IT compliance-as-code tool makes Kubernetes security inroads

As Kubernetes security and compliance as code move to the top of IT priority lists, the company behind a popular open source project in that field is refining its SaaS product.

The company, Styra, offers IT compliance as code and technical support based on the Open Policy Agent (OPA), which caught the attention of Kubernetes security practitioners last year. The OPA is a declarative means to apply security and compliance policies to the container orchestration platform.

Styra's SaaS product, the Declarative Authorization Service (DAS), added refinements this month to boost its appeal to paying enterprise customers. Those features include a curated set of Kubernetes Pod security policies that may give enterprise IT shops a leg up with compliance as code in OPA's Rego programming language. The new release also adds a feature called mutating webhooks that can enforce policies as apps move into production by swapping out elements, such as container images, that don't pass IT compliance muster with ones that do.

Frontdoor Inc., a 5,000-employee spinoff of ServiceMaster that is the parent company to brands like American Home Shield, plans to use OPA and Styra DAS for Kubernetes security, as well as compliance as code for apps such as MongoDB. Compliance as code is considered a core component of the cloud-native architecture for the company going forward.

For us, it's about [enforcing] policies at runtime or the instantiation of a service. These are some of the features that should be incorporated into the [Styra] product, or you still have a problem you have to solve with other tools.

"We started out like a lot of companies -- many engineering teams want to adopt open source technologies and roll their own [services]," said Marlene Veum, director of security engineering at Frontdoor, based in Memphis, Tenn. "You get so far and say, 'That's great, but it would also be nice to have the support from and interaction with the people sponsoring it' … which gives us the ability to grow into support features with them as we roll out [OPA]."

The DAS mutating webhooks feature will be useful as Frontdoor's use of OPA and DAS grows, Veum predicted.

"Policy bundles are kind of a given -- for us, it's about [enforcing] policies at runtime or the instantiation of a service," she said. "These are some of the features that should be incorporated into the [Styra] product, or you still have a problem you have to solve with other tools."

Styra must turn open source momentum into revenue

Styra DAS is among a handful of vendor tools based on Rego that can extend policy-based security features to Kubernetes and other cloud-native platforms. Others include the Fugue Rego Toolkit and Palo Alto Networks' Prisma Cloud. Styra must also compete with other compliance-as-code tools, such as Chef InSpec and HashiCorp's Sentinel, which pairs with Terraform infrastructure as code.

Styra's co-founders, Teemu Koponen, Torin Sandall and Tim Hinrichs, created OPA and donated it to the Cloud Native Computing Foundation last summer, a few months before the company came out of stealth with DAS. OPA quickly rose to prominence in the Kubernetes security world, and formed the basis for the Kubernetes Gatekeeper admission controller project launched in August and maintained by Google, Microsoft, Red Hat and Styra.

Styra's early momentum in open source has been impressive, said Fernando Montenegro, an analyst at 451 Research, a division of S&P Global Market Intelligence. But that doesn't guarantee success as a business, especially as Styra faces the kind of open core business challenges that have stymied other vendors with strong open source momentum, such as Docker. Styra reports about 20 paying customers for its product so far, according to CEO Bill Mann.

"Policy as code is a great design pattern, but I question how exactly Styra the company is going to navigate based on the success of the open source project," Montenegro said. "The commercial product has more attractiveness to a security buyer, whereas the cloud engineering team might be happy with the open source OPA project itself and associated projects around it [such as] Gatekeeper."

As an early customer of Styra DAS, Frontdoor's Veum said she'd like to see the product make it easier for inexperienced compliance-as-code writers to write policies in Rego. A feature that translates regular expressions from other languages and frameworks into Rego, which can be tricky for newcomers, would be ideal, she said.

"Rego is the policy engine, but abstracting that with some overlay tool where you can put in a policy in more layman's terms that could get rendered into the Rego is one of the features our team is working on," Veum said.