Compliance is one of those tasks that trips up developers again and again. More often than anyone cares to admit, developers finish an application only to discover that any number of compliance controls were overlooked. Sometimes bringing that application into compliance is trivial. Other times it can delay the rollout by months.
To help mitigate this issue, Salesforce this week added a Heroku Shield module to Heroku Enterprise, its container-based platform-as-a-service (PaaS) environment available to IT organizations needing access to a dedicated platform running on Amazon Web Services (AWS). Dylan Steele, vice president of marketing for the Salesforce platform, says Heroku Shield enables developers to comply with a broad range of mandates ranging from payment card standards to any number of healthcare regulations. The goal is to automate meeting regulation compliance by making it possible for developers to automatically add the appropriate controls to their applications.
Heroku Shield requires encryption of data at rest and enforces a stricter TLS configuration for applications deployed in a Shield Private Space. It also restricts inbound traffic to trusted IP ranges and manages application-level authentication tokens.
The move is part of the effort to shift left more of the responsibility for IT security, by making it easier for developers to address security and compliance issues early in the application development process. That’s when the cost of fixing those issues is substantially less than when that application is deployed in a production environment.
In general, there's not a lot of love lost between developers and auditors. Developers often feel that the controls needed to achieve compliance are not all that clear. Auditors feel that many developers are simply too lazy to implement the appropriate controls in the first place. In truth, however, there's a lot of commonality among the controls required to meet various compliance requirements. That creates a lot of opportunity for PaaS environments that abstract the underlying infrastructure away from developers to automate implementing a broad range of compliance and security controls. Platform-level controls cover the shared infrastructure, though; application-specific controls such as authorization logic and the handling of regulated data inside the code remain the developer's responsibility. The biggest issue now may simply be making developers aware of what the platform can take off their plate.
In the meantime, DevOps teams that regularly struggle with compliance issues at the back end of an application release cycle might want to reconsider their approach. Whether it involves a PaaS environment or not, there’s a strong case to be made for moving testing of compliance controls as far left as possible in the application development process. Not only does that approach minimize the number of compliance issues that may arise before and after an application is deployed, but the documentation generated during the development process should substantially reduce the amount of time auditors spend crawling over and around an IT environment. That’s critical, since most auditors charge by the hour, and every minute they spend on an audit also increases the probability of finding something else that needs to be fixed.