Template-Driven Intent-Based Security

What is claimed is: 1 . A computer-implemented method for template-driven, intend-based security, the method comprising: receiving a target, the target specifying workloads of a plurality of workloads to be included in the security policy, the plurality of workloads being associated with the cloud computing environment; identifying nodes and edges in the graph database using the target, the graph database representing the plurality of workloads as nodes and relationships between the plurality of workloads as edges; getting a security intent, the security intent including a high-level security objective in a natural language; obtaining a security template associated with the security intent; and applying the security template to the identified nodes and edges to produce security rules for the security policy, the security rules at least one of allowing and denying communications between the target and other workloads of the plurality of workloads. 2 . The computer-implemented method of claim 1 wherein the target includes an attribute, and the identifying nodes and edges in the graph database finds nodes in the graph database matching the attribute. 3 . The computer-implemented method of claim 2 wherein the attribute can be at least one of an application name, application function, business organization, realm, location, and Internet. 4 . The computer-implemented method of claim 1 wherein the security template is in at least one of Jinja, Jinja2, JavaScript Object Notation, YAML Ain't Markup Language, and Open Policy Agent. 5 . The computer-implemented method of claim 1 wherein the security intent can be at least one of whitelist isolation, whitelist separation, best practices for an application type, regulatory requirement, and user-specified template. 6 . The computer-implemented method of claim 2 wherein the security policy is in at least one of a JavaScript Object Notation document, YAML Ain't Markup Language document, and Open Policy Agent rule. 7 . The computer-implemented method of claim 1 further comprising: gathering data about the cloud computing environment; updating the graph database using the data; and deploying the security policy in the cloud computing environment. 8 . The computer-implemented method of claim 1 , wherein the data includes at least one of streaming telemetry from network logs, events from a cloud control plane, and inventory from a configuration management database. 9 . The computer-implemented method of claim 1 , wherein the deploying is performed by a cloud driver using a topology and inventory of the cloud computing environment, the cloud driver communicating with the cloud computing environment using an application programming interface of the cloud computing environment. 10 . The computer-implemented method of claim 1 , wherein the cloud computing environment is hosted by a plurality of different cloud services. 11 . A system for managing security in a cloud computing environment, the system comprising: a processor; and a memory communicatively coupled to the processor, the memory storing instructions executable by the processor to perform a method comprising: receiving a target, the target specifying workloads of a plurality of workloads to be included in the security policy, the plurality of workloads being associated with the cloud computing environment; identifying nodes and edges in the graph database using the target, the graph database representing the plurality of workloads as nodes and relationships between the plurality of workloads as edges; getting a security intent, the security intent including a high-level security objective in a natural language; obtaining a security template associated with the security intent; and applying the security template to the identified nodes and edges to produce security rules for the security policy, the security rules at least one of allowing and denying communications between the target and other workloads of the plurality of workloads. 12 . The system of claim 11 wherein the target includes an attribute, and the identifying nodes and edges in the graph database finds nodes in the graph database matching the attribute. 13 . The system of claim 12 wherein the attribute can be at least one of an application name, application function, business organization, realm, location, and Internet. 14 . The system of claim 11 wherein the security template is in at least one of Jinja, Jinja2, JavaScript Object Notation, YAML Ain't Markup Language, and Open Policy Agent. 15 . The system of claim 11 wherein the security intent can be at least one of whitelist isolation, whitelist separation, best practices for an application type, regulatory requirement, and user-specified template. 16 . The system of claim 12 wherein the security policy is in at least one of a JavaScript Object Notation document, YAML Ain't Markup Language document, and Open Policy Agent rule. 17 . The system of claim 11 wherein the method further comprises: gathering data about the cloud computing environment; updating the graph database using the data; and deploying the security policy in the cloud computing environment. 18 . The computer-implemented method of claim 11 , wherein the data includes at least one of streaming telemetry from network logs, events from a cloud control plane, and inventory from a configuration management database. 19 . The computer-implemented method of claim 11 , wherein the deploying is performed by a cloud driver using a topology and inventory of the cloud computing environment, the cloud driver communicating with the cloud computing environment using an application programming interface of the cloud computing environment. 20 . A system for managing security in a cloud computing environment, the system comprising: means for receiving a target, the target specifying workloads of a plurality of workloads to be included in the security policy, the plurality of workloads being associated with the cloud computing environment; means for identifying nodes and edges in the graph database using the target, the graph database representing the plurality of workloads as nodes and relationships between the plurality of workloads as edges; means for getting a security intent, the security intent including a high-level security objective in a natural language; means for obtaining a security template associated with the security intent; and means for applying the security template to the identified nodes and edges to produce security rules for the security policy, the security rules at least one of allowing and denying communications between the target and other workloads of the plurality of workloads.