Even though larger cloud providers offer security and implementation guidelines, companies still face significant risks and challenges when deploying secure applications to the cloud. A new class of security-focused cloud platforms promises to bridge this gap, bringing best-practices and regulatory compliance with the convenience of platform as a service (PaaS).
Notable examples of this type of company include Datica, Healthcare Blocks and Aptible, all founded in 2013 and all container-based. These companies boast elite security and DevOps teams that work to secure their products and write new features.
Their services are available at low price points and provide a convenient security framework that allows their customers to focus their development efforts on function rather than security.
For example, startups with limited resources can use these platforms to become more capable to demonstrate their unique value to customers. Small hospitals that cannot afford in-house information security or development teams have a far better chance of success using the standard features of these services and the support of season IT professionals that comes with them. Large enterprises and government organizations could benefit from the modern DevOps tooling such as continuous integration and containers built into the products to increase business agility.
Datica, Healthcare Blocks and Aptible, have already served a wide range of customers, including large government organizations, medical practices, hospitals and health/financial tech startups:
- The U.S. Department of Veterans Affairs partnered with Datica to deploy new tools more quickly and gain new insights to patient behavior.
- The Greater Colorado Anesthesia medical practice used Healthcare Blocks to migrate several on-premises clinical applications to the cloud.
- Retail telepharmacy software provider TelePharm credits Aptible with extending its development team.
[Related: -->The business case for telepharmacy]
What do security cloud platforms do?
The following technical features found in security cloud platforms have become table stakes:
- "Push to deploy" git-based automation that is now standard in continuous integration workflows
- Ease of scaling to many application instances
- Wide support for different technologies from the rising Go programming language to traditional J2EE setups
- Secret management services for API keys and passwords
- Detailed performance metrics and alerts for servers and databases
- Setup and management of Virtual Private Clouds (VPCs) to reduce network exposure risks
- VPN tunnel support for secure integrations to partners and on-premise installations
- Load-balancing across multiple application instances
- Host-level isolation
- SSL termination
- Compliant handling of application logs
- At-rest database encryption with automated backups
- Intrusion detection systems (IDS) integrations, available or built-in
- Operating system hardening
- Disaster recovery
- Emergency 24/7 support
Modern deployment infrastructures are notoriously complex, consisting of hundreds of services that must all be maintained, updated, reconfigured and patched. This is an especially important activity in secure environments, as neglect of their upkeep often results in critical security vulnerabilities. These new platforms promise to simplify management and vastly reduce such risks by providing secure deployment defaults and aggressively refining their technology and policies across all customers.
[Related: -->Rugged devops: Build security into software development]
For example, when the POODLE, Shellshock and Heartbleed vulnerabilities hit, customers using secure PaaS had to do little more than await updates from their vendors, which came within just hours. This was made possible by the underlying container technologies and managed components such as load balancers, reverse proxies and data stores. The reduction in DevOps responsibilities allow teams to move forward on application development instead of dropping everything to put out new fires.
The platforms typically include access management schemes and policy controls for a customer's organization. These settings allow administrators to dictate "who can see or change what," and are important for audits, risk assessments and compliance. Customers are given tools and documentation made to be helpful in passing security checks by regulators and prospective clients.
However, blind trust in these platforms is not advised, as data security is a very delicate matter. For example, few if any protections are provided at the application layer. A page containing sensitive data without password protection would still constitute a data breach, even on these services. As always, understanding the gamut of what these systems do or don't provide is essential to using them effectively. Security through transparency is an industry best practice, and many of these vendors readily provide their security architectures on their websites for review.
These companies offer several different plans, ranging from monthly billing based on resource usage to bespoke enterprise contracts for complex requirements. The industry is new enough that standardization is still actively emerging, and the companies will often offer consulting services to onboard new customers. In fact, the platforms mentioned above are all members of the AWS Partner Network.
While self-serve options are offered for standard application configurations, secure PaaS vendors will readily take meetings to discuss the intricacies of securely deploying their services for new customers. The customer's development teams can then explore the product offerings via inexpensive trials, having their questions and concerns further addressed by the vendor's technical support staff.
These technologies have great potential to lower the barrier to entry for tech companies in regulated environments such as healthcare and fintech, allowing more progress with far fewer resources. Likewise, they could grant enterprises an edge to their internal teams, unlocking the sort of innovation and problem-solving that is enabled with autonomy and lean thinking.