In one of my cloud migration projects, couple of years back, a leading global Business Management Consulting firm wanted to migrate an entire product suite of 20 odd applications built on premise to Cloud. Their target was to onboard their next biggest customer to this solution suite from cloud and followed by 3 more in the next 6 months. This migration was considered one of the biggest investments that business had made that year.
They also wanted to enable continuous delivery of the complete SaaS product on a public cloud such that it can onboard on average 20+ customers on demand every month.
One of the key requirements was to comply with the firm’s strict security policies that were in line with ISAE 3000 Compliance.
What is ISAE 3000 Compliance?
This International Standard on Assurance Engagements (ISAE) deals with assurance engagements other than audits or reviews of historical financial information, which are dealt with in International Standards on Auditing (ISAs) and International Standards on Review Engagements (ISREs), respectively.
Generally ISAE 3000 is applied for audits of internal control, sustainability and compliance with laws and regulations. ISAE 3402 states that assurance engagements should be performed in accordance with the ISAE 3000 standard.
Being of the leading Business Consulting firm till date, they had customers from most industries, sometimes even competitors from the same space.
Their biggest challenge was to securely host these multi tenant data with utmost data privacy and confidentiality measures, so that one competitor does not accidentally see other's business information.
That's why they had to get every architectural change from infrastructure provisioning to application deployment certified under ISAE 3000 standards. So when they decided to migrate their infrastructure from on-premise to Cloud, compliance became the top most criteria driving any design and implementation decision across the board.
The Challenges:
The multi-tenancy architecture of the product made the security of customer data and Intellectual Property the highest priority.
Different customers had different preferences for cloud providers.
The product was neither scalable nor cloud-ready. Application tech stack had constraints on the operating system. The deployment process was not completely automated.
Integration and testing of multiple modules and engines to work together seamlessly.
Ensuring Security of both the application and the infrastructure to avoid compromise and loss of intellectual property and customer data.
In addition, there were other operational challenges like
Playing multiple technical and business roles all at the time. Mentoring and Pairing with a complete fresh bunch of developers while implementing the solution.
Time-constrained and culturally diverse operations teams working across EU, US and India. Coordination and Communication was the key. Multiple processes involved in architecture review, security review, pen testing etc.
The timeline was to get the platform ready within 4 months
The Initiatives:
Infrastructure As Code for
Provisioning servers, network, load balancers, DNS and more
Enabling Security Standards such as OS and App Hardening, Network segregation and access control, Identity and Access Management, Data Encryption on disk and database layer.
Configuration Management of application data.
One click deployment pipeline for
Infrastructure provisioning
Application build, package and publish
Application deployment
Application Database Management
Continuous Integration for
All environments from dev to prod followed a standard architecture diagram bringing consistency in the development and testing of the application.
Testing multiple modules and engines to work together seamlessly.
The deployment tools were agnostic of cloud providers making it portable across different cloud providers like AWS, Azure etc. Core expertise in DevOps and cloud domains were enabled within the development teams to make it a part of their application lifecycle.
The Final Outcomes:
Secure and Scale ready cloud infrastructure inline ISAE3000 standards.
Onboarding new clients became much easier and could scale up to 10 times in a month.
They were able to sell one of their flagship solution for the first time to a very big customer, something they have been trying to build for 2 years.
They was able to migrate their first customer within 4 months followed by the 20 others in the next two months.
Environments on demand in less than an hour, which otherwise would take weeks. Less dependency on operations reduced infrastructure and operational costs.
Faster deployments cutting down the release cycles from months to weeks enabling steady scale up.
If you like this article, I am sure you will find 10-Factor Infrastructure even more useful. It compiles all these tried and tested methodologies, design patterns & best practices into a complete framework for building secure, scalable and resilient modern infrastructure.
Don’t let your best-selling product suffer due to an unstable, vulnerable & mutable infrastructure.
Thanks & Regards
Kamalika Majumder
Comments