What is policy-as-code and why should I care?

Matt Luckett   ·   Friday, November 3rd, 2023

Policy-as-code is an approach to managing policies where policies are written as code.

A common misconception around policy-as-code is that it has to be written by developers.

However, the policy-as-code that Axiomatics has written can be used by anyone because it is based on our abbreviated language for authorization (ALFA) policy language, which is like a pseudo-code.

This means that anybody with even basic development skills can come in and start building or maintaining policy-as-code.

Policy-as-code with ALFA

Policy-as-code can be written in Eclipse, Visual Studio or whatever you might be using.

Below is an example of policy-as-code with ALFA inside of Visual Studio, so you can see how easy it is to understand what the policy code is saying even if you aren’t a developer.

As you can see, the policy code is fairly clear and paints the picture of who can view records within an organization. Both managers and employees can view records, but managers can view all records, whereas employees can only view records in their department.

This makes it easy for new users to get up to speed in learning what has been done in the past or how to create their own policy-as-code.

This is possible because ALFA is a purpose-built, programming language that can be taught to anyone, whereas if you want to be a developer there are years of schooling and hours building java-based code, which is a complex language.

Why should enterprises care about policy-as-code?

There are a few different ways policy-as-code can help enterprises.

First, it can help developers with new applications. It often takes months and sometimes even years of development effort to get an application ready to go live to market.

Most often than not, the application is related to something the business specializes in as the organization is an expert in the field.

However, though authorization is still something that must be included in the application, it is usually not an area of expertise for developers or the business.

This is where Axiomatics can help as enterprises can leverage our best-of-breed technology to infuse authorization into the application from day one, greatly reducing authorization-related development efforts as well as the time to market for new applications.

This also gives application teams a more powerful approach to securing information for internal and external users.

Legacy applications

Legacy applications often lack granularity with security policies and rely on role-based access controls.

This leads to complex authorization policies that often give users too much or too little access to the information they need to effectively perform daily tasks.

Including attribute-based access controls with Axiomatics gives customers a much higher degree of confidence that the authorization policies granting users the right level of access to information at the right time.

Policy-as-code can also help with the ongoing maintenance of legacy or existing applications. When an application is already on the market and you bring in policy-as-code, it enables developers to have a shift-left mentality as they can infuse policy-as-code into the CI/CD pipeline.

This means developers can bring testing closer to the development effort, so that as new policies are created and changes are made, the team can get almost real-time feedback as to if these policies are having the desired impact.

The alternative would be if a developer creates an application with authorization, but there is a front end of the application where changes can be made as well.

If this application gets passed onto the administrator.

Now, the administrator can create any policy within the application, but what happens if that policy doesn’t work?

At that point, the organization would have to explore if the policy is wrong and get the administrator to fix it again.

Worst case, the application goes to market and a customer finds an issue with the application. When this happens, the application must go back to development to be fixed, which takes longer and effectively costs the organization more money.

Future-proofing through ALFA policy-as-code is a vital strategy for ensuring these systems remain secure, adaptable, and compliant in an ever-changing technological landscape.

By implementing ALFA policies, organizations can lay a foundation that enables legacy applications to evolve in sync with modern access control and security requirements.

This approach facilitates the integration of emerging technologies and supports dynamic policy updates, reducing the risk of legacy applications becoming obsolete or vulnerable to security threats.

Consistency and reusability between all applications

Policy-as-code is also more consistent and reusable compared to alternatives.

In an isolated authorization mindset, for every existing application policies are  created or added in a silo.

This makes it difficult to know what authorization policies are built into which applications, particularly if there are multiple applications within an organization.

With policy-as-code, policies that are created don’t have to be siloed. The policies can be leveraged across multiple applications and even reused for new applications as they are built. It is essentially copying and pasting policies across applications.

Not only is policy-as-code reusable, which can help reduce the time-to-market, but it allows consistency between applications in an enterprise.

For example, if an enterprise has two applications, one user can have different permissions between the two applications depending on who created the rules for each. This means that there is no consistency across applications – an issue that can be addressed through policy-as-code.

Take the next steps

Request a demo with one of our solution experts to see a demo of Axiomatics policy-as-code in action.

You can also download our white paper to learn more about policy-as-code and how our Orchestrated Authorization strategy helps address policy-as-code challenges.