#126
June 19, 2023

EP126 What is Policy as Code and How Can It Help You Secure Your Cloud Environment?

Guest:

29:29

Topics covered:

  • What is a policy, is that the same as a control, or is there a difference? And what’s the gap between a policy and a guardrail? 
  • We have IaC, so what is this Policy as Code? Is this about security policy or all policies for cloud?
  • Who do I hire to write and update my policy as code? Do I need to be a coder to create policy now?
  • Who should own the implementation of Policy as Code? Is Policy as Code something that security needs to be driving? Is it the DevOps or Platform Engineering teams?
  • How do organizations grow into safely rolling out new policy as code?
  • You [Mondoo] say that "cnspec assesses your entire infrastructure's security and compliance" and this problem has been unsolved for as long as the cloud existed. Will your toolset change this?
  • There are other frameworks that exist for security testing, like HashiCorp’s Sentinel, Open Policy Agent, etc., and you are proposing a new one with MQL. Why do we need another security framework?
  • What are some of the success metrics when adopting Policy as Code?
