
Cloud Security Podcast by Google


Jun 19, 2023

Guests: 

Cooked questions:

  • What is a policy? Is it the same as a control, or is there a difference? And what’s the gap between a policy and a guardrail?

  • We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud?

  • Who do I hire to write and update my Policy as Code? Do I need to be a coder to create policy now?

  • Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams?

  • How do organizations grow into safely rolling out new Policy as Code code?

  • You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance", and this problem has been unsolved for as long as the cloud has existed. Will your toolset change this?

  • There are other frameworks for security testing, like HashiCorp’s Sentinel, Open Policy Agent, etc., and you are proposing a new one with MQL. Why do we need another security framework?

  • What are some of the success metrics when adopting Policy as Code?

Resources: