Styra's Policy as Code Report: Identity and Access Management Drives Adoption

The State of Policy as Code report from Styra, based on a survey of 285 U.S. developers and technical decision-makers, found that 97% of respondents believe policy as code is crucial for efficient software building in cloud environments. The report's key findings highlight policy as code's role in enhancing development efficiency, security, and simplicity.

While 95% of respondents believe that custom-built authorization systems offer great customization potential, about two-thirds of them also recognize substantial deficiencies in these systems, particularly in efficiency, security, and application performance. The report also noted the widespread adoption challenges, with 86% facing issues in authorization implementation.

The majority of respondents (88%) utilize policy as code for cloud-native applications, with a notable 67% using it for cloud infrastructure. In application authorization, 55% secure API gateways, 52% implement role-based access control (RBAC), and 46% use attribute-based access controls with policy as code. For infrastructure authorization, two-thirds employ policy as code for AWS CloudFormation configuration checks, 60% for HashiCorp Terraform checks, and 45% for infrastructure compliance monitoring. This indicates diverse applications of policy as code in both application and infrastructure contexts.

According to the report, the primary motivators for adopting policy as code in organizations are identity and access management (IAM) at 32%, followed by zero-trust architecture and continuous authentication and access, each at 28%. This highlights the critical role of policy as code in enhancing security and access management within modern organizations.

Source: 2023 State of Policy as Code Report - Styra

These findings are in line with the recent OWASP Top 10 API Security Risks Report, which emphasizes that the foremost API security concerns are Broken Object Level Authorization and Broken Authentication. These issues, related to access control, stand out as primary challenges in API security.

Against this backdrop, AWS's decision to open-source Cedar, a policy-based access control language, was met with enthusiasm in the tech community. This release was seen as a key step in addressing the long-standing need for more robust application authorization solutions.

The State of Policy as Code report also included barriers to adoption, like complexity and organizational resistance, and underscored the critical role of policy as code in cloud infrastructure security. The report further suggests that overcoming these barriers is crucial for maximizing the benefits of policy as code in modern software development.

Companies with revenues up to $500 million typically implement policy as code in production environments, though mainly for non-critical systems. In contrast, organizations earning over $501 million are more inclined to extensively use policy as code across both non-critical and mission-critical systems, indicating a broader and more integral application in larger enterprises.

For further insights, interested readers can download the report from Styra’s website.
