Open Policy Agent, or OPA, is a tool for leveraging some of the benefits of policy-as-code. Although OPA is starting to be widely adopted, like many open source tools, OPA on its own doesn’t fully meet the needs of businesses. OPA provides a great framework for developers to write policies. But it lacks the administrative tooling necessary to align policies with business requirements, keep track of policies within complex IT environments and keep policies up-to-date as needs change.

To get the most out of OPA, then, businesses must pair it with a policy management solution like PlainID Policy Manager.

What is Open Policy Agent (OPA)?

Open Policy Agent, which originated as a Cloud Native Computing Foundation (CNCF) project in 2019, is a policy-as-code framework that lets developers define policies as code; the OPA decision engine then evaluates those policies at run-time. Policy files are written in Rego, a declarative language designed for simplicity and flexibility.

Put another way, OPA is a tool that developers can use to create policies separately from their application logic, then use the OPA engine to apply those policies to whichever applications or services they deploy. 

As an open source tool, OPA can be freely downloaded and used by anyone. It also integrates well with a variety of other cloud services and open source platforms. 

Advantages of OPA

OPA is not the first or only policy-as-code tool out there. But it has become a popular solution in recent years because it was built first and foremost for cloud-native, microservices-based architectures.

Basic OPA use case

As an example of OPA at work, consider a vaccine scheduling application that needs to make decisions about whether to allow users to book appointments based on their eligibility. 

A developer might use OPA to define the eligibility rules as policy-as-code, spelling out which characteristics a user must have in order to book an appointment. When the eligibility rules change, developers can update the policy files without touching the application itself, keeping decisions accurate as “business” needs (which, in this case, means the eligibility requirements that govern vaccination scheduling) evolve.
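As an added example (not code from the article or from PlainID), here is what that eligibility policy could look like in Rego. The package name, the `input`/`data` field names and the two JSON files are assumptions; the eligibility thresholds live in `data.json`, separate from both the application and the policy, which is the separation the paragraph above describes.

```rego
# Added example, not from the article: a Rego policy for the vaccine
# scheduling scenario. Package, field and file names are assumptions.
package vaccine.scheduling

import rego.v1

# Deny by default: a booking request that matches no rule is rejected.
default allow := false

# Eligible by age. The threshold comes from data.json (below), so the
# business can lower it without touching the application or this file.
allow if {
	input.user.age >= data.eligibility.min_age
}

# Eligible by priority occupation, e.g. healthcare workers.
allow if {
	input.user.occupation in data.eligibility.priority_occupations
}

# Eligible by qualifying medical condition, but only when the user has
# consented to share that information with the scheduler.
allow if {
	input.user.consent_to_share_conditions == true
	some condition in input.user.conditions
	condition in data.eligibility.priority_conditions
}

# Record which rules fired so the application or an audit log can explain
# the decision without re-evaluating the policy.
reasons contains "minimum age" if input.user.age >= data.eligibility.min_age

reasons contains "priority occupation" if input.user.occupation in data.eligibility.priority_occupations

reasons contains "priority condition" if {
	input.user.consent_to_share_conditions == true
	some condition in input.user.conditions
	condition in data.eligibility.priority_conditions
}

# Constructed data.json (eligibility rules, owned by the business):
# {"eligibility": {"min_age": 65,
#                  "priority_occupations": ["healthcare", "care_home"],
#                  "priority_conditions": ["immunocompromised", "copd"]}}
#
# Constructed input.json (one booking request from the application):
# {"user": {"age": 42, "occupation": "teacher",
#           "consent_to_share_conditions": true,
#           "conditions": ["asthma", "copd"]}}
```

With the policy saved as `policy.rego` and the two JSON files beside it, `opa eval -d policy.rego -d data.json -i input.json 'data.vaccine.scheduling'` evaluates the request and returns both `allow` and `reasons`; changing `min_age` in `data.json` alters decisions without redeploying the application.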

Challenges in OPA

While the OPA framework can be great for implementing policy enforcement as code, it is subject to several shortcomings when used on its own.

Lack of central management

OPA lacks a cohesive, centralized system for keeping track of which policies exist and which rules they contain. This lack of functionality is particularly problematic in cases where businesses’ IT estates span across multiple applications, services and infrastructures. It becomes very difficult to manage controls and other rules efficiently and securely when teams don’t know which rules impact which parts of their environment.

Not business-centric

OPA is a tool created to serve the needs of developers first and foremost. It wasn’t designed to be business-centric or to align directly with business needs. 

To write accurate policies using OPA, developers must understand business needs – which is not always a straightforward prospect in enterprises with numerous business units and ever-changing business requirements. OPA itself does nothing to help translate business requirements into policies, or to allow for non-developers to define policy rules. 

What’s more, even if developers do fully understand business needs, there is no guarantee that they won’t make mistakes when writing policies that undercut the policies’ ability to serve business requirements. And because OPA on its own doesn’t allow for an approval process by the business, those errors may go undetected until they are being used to govern decision-making in production environments.

Lack of policy change-tracking

Policies are rarely a set-it-and-forget-it affair. Teams need to update them as business requirements change – as users come and go, user roles evolve, applications gain new features and so on. 

OPA allows developers to change policies, but doesn’t provide any built-in functionality for tracking those changes. If a developer makes a mistake during an update and needs to roll back to an earlier version of the policy, OPA itself doesn’t make that easy to do. Likewise, if the business needs to audit its policies or demonstrate how they have changed over time, OPA on its own is insufficient.

Central management with PlainID

PlainID Policy Manager allows businesses to keep track of their policies centrally, while simultaneously providing the flexibility to deploy those policies across a distributed environment that consists of multiple applications, services and other assets. The PlainID Policy Decision Point allows the same policies to serve different resources, making it possible for businesses to centralize their rules in a single set of policies that can govern any and all assets within their IT estate. 

And, because PlainID offers built-in policy version control, businesses can not only monitor new policies, but also track changes as policies evolve and revert to earlier versions easily if they need.

Insights and analytics

With PlainID, businesses are able not just to track their policies, but also to analyze and audit them systematically using a graphical UI that displays policies and maps their impacts.

Importantly, this analytics functionality is available to any business stakeholder. You don’t need to be a developer or be able to read code written in a language like Rego to understand your business’s policies when you use PlainID. Anyone can view and approve policies based on their alignment with business needs.

Risk and compliance improvements

PlainID helps businesses discover risks within their policies that could lead to security vulnerabilities, compliance violations and similar issues. 

In this way, PlainID helps organizations catch oversights introduced by developers when they write policies. It also helps ensure that policy rules meet the business’s unique security and compliance requirements, even if the developers who write the policies don’t always understand every facet of those requirements.

Developer solutions

While making policies more business-centric is one focus of PlainID, the platform also aims to help developers work faster and more effectively. 

PlainID provides a testing environment for the OPA policies, enabling developers to simulate the request and policy response before deployment. 

In addition, PlainID provides secure means to distribute the approved OPA policies across the technology stack. Developers are spared from handling the deployment process.

Manage the full OPA policy lifecycle

When businesses combine OPA with PlainID, they can master the full lifecycle that OPA policies undergo within the business:

Discover

PlainID helps businesses understand the risks they face and the policies they need to write to address them.

Certify

If policies meet business needs, they can be certified within Policy Manager and approved for use.

Create

Developers, or even business users, can use PlainID to write the OPA policies they need efficiently.

Deploy

Approved policies can be deployed to whichever components of the IT environment need them.

Simulate

Using PlainID, businesses can analyze the impact of new policies prior to deployment in order to simulate how the policies will affect their environment.

Examine

Existing policies can be audited and analyzed to identify unanticipated risks, as well as to keep ahead of changing policy needs.

Conclusion: Making the most out of OPA

OPA is an excellent open source tool for the policy-as-code approach. It’s easy to see why the OPA framework has become so popular over the past couple of years.

But when it comes to managing policies, OPA on its own comes up short. It does nothing to help businesses keep track of their policies, make sure policies align with business needs and keep policies up-to-date. 

OPA alone may be sufficient for small teams that are building just a single app and deploying it in a simple hosting environment. But for businesses that operate at any level of scale, and whose IT environments and PBAC control needs are not trivially simple, OPA on its own doesn’t deliver the manageability and business alignment that drive success.

PlainID solves these challenges by making it possible to plan, validate, deploy and monitor policies on an ongoing basis, while also updating them seamlessly whenever business needs change. With PlainID, your business can fully embrace OPA, without the risks and inefficiencies that come with relying on OPA in its raw form.


Taking the Next Step

To learn more, schedule a PlainID demo