Laptop Displaying the GigaOm Research Portal

Get your Free GigaOm account today.

Access complimentary GigaOm content by signing up for a FREE GigaOm account today — or upgrade to premium for full access to the GigaOm research catalog. Join now and uncover what you’ve been missing!

Key Criteria for Evaluating Policy as Code Solutionsv1.0

An Evaluation Guide for Technology Decision Makers

Table of Contents

  1. Summary
  2. Policy as Code Primer
  3. Report Methodology
  4. Decision Criteria Analysis
  5. Evaluation Metrics
  6. Key Criteria: Impact Analysis
  7. Analyst’s Take

1. Summary

Organizations create, manage, update, and remove policies that provide guidance on how people should behave or perform their jobs. These policies can be derived from industry or regulatory standards or from learned behavior, or be set by senior executives who wish for the organization to act or behave in a certain way. However, policies that are difficult to find are difficult to enforce, and policies that are difficult to enforce ultimately increase risk.

Consider, for example, a simple policy that states that office visitors must park in designated visitor parking spaces. If there’s no sign in the parking lot that indicates this, visitors will be unaware of the policy and may not notice or find the designated spots. Thus, a sign that documents the policy and is easy to find can help with enforcement, though if visitors don’t notice the sign, they may still park in the wrong space. If, instead, the company places a fence around the parking spaces visitors shouldn’t use, they will have no choice but to park in a designated parking space, whether they have read the policy or not.

When it comes to developing IT infrastructure or software components, the same challenges exist in organizations. Policies need to exist, be visible, and have some method of enforcement. Without these capabilities, organizations may release software or IT infrastructure components that don’t adhere to standards, best practices, or security guidelines and expose themselves to immense risk. Furthermore, organizations that are in regulated industries or need to adhere to specific compliance standards must be able to demonstrate that specific controls are in place, and must do so on a regular basis.

To address these needs, organizations can leverage policy as code solutions to create a centralized repository that contains industry regulatory policies, IT standards, best practices, and other custom organizational policies. These policies can dictate exactly how something should be configured or which types of systems may interact with each other. By enforcing policies, rules, and best practices across the software development lifecycle (SDLC), organizations can safely speed up innovation and scale up security, governance, and compliance. Additionally, these solutions help provide attestation during regular audits and reduce the cost and effort of compliance audits.

This GigaOm Key Criteria report details the criteria and evaluation metrics for selecting an effective policy as code platform. The companion GigaOm Radar report identifies vendors and products that excel in those criteria and metrics. Together, these reports provide an overview of the category and its underlying technology, identify leading policy as code offerings, and help decision-makers evaluate these platforms so they can make a more informed investment decision.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.