Armory Introduces Spinnaker Policy Engine to Enable Developer Guardrails Across the SDLC
Nov 12, 2019 by Armory
Note: This news was announced here as a press release on 11/12/2019.
Armory’s newly released Open Policy Agent (OPA)-based Policy Engine for SDLC gives enterprises fine-grained control of the software delivery process by providing the hooks necessary to perform extensive verification of pipelines, processes, and policies in Spinnaker.
The new Policy Engine for SDLC unleashes the full power of Spinnaker with automation to harness the promise of multicloud delivery environments. Armory scales and automates policies across the entire SDLC, putting you in control no matter how complex your delivery infrastructure or regulatory environment.
With the Armory Policy Engine for SDLC, you can set guardrails and controls per-application, per-pipeline or per-project to manage and enforce security, regulatory, compliance or business policies using granular role-based entitlement. Unlike other proprietary policy engines, Armory’s OPA-based Policy Engine for SDLC deeply integrates with many enterprise systems of record. It provides a trusted, single pane of glass for management and control as part of a rigorous, intelligent platform that lets you “set-and-forget.”
Unleashing the Power and Automation of Spinnaker, With Guardrails
You want to move fast and innovate but can’t sacrifice compliance with regulations, internal policies, and security best practices. Companies with complex security policies or in highly regulated industries with multiple compliance standards — FedRAMP, SOC 2, NIST, or ISO, for example — find this problem especially painful. Armory’s Policy Engine for SDLC enables automatic adherence to these requirements.
Your company likely struggles with the bottleneck many organizations face as they adopt automation in delivery and service ownership: hesitation to hand over full control to DevOps until compliance guarantees are in place. Policy requirements and context are fragmented across systems of record, and security teams must review changes for compliance. The Armory Policy Engine for SDLC is context-aware across the SDLC and connects to systems of record within the enterprise. It automatically infers context to confidently craft policies, from code commit to the point at which a service or feature ends up in customers’ hands. Now, your teams can deploy a single policy engine across the SDLC instead of enforcing siloed policies or creating home-grown policy engines. The result? Break down silos and bottlenecks to accelerate delivery while maintaining the guardrails required by your internal or industry policies.
The process of identifying compliance gaps and updating policies across your SDLC as regulations change requires manual work that slows software delivery. Armory’s Policy Engine for SDLC centralizes the creation, application, and continuous updating of policies for a trusted set-and-forget policy model. You can instantly identify compliance gaps and set policies to bring your organization into compliance. You can also create custom policies. For example, set ISO 27000 compliance policies with Policy Engine for SDLC, and it will continuously update policy definitions while monitoring for compliance — removing the burden of manual updates.
Armory Makes Your SDLC Standardized, Streamlined, Compliant and Cost-Effective
Armory Spinnaker is cloud-neutral, cloud-agnostic and vendor-lock-in-free, allowing you to streamline and standardize your SDLC. With Policy Engine for SDLC, you can manage policies across your entire SDLC with context and fine-grained controls. These include regulatory, compliance, operational, security, and business policies, including a focus on enterprise ROI.
Armory’s single pane of glass view across Spinnaker and the SDLC gives the policy engine insight and context for automated decisions on optimizing ROI for cloud delivery decisions, so you can avoid costly mistakes, security failures and compliance violations.
Business, Cost, and Continuity Policies
Drive automated ROI optimization and maximize delivery performance.
- Harness multi-cloud delivery targets with confident, automatic policies that put your company’s best interests first.
- Automate application routing based on company policies for cost/performance ratios.
- Enforce cost allocation for cloud providers.
Guardrail and RBAC Policies
Leverage automation to strike a balance between DevOps empowerment and guardrails.
- Ensure operational and security hygiene for pipeline management.
- Implement least-privilege policies based on RBAC.
- Combine policy enforcement with granular, role-based entitlement.
Implement automated policies at every stage based on your DevOps and delivery requirements.
- Conform to best practices by requiring certain stages and attributes (e.g., require a security stage). See demo here.
- Evaluate conditions at pipeline runtime, including: Who hit the button in the checkpoint step? Does the stage cause the system to go out of spec?
- Ensure manual judgements in pipelines. See demo here.
Achieve service ownership while adhering to required security policies.
- Prevent the exposure of unprotected resources (e.g., S3, load balancers).
- Enforce built-in policies before deploys, instead of after.
- Validate that the results of a certain run are compliant.
Regulatory and Compliance Policies
Automate compliance with existing and emerging regulations across your SDLC.
- Ensure that a given stage in your pipeline is executed successfully and meets compliance criteria before deployments.
- Apply best-practice policies for FedRAMP, ISO 27000, SOC 2, and PCI DSS compliance across groups of applications.
- Enforce mandatory checks to ensure compliance with requirements.
Armory Policy Engine for SDLC: Product and Implementation Details
The Armory Policy Engine for SDLC is based on the trusted OPA framework. The selection of OPA is aligned with our philosophy of providing a cloud-agnostic, neutral framework that does not create vendor lock-in. OPA provides a high-level declarative language that lets you specify policy-as-code, and simple APIs to offload policy decision-making. Implementation of the policy agent uses OPA-style policy documents to perform validation of pipelines during creation and updates via the familiar ‘input’ variable. See a demo here.
You can apply policies on a per-application, per-pipeline, per-pipeline-stage, or per-project basis, and policies can be applied to stages as they are dynamically generated. Future versions of the Policy Engine for SDLC will ship with predefined policies.