Security & Compliance are Day 0 Objectives

Security
Video

Learn how Caylent's experts engineer security into your AWS environments, ensuring you receive optimal technical implementation in addition to governance and compliance against popular standards like HIPAA.

How does our engineering team engineer security into what we do for our customers?

We focus generally on the engineering side of automation. We like to have our security controls done via code and things like the AWS conformance packs really help with that because there are pre-built controls that we can use to do kind of standard things like PCI compliance.

It's really nice because you have a situation where our customers now aren't having to build something for themselves and reinvent the wheel. They're able to take advantage of what AWS has built. That solves for the technical challenges that align towards the technical requirements, or what has to happen in the AWS environment.

When you get to policies and procedures, do you find that some of our startup customers are likely to have what they need on the governance side of the house in addition to the technical?

Generally, they can really use help when it comes to the writing of policy and documenting those policies as well, so that they actually match the technical deployments that we're doing. One of the things we found is that you've got startups that are focused on the product, or you've got young companies that are focused on product development, and they may not be as focused on HIPAA compliance, for example, knowing the ins and outs of the policies that they need, not just within AWS but also their personnel policies and user computing policies. And so one of the things that we've been developing at Caylent is a starter pack for policies and procedures for the different common frameworks like HIPAA and PCI, so that we can marry the technical implementation with the policies and procedures that are needed to talk to an auditor, to speak to the entire company's compliance against a standard.

So with customers that are newer to compliance and maybe need some help writing policies or need discovery done to discover essentially what they already have deployed versus what needs to be done, what can we do to help?

Some customers are just new to a standard in general. So there's the CAIQ, the "Consensus Assessments Initiative Questionnaire", that allows us to map to multiple standards.

So if you don't know what you don't know about conforming to PCI or conforming to HIPAA, these can give customers a leg up on where they're at, understand what the gaps are, and prioritize that. So there's going to be a list of things that need to be accomplished for, say, PCI compliance. And it's something that we would work with them on over a short engagement to make sure that they understand where they are.

Now, that's going to show up things that are technical to the AWS environment as well as policies and procedures gaps, but what's interesting is our AWS Control Tower Caylent Catalyst. It already sort of addresses and gets ahead of that. It anticipates that a lot of our customers are going to be regulated. We apply, almost presumptively, the same processes we're using for customer compliance as well.

We deploy the normal standard guardrails that come with Control Tower, SCPs and your Config rules, and we also do custom ones. We can deploy ones from the AWS conformance packs. We can also add in any custom rules that are policies directly related to what the customer has written themselves. Now, the nice thing about that is really quickly getting to baseline compliance, so that you're sure that you're getting what you need for your customers, you're getting what you need for future auditors, and making sure you're doing things and adopting AWS in a secure way.
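As an added illustration (not a template from the video or from Caylent's Control Tower Catalyst), the following is the shape of an AWS Config conformance pack of the kind described above: a few AWS-managed rules that map to common audit controls, plus one custom rule that encodes a policy the customer wrote themselves. The pack name, the parameter name, and the Lambda ARN for the custom rule are placeholders; the Lambda is assumed to already exist and to allow invocation by config.amazonaws.com, and the AWS Config recorder is assumed to be enabled in the target account and region.

```yaml
# Illustrative conformance pack (added example, not Caylent's own template).
# Deploy to one account with:
#   aws configservice put-conformance-pack \
#     --conformance-pack-name baseline-guardrails \
#     --template-body file://baseline-guardrails.yaml
# Assumptions: the Config recorder is already on, and the Lambda ARN below is
# a placeholder for a customer-written rule function that already exists.
Parameters:
  MaxAccessKeyAgeDays:
    Type: String
    Default: "90"

Resources:
  # Managed rules: prebuilt by AWS and selected by SourceIdentifier, so the
  # customer does not have to write the evaluation logic themselves.
  S3BucketPublicReadProhibited:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket

  EncryptedVolumes:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: encrypted-volumes
      Source:
        Owner: AWS
        SourceIdentifier: ENCRYPTED_VOLUMES
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Volume

  # Periodic rule: takes its threshold from the pack parameter above so the
  # same template can be tuned per customer without editing rule logic.
  AccessKeysRotated:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge:
          Ref: MaxAccessKeyAgeDays
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
      MaximumExecutionFrequency: TwentyFour_Hours

  # Custom rule backed by a customer-owned Lambda (placeholder ARN), e.g. to
  # enforce a data-classification tag that the customer's written policy
  # requires on storage resources. Re-evaluated on each configuration change.
  RequiredClassificationTag:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: required-classification-tag
      Source:
        Owner: CUSTOM_LAMBDA
        SourceIdentifier: arn:aws:lambda:us-east-1:111122223333:function:tag-policy-check
        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
          - AWS::RDS::DBInstance
```

In a multi-account landing zone the same template can be pushed to every member account with `put-organization-conformance-pack` from the management or delegated administrator account, which is the mechanism that gets a new environment to a baseline quickly; the compliance status of each rule then shows up per account in the Config console and through `describe-conformance-pack-compliance`, which is what an auditor conversation can be anchored on.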

Mark Olson

As Caylent's VP of Customer Solutions, Mark leads a team that's entrusted with envisioning and proposing solutions to an infinite variety of client needs. He's passionate about helping clients transform and leverage AWS services to accelerate their objectives. He applies curiosity and a systems thinking mindset to find the optimal balance among technical and business requirements and constraints. His 20+ years of experience spans team leadership, technical sales, consulting, product development, cloud adoption, cloud native development, and enterprise-wide as well as line of business solution architecture and software development from Fortune 500s to startups. He recharges outdoors - you might find him and his wife climbing a rock, backpacking, hiking, or riding a bike up a road or down a mountain.
