Editor's Note - We hosted a webinar on PlainID's OPA integration. Watch it on demand here: https://www.brighttalk.com/webcast/18611/471827
Open Policy Agent, or OPA, is an open source solution that lets you take a policy-as-code approach to enforcing access controls across your technology stack.
In order to work well at scale, however, OPA policies need to be managed efficiently. Without a systematic process for deploying and monitoring OPA policies, teams run the risk of errors or delays that can undercut the benefits that OPA stands to deliver.
Fortunately, there’s a solution to OPA management challenges: PlainID. In this article, we take a look at why OPA management is important and how to streamline it using PlainID Policy Manager.
OPA has generated more than a little buzz since the Cloud Native Computing Foundation (CNCF) accepted it as an incubating project in 2019.
OPA owes its popularity not just to the fact that it’s open source, but also to the fact that it’s a general-purpose policy engine that provides a way to decouple enforcement and decision.
With OPA, you can write policy files that define how a variety of resources -- from cloud access controls, to SSH and sudo privileges, to data management rules and beyond -- are configured and enforced. By allowing teams to use a declarative language and enforcement engine for policies, work that is otherwise embedded in code is offloaded from the code, and possibly even from the developer.
PlainID Policy Manager streamlines the management of policies across environments.
PlainID offers a centralized and secure hub for monitoring and analyzing all of the policies that teams use to drive their workflows. Whether the policies are configured via OPA or using a different framework, PlainID ensures that they can be managed from a central location. PlainID also provides a deep analytics engine that allows users to understand what their policies do and which resources they expose to which users.
In addition, because PlainID maintains industry-leading standards for security and compliance, it is able to manage policies in a way that protects against unauthorized access and adheres to the regulatory rules that may impact PlainID users.
Technically, you don’t need additional tools to use OPA. You can manage OPA policies by hand. Unless you are working with just a handful of policies, however, that approach quickly becomes infeasible.
PlainID Policy Manager offers an enterprise-grade solution for managing policies across apps and platforms, including support for OPA.
With PlainID, you can manage and analyze all of your policies from a central administration UI. At the same time, however, you can deploy them in a distributed way that fits your environment.
In other words, PlainID provides the best of both worlds: A central location for policy management combined with a flexible deployment model that works with whichever type of architecture you are using, and whichever services you are configuring via OPA.
Because PlainID allows you to analyze and audit your policies, it makes it easy to find problems before deployment. That way, you can fix issues before your configurations go live.
This approach -- which aligns with the “shift left” thinking that is prevalent in DevOps circles -- is much more efficient than having to roll back a policy you’ve already deployed, which places you at risk of disrupting a live resource.
Writing dozens or hundreds of policy files by hand in a code editor is a tedious task. With PlainID, you can take advantage of graphical policy authoring, which makes the process faster, simpler and more intuitive. What’s more, PlainID can generate some policy content for you automatically, which reduces tedium even more.
OPA is designed to manage resources that live directly inside your environment, not external resources such as third-party APIs or services. Thus, with OPA, supporting external resources is a pain.
PlainID solves this issue by allowing users to construct policies based not just on internal resources but also on external data feeds. This is another way in which PlainID centralizes all aspects of policy management while simultaneously supporting a distributed architecture.
OPA is great, and it’s on track to enjoy massive adoption over the coming years. What many teams will realize when they deploy OPA, however, is that they lack the management features necessary to deploy and control OPA policies efficiently at scale.
PlainID provides a solution that enables the enterprise to adopt OPA in the way they are accustomed to: an end-to-end solution for creating, deploying and managing the life cycles of policies as code, no matter which types of resources they are supporting or how their systems are designed.