Announcing the Future of Cloud Compliance: The Datica Cloud Compliance Management System

Back in 2013 when we started this journey, several conditions existed which prompted us to build the first and only compliant platform-as-a-service:

That was then…

• The HIPAA Omnibus Final Rule was signed, and a lot of confusion existed as to what compliance on the cloud actually looked like
• AWS was the only major public cloud provider who signed a worthwhile BAA
• Within their BAA, only 4 services were actually “HIPAA eligible”
• Microservices hadn’t yet taken off
• Docker was barely 1.0
• Public availability of Kubernetes wasn’t even a thing
• Other PaaS products like Heroku didn’t yet sign BAAs

The options for cloud infrastructure were limited for digital health apps, creating one of the many constraints on their success. Catalyze.io, which we later rebranded to Datica in February 2017, changed the game by providing a container-based deployment mechanism for cloud native environments that was 100% HIPAA compliant and HITRUST CSF Certified.

Fast forward five years. It’s incredible how much the technology world has changed, and for the better.

…This is now

• AWS, Azure, and Google Cloud all sign rock-solid BAAs
• There are over 100 “HIPAA eligible” services across those clouds
• Compliance is now more confidently understood on the cloud
• Cloud native architectures are substantially more mature due to the global efforts of Docker, Kubernetes, et al
• Microservices and managed services rule the day

While a Compliant PaaS model has immense value for n-tier digital health applications looking to offload the entirety of DevOps and DevSecOps obligations, the fact is, in 2018, digital health applications simply demand more options with emerging cloud technology.

Datica saw this in 2017, which is why we launched our Compliant Kubernetes Service (CKS) in March 2018, the only HITRUST CSF Certified k8s cluster in the world. Customers told us how badly they wanted to use Kubernetes, but there were no good compliant options in 2017. CKS is a bridge product to help satisfy compliant k8s use cases for more complex digital health apps. Since then, all three major clouds now include their respective Kubernetes managed service in their respective BAAs, but attestation is proving hard for customers since so much of the configuration information required for assessments is unavailable via APIs or UIs. (Simple example: customers can’t ascertain the OS or OS version running a k8s cluster.) Datica CKS has a role to play until the healthcare developers can successfully attest to assessments with other managed Kubernetes services.

The immediate problem with CKS, however, is that the Datica promise of compliance only extends to the k8s cluster itself. Most of the engineering world is interested in combining application orchestration platforms like Kubernetes with existing managed services, like managed databases AWS RDS, Azure Cosmos DB, or GCP Cloud SQL. Most people we talk to have a constellation of managed services comprising their cloud environment. Beginning at the start of 2018, we asked ourselves, “How can we empower digital health to adapt to the future of managed and microservices?”

That question drove the development of the CCMS.

The answer started with a fundamental shift in philosophy from Datica. The future of compliance is less a controlling one where we guarantee compliance by owning root on hosts, but rather a SaaS-based one that empowers endless number of architecture permutations based on the needs and desires of developers.

The challenge is the opaque responsibility hoisted on developers.

• Most developers are unsure the exact configurations of certain managed services in order to map to specific framework controls.
• Most developers are confused about the relationship between Privacy, Security, and Compliance—no, you are not compliant just by doing security things.
• Most developers are unaware that compliance attestation is a 24/7 monitoring exercise, and not a set-it-and-forget-it job.
• Most developers are mistaken that because their given cloud is compliant, the Shared Responsibility model means their business is now compliant. That is unequivocally false.

The CCMS solves those issues for developers. It is a SaaS tool which monitors the configuration states of supported managed services across the three major clouds. Each configuration is explicitly audited against the HITRUST CSF, ensuring that if adopted, the configured managed service should pass a HITRUST CSF assessment.

Along with the announcement of the CCMS, we also launched free configuration guides for the three most basic managed database services across AWS, Azure, and GCP.

• AWS RDS
• Azure Cosmos DB configuration guide
• Google Cloud SQL configuration guide

Each guide gives a step-by-step walkthrough on how to configure the respective service to the HITRUST CSF. We will be launching more guides throughout the fall. Each guide will be an example of how the CCMS will function.

Empowering developers is the future of digital health

We believe so strongly in the present and future situation that we wrote a book about it, launching last month. Complete Cloud Compliance is a 100-page explanation of the conditions of compliant, the cloud, and data interoperability that lead healthcare technology to where it is today, but more importantly where it is moving in the future.

The book will be generally available for purchase (at cost) later this year. To sign up to be notified of availability, head over to completecloudcompliance.com.

The CCMS is generally available in early 2019

We are diligently building the CCMS and working toward a generally available release. Existing Datica customers will get a limited availablility preview this fall, with new customers being able to sign up in early 2019.

So why are we announcing this today?

In short: Because there is no use in waiting to discuss the future.

It’s to everyone’s advantage to start talking about what empowering digital health developers looks like on the modern cloud. It’s to our advantage to get feedback from people like you on which cloud services matter to you. (Fill out a survey here to let us know!) And it’s to your advantage to know that as a digital health developer, you can participate in modern development choices while having the confidence that you can pass a HITRUST assessment.

Let us know what you think! Keep an eye out for continued discussion throughout the rest of 2018.