Cisco: Policy Management for Enterprise Software Developers and Administrators

“The Evolution of Policy Management must include requests
and their support frames
like Kubernetes
with public cloud, microservices and APIs.”

As drivers, we often take our driver’s license for granted – unless you’re one of my 16-year-old twin daughters!
In states and countries with reciprocal agreements, driver’s licenses allow the authority to use public highways and set privilege levels or endorsements, such as private automobile, motorcycle, truck business, etc. Imagine a world where this permission was not uniformly defined or enforced reciprocally – it would be very inconvenient to need to obtain new credentials every time we cross a state or country border!

Network infrastructure architects, developers, and administrators are likely familiar with policy management features in Cisco ACI, Cisco Identity Services Engine (ISE), and Cisco Policy Suite data center solutions. They enable Zero-Trust Security, SD-WAN and Mobility services. By extension, the evolution of policy management must include applications and their supporting frameworks, such as Kubernetes with public cloud, microservices, and APIs.

Combine the management policy of your network infrastructure with that of your applications

Cisco realized the need to combine the policy management of the network infrastructure with that of the applications flowing in the higher layers. The idea of ​​“if you are authenticated, you have carte blanche” is long gone. More secure and sophisticated environments must operate on the principle of least privilege. The transition to more controlled access can seem to stifle innovation and progress, but it is not necessary! A software developer can embrace agile software development principles, but that doesn’t exempt them from security best practices. Their users and customers expect a smooth experience, but security must be everywhere. Ideally, customer experience (CX) becomes a differentiator.

The advent of the Open Policy Agent (OPA)

Moving away from too broad and privileged access requires a different approach. The industry has recognized the inefficiency of having many bespoke authorization systems and the lack of standardization in the application of policy. The Open Policy Agent (OPA) was born as a general-purpose policy engine, decouple political decision-making from policy enforcement.

Out of mutual interest, Cisco and Styra started the OPA project in the summer of 2018. Styra donated OPA to the Cloud Native Computing Foundation (CNCF) (the governing body for all cloud native open source projects) in March 2018. In three years of open review by industry leaders, OPA became the 15th open-source project and the first permission-focused to achieve “graduate project” status.

Automated policy integrations in public clouds

With OPA, a developer-admin manages policy decisions for Kubernetes and microservices through automated policy integrations in public clouds through its single, unified policy language. Think of it as “policy as code,” as this image shows.

The outlook for developers, especially cross-domain ones, is very exciting as we glue these systems together! The network infrastructure with the application layer in policy harmony is a reality.

Takeover advantages

OPA was created for use by a policy administrator or software developer. It addresses the difficult areas of permission policy management:

  • How do you write and express the authorization policy?

  • How do I provide a policy engine that makes decisions using a policy file?

  • How do you debug strategy or check performance?

  • How do you integrate external software?

The above policy file defines services and permission settings in an easy-to-read and programmatically convenient YAML file format. These files can be created, modified, and exchanged through software programs that make the policy architecture more automated. From a maintenance perspective, policy files can be version controlled, checked in, and reviewed in a git repository. Operationally, the environment could be deployed in managed Docker containers with Kubernetes for extreme resiliency and performance.

Scaling policy and operations management

Once organizations realize the benefits of standardized permission policy management, the next logical consideration is to scale it. Styra has Declarative Authorization Service (DAS) to operationalize OPA for the enterprise without having to spend time and resources building from scratch. It provides native support for the most popular OPA integrations and keeps them updated to support new software releases. The list of integrations keeps growing and includes Kubernetes admission control, microservices, cloud configuration, and more.

This reduces your integration, application, performance, release management, and deployment efforts. By implementing Styra DAS, the policy framework and predefined rules are already included so you know what controls an integration provides. If you have other interests, try Styra’s DAS for free at

I hope you can imagine a glimpse of what the future holds as we merge network infrastructure authorization policy with application layer policy. This vision is why Cisco is partnering with Styra and is another example of “The Bridge to Possible.”

Cisco Developer Relations is committed to helping the developer community and we believe Styra is too.

We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social media!

LinkedIn | Twitter @CiscoDevNet | Facebook | Developer Video Channel