Shift Security Left with Policy as Code

Rafael Battesti
DevOps Solutions Engineer

Across all organizations, IT departments have been delivering infrastructure to support the business in one way or another. Initially, on-premises infrastructure was the rule, and IT departments were stuck with hardware procurement, device and network maintenance, physical security of data centres, and so on.

With the advent of the cloud, many businesses started their “Cloud Transformation” journey, migrating their workloads to data centres no longer owned by the company, but by the public cloud provider, who became responsible for absorbing all the above-mentioned infrastructure costs and responsibilities.

With the Cloud, Infrastructure as Code (IaC) slowly became the best practice for how IT Cloud Architects deploy and manage their infrastructure. Automation makes hyper-scale infrastructure possible, but it also makes testing and asserting compliance with benchmarks such as the ISO 27000 series, CIS, HIPAA, PCI and GDPR harder. A misconfigured asset provisioned in bulk through automation propagates across whole fleets, significantly increasing the attack surface. While public cloud providers deliver overall cost benefits, the security posture of the business can dramatically change the ROI of moving to the cloud. Gartner states that 95 percent of all security breaches are due to misconfigurations, and those mistakes cost companies nearly $5 trillion between 2018 and 2019 alone.

Chief Information Security Officers (CISOs) responsible for the overall security posture of their organizations implement policies, track non-conformity, and trigger actions for architects to fix vulnerabilities. In many cases, a lot of custom tooling is created to support this workflow:

  • IT Cloud Architect/Developer answers a series of questions about their infrastructure.
  • Answers are assessed (automatically or not) by the CISO.
  • CISO initiates the remediation of nonconforming controls based on the answers provided, which may or may not reflect the infrastructure that has actually been provisioned.
  • IT Cloud Architect tackles the remediation work and provides evidence of conformity back to the CISO for approval.

This manual process can be lengthy and cumbersome, and more often than not it does not meet the business objectives at any level. We must bridge the gap between the CISO and Product teams to ensure an organization’s software development and delivery processes are not negatively impacted.

On September 6th, Indellient’s Rafael Battesti discussed the role of Policy as Code (PaC) in the creation of Infrastructure as Code (IaC) with DevOps Toronto. You can watch that discussion here:

In this talk, they discussed how applying Policy as Code (PaC) while Infrastructure as Code (IaC) is being written is one way to shift security left and close the gap between the CISO and the Product teams. PaC best practices and tooling bridge that gap by evaluating infrastructure assets continuously against established control benchmarks such as CIS, or against custom internal policies, so non-conformity is caught before the infrastructure is provisioned rather than discovered afterwards through questionnaires.
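To make the "evaluate the infrastructure before it is provisioned" idea concrete, here is an added example that is not part of the original post or talk: a minimal Policy as Code gate written in Python. It reads planned resources in the shape of `terraform show -json` output (simplified to the handful of fields the rules need; the sample plan below is constructed for this example) and checks them against three CIS-style rules: no security group may expose remote administration ports to the whole internet, no S3 bucket may carry a public ACL, and every EBS volume must be encrypted at rest. Rule names, the `SAMPLE_PLAN` data and the `evaluate` function are all assumptions of this example, not tooling from the article.

```python
"""Minimal Policy as Code gate: evaluate planned IaC resources against rules."""
import ipaddress
import json
import sys

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# reduced to the fields the rules below read. Not taken from the article.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "values": {"ingress": [
             {"from_port": 22, "to_port": 22, "protocol": "tcp",
              "cidr_blocks": ["0.0.0.0/0"]},
             {"from_port": 443, "to_port": 443, "protocol": "tcp",
              "cidr_blocks": ["10.0.0.0/8"]}]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"acl": "public-read"}},
        {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
         "values": {"acl": "private"}},
        {"address": "aws_ebs_volume.db", "type": "aws_ebs_volume",
         "values": {"encrypted": False}},
    ]}}
}

# Remote administration ports that must never be reachable from 0.0.0.0/0.
ADMIN_PORTS = {22, 3389}


def _is_world_open(cidr: str) -> bool:
    """True for a /0 network (IPv4 or IPv6); malformed CIDRs are not flagged here."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def sg_no_world_admin_ingress(res: dict):
    """Flag ingress rules that expose SSH/RDP to the whole internet."""
    for rule in res["values"].get("ingress", []):
        if rule.get("protocol") == "-1":  # Terraform's "all protocols" marker
            lo, hi = 0, 65535
        else:
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        world = any(_is_world_open(c) for c in rule.get("cidr_blocks", []))
        if world and any(lo <= p <= hi for p in ADMIN_PORTS):
            yield f"ingress {lo}-{hi} is open to the world"


def s3_no_public_acl(res: dict):
    """Flag buckets whose canned ACL grants public access."""
    acl = res["values"].get("acl", "private")
    if acl.startswith("public"):
        yield f"acl '{acl}' makes the bucket public"


def ebs_encrypted(res: dict):
    """Flag volumes that are not encrypted at rest."""
    if not res["values"].get("encrypted", False):
        yield "volume is not encrypted at rest"


# Resource type -> rules that apply to it. Adding a control is one more entry.
RULES = {
    "aws_security_group": [sg_no_world_admin_ingress],
    "aws_s3_bucket": [s3_no_public_acl],
    "aws_ebs_volume": [ebs_encrypted],
}


def evaluate(plan: dict) -> list:
    """Return (resource address, rule name, message) for every violation."""
    violations = []
    resources = plan["planned_values"]["root_module"].get("resources", [])
    for res in resources:
        for rule in RULES.get(res["type"], []):
            for message in rule(res):
                violations.append((res["address"], rule.__name__, message))
    return violations


def main(argv: list) -> int:
    """CI entry point: non-zero exit blocks the pipeline before `terraform apply`."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    violations = evaluate(plan)
    for address, rule, message in violations:
        print(f"FAIL {address}: {rule}: {message}")
    print(f"{len(violations)} violation(s)")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to evaluate the constructed sample, or pass the path of a `terraform show -json` plan file to gate a real pipeline stage; a non-zero exit stops the run before anything is applied, which is the shift-left point: the CISO's control lives next to the code and is checked on every change, instead of being reconstructed from a questionnaire after the fact.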

At Indellient, we invest heavily in our DevOps practice to create foundational cloud transformation for our clients. We believe the outcomes of DevOps (velocity, resilience, automation, compliance, and rapid change) contribute to a competitive advantage, which is why we architect and implement DevOps culture and best practices that move our partners forward and enable a cloud operating model.

About The Author

Rafael Battesti

As a hybrid IT professional, the scope of Rafael's work extends over the entire SDLC, from requirements specification to the design and development of software solutions for the enterprise data pipeline, data operations, and quality assurance. After experimenting with web development on small projects, his IT career took a different direction as a Software Test Technician, applying manual test techniques to Motorola Android devices; tests included functional, regression and exploratory testing. Studying for the ISTQB Certified Software Tester credential, achieved a few months later, gave him a solid theoretical grounding in testing and in the importance of a good QA strategy for reducing cost, risk and time to market. Immigrating to Canada gave Rafael the opportunity to earn a high honours diploma in Computer Systems Technology – Computer Programmer at Sheridan College while working as a tutor, helping fellow students adopt good coding standards, computational thinking and debugging techniques, and acting as a Git evangelist.