Article

Automate Fine-Grained Access Controls with Policy-as-Code

Writing or modifying scripts, managing templates, or creating policy for cloud data access control platforms is historically a manual process. Assuming there is very little maintenance, doing this process once may be sufficient — but that assumption is never realistic. Complicating this further is the need to manually replicate this environment at scale to other regions, availability zones, and across test and development situations. And even testing can be fraught with a reasonable desire to run fully developed test setups in production — so-called “blue” environments — while keeping the current “green” environment running in parallel. This is especially for mission-critical data access control scenarios.

Vivek Rau, an engineer at Google, summed up this type of work as “toil”:

“Toil is the kind of work tied to running a production service that tends to be manual, repetitive, automatable, tactical, devoid of enduring value, and that scales linearly as a service grows.”

He goes on to point out how toil can cause career stagnation, low morale, confusion, process delays, negative precedents, attrition, and skepticism of overall processes.

Immuta’s Policy-as-Code replaces the toil of access control scripts, templates, and policy creation from scratch. This is done using a DevOps type of continuous integration and delivery (CI/CD) pipeline, complete with version control repositories, validation, consistency, testing, committing, trunks, branching, backporting, and so on. Additionally, this can also fit in with bigger DevOps processes and tooling around the building and maintenance of broader data stacks, powering a huge degree of automation.

Before Policy-as-Code, consistently managing critical policy on highly sensitive data with just the standard web interface GUI and no DevOps-style repository would be toil — a lot of toil. Correctly filtering records across different cloud availability zones and regions, production and non-production environments, geographies, and various cloud data platforms and services, against a growing set of rules for access control without a documentable, automated change management process, is both toilsome and error prone.

But, What Is Immuta?

Immuta is the universal cloud data access control platform that provides consistent and automated access control across heterogeneous compute platforms, including geographically diverse cloud data environments, and provides APIs to further automate and manage deployment of sensitive data.

Introducing the New Policy-as-Code Command Line Interface

With our new product release, we’ve enhanced Immuta’s Policy-as-Code capabilities with a new command line interface (CLI). This enables data engineering and operations teams to fully automate and scale sensitive data management into their build pipelines by codifying policy configuration, eliminating a huge amount of toil.

The Immuta CLI allows you to have all your policies, data sources, purposes, and projects defined in a git repository as a set of plain text, human readable, configuration YAML files. Existing change management systems, such as git workflows, can be used to request changes, track history, and get approvals for changes, DevOps style. The CLI can also be leveraged in your build pipeline to keep your Immuta instance in sync with your git repository after changes have been merged.

These capabilities allow for massive scalability, automation, and reliability. Now, you are able to use an existing starter policy — including auditing and tracking — to create similar, consistent policies across different AWS, GCP, or Azure zones, regions, or instances — without having to start from scratch. You can even manage and automate those edits with other configuration automation tools that build your data stack, such as Chef and Puppet.

With this feature, a baseline set of images for the data platform stack, with a set of baseline configurations, can now have a baseline set of access controls applied. The result is end-to-end stability and efficiency across multiple heterogeneous data platform stacks, including data lakehouses.

Without Immuta CLI:
Policy lacks portability and repeatability, with risk from drift, gaps, rework, and potential errors.

With Immuta CLI:
Centralized configuration(s) for multiple access control plane(s), providing consistent policy enforcement in differing regions, availability zones, and clouds.

Beauty Is in the Eye of the Beholder

For Data Owners, Line of Business Teams, and Security & Legal Stakeholders, UI is beautiful and includes an explainable policy builder.

For Data Engineers and Operations Teams, CLI is beautiful and automates the UI.

What Are the Key Features of the Immuta CLI?

The Immuta CLI allows data engineering and operations teams to:

  • Manage metadata and policies via declarative files that can be source, controlled, and change-managed
  • Push changes to Immuta using declarative files
  • Create policies using declarative configuration files, such as YAML
  • Test plans for configuration updates before provisioning policies

How Can You Use It in Your Workflows?

Data engineering and operations teams can programmatically integrate the world’s most powerful explainable policy builder, using easy-to-understand declarative files, into their DataOps tool chains. This allows you to:

  • Define data sources and policies in files that can be tracked in git and easily pushed to Immuta
  • Codify your access control policy configuration
  • Manage governance policies across availability zones, regions, and cloud data platforms
  • Create auditable, reproducible governance configurations, allowing change management, rollbacks, and blue and green testing

See It in Action

Immuta’s Policy-as-Code is a reliable, automated, low-error, highly scalable, and ultimately low-toil way of managing access control across many cloud platforms and geographies. The ability to industrialize data platform builds by hooking into other automation tools allows data engineering and operations teams to leverage best-of-breed technologies without additional manual processes and toil.

Check out this recorded demo showing the Immuta CLI in action, managing a cross-platform policy that segments and masks data by the user’s region.