, circumvented, ignored, bypassed, whatever, a policy with at least good intentions, could you leave a comment of "policy breaker"? So if you've bent, broken, circumvented, ignored, bypassed the policy, hopefully with some good intentions, or not, leave a comment: "policy breaker". Well, hopefully some of you at least fell for it, so we've got all of your names and employers' details. So, lend me your ears, the stakes just got raised.

So where do I see policy as code going wrong? Well, before we dig into that, what do I mean by policy? So it usually comes in one of two forms: security enforcing, like data at rest being encrypted, for example, or maybe perhaps consistency enforcing, such as code style, tabs, being two or four space indentation.
Maybe, or maybe you can think of some others, but in any case it's hopefully intended to mitigate a risk of some sort. However, with the best of intentions, they are often emotionally led rather than being grounded in proportionate control, which is ultimately the open door to case-by-case exemptions then being required when you come up against a situation that you weren't anticipating. So this is not fundamentally unlike how the laws of the land are created, with case law making for a rulebook that's complex to navigate and harder still to measure for compliance. It often looks like the thin end of a wedge, where the precedent, which may have been an uncomfortable pill to swallow the first time round, becomes dangerous with others ultimately looking to expand upon its scope, which can lead us to wonder sometimes if the cure was actually worse than the disease.

But that's not how we, at least typically, develop software. So why does this have to be so hard? There surely must be a better answer. Well, we've codified everything else, so isn't that the answer? Well, yes, in part, but my point of this talk is that we do it wrong. Maybe some of you are screaming your favorite product name at me in your heads as the solution, and you're not wholly wrong, but the devil's in the detail: just throwing some curly braces at something doesn't inherently fix things though.

So if it's a security control, it's often tempting to keep the policy a secret; exposing it could maybe be used against you by an adversary. However, that does not support shifting left at all. It results in devs effectively reverse engineering what the policy is by finding out when we smash our heads up against it. It doesn't therefore take much imagination to see that, in the scenario of an application deploy, midway through finding one resource non-compliant and rejected would leave the overall deploy in an inconsistent halfway state, likely resulting in downtime, which begs the question:
What's the policy better than? The downtime and the impact? Especially if it leads your engineers, who are all hopefully plenty smart, to finding inventive, shall we say, ways around the "computer says no" response that they've got. This is further exacerbated when updates to the policy are desired. So maybe you get a pen test, or something goes wrong, so you form that case law, in effect, that you maybe need to apply a new policy. So for example, maybe all S3 buckets now need to be encrypted, a change that could be considered a breaking one. Sure, you might say "we provide warnings on at least the less important issues or new emerging policy", which is great, so long as someone sees them. But if you've adopted GitOps, or at least CI/CD, is anyone seeing those warnings? Who studies the results of a successful build log every time? Anyone? Every time? Well, if you are, I politely suggest you're probably missing the point of CI/CD: you should ultimately be able to trust your job status.

Okay, well, I'm not just here to throw stones. So remember my implied promises to my four imaginary friends of what that future promised land might look like. Well, there's nothing new under the sun here. We've actually already unwittingly solved these problems elsewhere; we just need to remind ourselves and join the dots together.

Well, the first is something you're doing: policy as code. You're probably already doing that by putting it in version control.
The thing you might not be doing, though, is making that then visible. So at least inner source this, by which I mean allow everyone within your walled garden of employees, suppliers, subcontractors and so on to see the policy. I'm not saying you give all your threat monitoring rules and intel away; you can probably keep that to yourself. But I'd argue visible policy, and the gaps therein, is often better than the downtime, reverse-engineered workarounds, an opaque legacy, exemption spaghetti soup. So if you're brave, you might even open source it. You'll find it unlocks the ability to work well with prospective suppliers without NDAs and whatnot, and ultimately, widely distributed secrets are expensive to maintain, difficult to handle and often only stay secret for so long after all.

Okay, well, we're off to a good start: a policy is visible now to those that need to see it.

So many of you no doubt are used to semantic versioning, but a quick recap. The first segment is used to indicate a breaking, perhaps conflicting, change. So in the context of policy, let's say it's requiring resources to have a department label; maybe that will help with some internal cross-charging, who knows, I'm not judging. An increment to that might look like requiring that to be from a predetermined list rather than just free text. The next segment is to indicate minor changes that shouldn't really break anyone. So an increment there might look like correcting a spelling mistake on one of the department names. The third segment is to indicate patch changes, so these should be a no-brainer to keep up to date with. So an increment there might look like adding a department to the available options.

Okay, so our policy is visible in a repository, now it's versioned so we can easily communicate the policy, we can tack on release notes, and expectations are managed by our semantic versioning. In software we're used to handling dependencies. So what if your policy was just another dependency?
So you might unwittingly already be doing this, for example if you use, say, ESLint as a dependency in your JavaScript package. So our policy is visible in a repository, it's versioned so that we can easily communicate the policy, and we can tack on release notes, and expectations are all managed by semver. It's beginning to look a bit more like software.

Okay, so I know testing is a dirty word, but in order to make this an asset that everyone can depend on, and also provide good examples, tests are essential to give everyone the confidence and the stability, and surface potential side effects before they ultimately hurt everyone involved. Consumers of this policy need to be able to test themselves against the policy locally and in CI/CD, thus shortening the feedback and better informing things. So as a bonus, we should be able to find our consumers able to rely on the artifact that we're sharing with them.

Well, we're well and truly on the home stretch. It's a dependency, so updating it should be no different to any other. We can even use some magic like, say, GitHub Dependabot or Mend's (formerly WhiteSource's) Renovate to do that for us. So think automatic pull requests, tests, even also merging if you like.

Okay, so to check you're all still with me, can anyone leave a comment below and tell me a recent event that caused everyone to want to know what version of a potentially logging doohickey we were potentially running everywhere in the estate? Yep, as you know, all presentations this year are contractually required to reference Log4j, even if it's almost entirely out of context, and include some memes. In just a few short months I'll be able to remove these and hopefully just point broadly at a set of scary-looking CVEs in order to continue commanding your behavior through fear. What I'm getting at here, though, is that the situational awareness piece around software supply chain is something the organization is hopefully already thinking about, if not perhaps addressing. So if our policy is a dependency,
this is at least not a new problem. Software bill of materials for the win, right? Which then can allow us to measure the compliance across the state of the estate.

So I've just covered a lot of ground and hopefully sounded convincing. Well, it's a little bit, and it's not just a fictional utopia that's painted in PowerPoint. It's time to look at how you might actually be able to do this, and I know you really came here wanting to be able to see just a million words on a slide, not just the odd emoji or two that you've seen so far. So we've reached the point of the show where I get to show you some code. Hooray.

So to maintain scope, I'm going to limit things to talking about two things, to prove that it's not just one tech or one tool. I've arbitrarily picked Terraform and Kubernetes, but I could have probably picked anything. Naturally, I'm going to need some tools to do this; I'm too lazy to really invent anything here myself. So likewise, I'm going to pick two tools, but again, I could choose any or even all of them, probably. So Checkov is going to be doing my Terraform and Kyverno will be doing my Kubernetes.

So if you want to browse along with me, I've created an example GitHub organization here. So I'm not expecting you to kind of read or grok the code off the video, so don't worry about it too much. I'm showing it here just to prove that this is a real thing, but it's github.com/policy-as-version-code. So let's kick off.
So the policy is stored here in the policy repository. So here's where my policy starts, at version 1.0.0. I've got a policy that requires a department label on all resources. In effect, so long as it's set, it doesn't matter what it is, but it needs to be defined. I've written tests for this, so note how the passing test cases are usable as a great example of what good and bad looks like. We've pushed a tag in git, we've added release notes, and I can sign it to provide further assurance if my heart so desires. It does, obviously, but moving on. Version 2.0.0 looks similar, only now the department field has to be one from a predetermined list. Like before, tests exist, release notes are written, tags are signed. 2.1.0 is where we notice and correct a spelling mistake in one of the options in that list of departments. 2.1.1, and I've now added a new department to the list.

Okay, so some other repositories that are in that org: app one and infra one. Well, they depend on version 1.0.0 of the policy. It's not compliant with version two or greater. But how do I know that?
Well, I've configured Renovate to automatically make me a pull request. So when there's a new version of the policy, it's super obvious if I can update my dependency, and I can see clear feedback about where and why I'm not compliant. I can also see all the pull requests over the organization, so I can measure the compliance of my policy as a whole. Moving on from that, app two and infra two depend on version 2.0.0 of the policy. However, we could actually merge that open pull request all the way up to 2.1.1. Finally, app three and infra three are dependent on 2.1.1 and they get a gold star from the CIO.

There is, I'll admit, a small touch of magic, and it's not pretty right now. I've written some bash. Don't judge me, even though I've probably, definitely, written worse. So what this does is it allows me, from my dev laptop or in CI, to evaluate my code against the version of the policy that's defined in the resources. Ideally this might be less cumbersome, but it is what it is for now. Pull requests and collaboration on this are very welcome.

And the last piece of the puzzle is managing the life cycle of a policy and allowing multiple policies to be accepted and evaluated within a single runtime. I've cheated a bit here: Kubernetes gives you admission controllers. It's not so easy to get the same policy evaluation,
I've found so far, in cloud. Ultimately the cloud vendors have got their own policy code, and I've not figured out how to be able to evaluate that policy locally. Again, pull requests, contribution, collaboration from the community are all very welcome and really appreciated.

So you may have noticed that the way the policy is designed and distributes itself lends well to coexisting in a Kubernetes cluster, which brings us to cluster one, which describes a cluster that accepts all the versions that we've described so far. Likewise, cluster two only accepts version 2.0.0 and greater. We can automate this with kind, for CI, to deploy the applications too. And there we have it: a full org, all done, all compliant, policy, all versions, for CI, all aware of what's going on. So this is great, right?

But just one more thing. Wouldn't it be awesome if the policy maybe carried a story, a narrative of why it exists in the first place? After all, if your agile team is even half effective, it will reject anything that it perceives as friction if it doesn't see the value in it. It could actually allow our developers and engineers to know why they're compliant, and if they want to do something outside of what the policy permits, they don't need any sort of exemption granted per se; they can then have a well-reasoned and informed debate, with rationale, behind a pull request to the policy. So imagine, if you will, this going through the stages of versions, with risks that inform the mitigations, manifested as policy, all maintained as one.
So when the risk landscape changes, your policies can then move with it. So when some new privacy regulation comes out, or your latest marketing strategy pays off and you acquire more data, for example. Even if your policy was perfect at one time, the risks and the appetite for that stand still for no one. So we can liken this to perhaps the over-provisioning that we might be familiar with from elsewhere, where lead times are long, changes hard, and there is a significant pressure in just nailing it the first time, which can lead us to hedging our bets against what some future state might look like rather than proportionate mitigation to the risks that are more tangibly real in the now. And that's where the real culture change is needed, and the execution of that is likely a long series of talks in and of itself.

So this is now really over to you. Honestly, the best thing you could do right now: tell me this is madness, already done, irrelevant, otherwise unachievable, something so far my esteemed echo chamber appears yet to do. So beyond making pull requests and developing the theory more, I'd really like to start building a case study with a willing organization; allow me to swap out my imaginary friends for some real ones.

But the most important thing I want you to remember from our time together is that, and feel free to say this out loud with me: purposeless policy is potentially practically pointless policy. And I've been practicing saying that far too many times. So I've been Chris Nesbitt-Smith. Thanks so much for your time. You're now free to drop off if you wish.
I'm sure you... I will try and destroy the evidence of your guilt admissions earlier. I'll try. Like, subscribe, whatever the kids do these days, on LinkedIn, GitHub, whatever. You can be assured that there'll be near on no spam, because I'm... or much content really at all, since I'm pretty bad and awful at self-promotion on social media. cns.me ultimately just points to my LinkedIn. talks.cns.me contains this and other talks, and they're all open source as well on GitHub. Questions are very welcome on this or anything else. I'll be hanging around in the comments section, or ping me a message, probably on LinkedIn, and I'll come back to you. Thanks so much for joining me.
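The versioning story the talk walks through (1.0.0 requires any department label, 2.0.0 restricts it to a list, 2.1.0 corrects a spelling, 2.1.1 adds a department), the Renovate-style view of how far a consumer could upgrade, and a cluster that only admits 2.0.0 and greater, as an added Python example that is not code from the talk or from the example GitHub organization. The department names, resource shapes and rationale strings are constructed for illustration.

```python
"""Policy as a versioned dependency: an added, stand-alone example (not the talk's code).
Department names, resources and rationales are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed department lists. 2.1.0 corrects "Finanse" to "Finance"; 2.1.1 adds "Legal".
DEPARTMENTS_2_0_0 = frozenset({"Engineering", "Finanse", "Marketing"})
DEPARTMENTS_2_1_0 = frozenset({"Engineering", "Finance", "Marketing"})
DEPARTMENTS_2_1_1 = DEPARTMENTS_2_1_0 | {"Legal"}


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    major, minor, patch = (int(part) for part in version.split("."))
    return (major, minor, patch)


@dataclass(frozen=True)
class Policy:
    version: str
    rationale: str                        # the "why", carried with the policy itself
    allowed: Optional[frozenset] = None   # None means any non-empty label passes (1.0.0)

    def evaluate(self, resource: dict) -> list:
        """Return a list of violations (an empty list means compliant)."""
        department = resource.get("labels", {}).get("department")
        if not department:
            return [f"{resource['name']}: missing department label ({self.rationale})"]
        if self.allowed is not None and department not in self.allowed:
            return [f"{resource['name']}: department {department!r} is not in the allowed list"]
        return []


# The four released versions from the talk's storyline, keyed by semver string.
POLICIES = {
    "1.0.0": Policy("1.0.0", "resources need a department label for cross-charging"),
    "2.0.0": Policy("2.0.0", "department must be from the agreed list", DEPARTMENTS_2_0_0),
    "2.1.0": Policy("2.1.0", "fix spelling of Finance", DEPARTMENTS_2_1_0),
    "2.1.1": Policy("2.1.1", "add the Legal department", DEPARTMENTS_2_1_1),
}


def check(resource: dict, version: str) -> list:
    """Evaluate a resource against one policy version (the local/CI linter step)."""
    return POLICIES[version].evaluate(resource)


def compliant_upgrades(resource: dict) -> list:
    """Versions newer than the declared one that the resource already satisfies.
    This is the Renovate-style view: how far the open pull request could be merged."""
    declared = parse_version(resource["labels"]["policy-version"])
    return [v for v in sorted(POLICIES, key=parse_version)
            if parse_version(v) > declared and not check(resource, v)]


def cluster_admits(resource: dict, minimum_version: str) -> bool:
    """Admission-controller style gate: the declared policy version must exist,
    be at or above the cluster's floor, and the resource must comply with it."""
    declared = resource.get("labels", {}).get("policy-version")
    if declared not in POLICIES:
        return False
    if parse_version(declared) < parse_version(minimum_version):
        return False
    return not check(resource, declared)


if __name__ == "__main__":
    app_two = {"name": "app-two", "labels": {"department": "Engineering", "policy-version": "2.0.0"}}
    print(compliant_upgrades(app_two))       # ['2.1.0', '2.1.1']
    print(cluster_admits(app_two, "2.0.0"))  # True
```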