How Elastisys' managed Kubernetes platform enables Elsa Science to improve quality of life for patients with rheumatoid arthritis, empowering them to live every day to its fullest.
Elsa Science is a company with a vision: to provide an always-available service that supports patients with rheumatoid arthritis, whenever they need it. As a vision-driven company started by medical experts, they sought a way to host their software backend in a way that was secure, compliant with relevant patient data laws, and at the same time cost-efficient.
Solution: By leveraging Elastisys' fully managed Kubernetes platform, Elsa Science got a solution that is secure, built from the ground up to meet compliance demands with relevant personal and patient data laws, and cost-efficient since it does not require Elsa Science to hire an in-house Kubernetes platform team.
Fun Fact: Elsa Science did an unannounced penetration test that came back reporting no exploitable vulnerabilities in the platform services provided to Elsa Science by Elastisys.
Challenge: In-house focus on application development, not platform operations
Elsa Science wants to focus on their area of expertise and create a state-of-the-art healthcare solution. Of course, this requires a lot of time and effort in developing and operating the backend of their unique clinical dashboard, coupled with a digital companion application. Time and effort that they cannot afford to lose on re-inventing the wheel of deployment and maintenance of a generic container orchestration platform.
“Our skills and expertise are in meeting the needs of patients with chronic diseases such as rheumatoid arthritis, not in managing Kubernetes servers or databases”, said Sonja Petrović Lundberg, CTO at Elsa Science.
This view is nowadays shared by many organizations, which see a Kubernetes platform not as a competitive advantage, but rather as a commodity that should be supplied by a service provider and fulfill the set of relevant requirements. Nobody wants to manage Kubernetes anymore.
For the Swedish market, the platform backend has to be deployed in Swedish data centers, fully under Swedish/EU jurisdiction with no data transfer to third countries, due to demands from the public sector in Sweden, as well as applicable laws such as GDPR and the Swedish patient data law (PDL). Security is also of utmost concern, given the sensitive patient data that is handled on Elsa’s digital platform.
So, typically, the engineering team will be pointed at these generic regulatory requirements and best practices, and tasked with implementing them in their system. This usually makes engineers quite unhappy, since translation of those regulations into actionable tasks relevant to the system in use is considered a challenging and tedious job. Moreover, this process requires a deep understanding of both the regulatory terminology and technical solutions. Finding engineers with an interest in law is not easy or cheap for companies, and at the same time, it is necessary to get and apply that knowledge in order to succeed in a heavily regulated market.
Hiring people who already have the skills to install, continuously maintain, and secure Linux servers with Kubernetes and PostgreSQL is simply not cost-effective, and it doesn’t create a competitive advantage on the market for Elsa to do so. "Asking our developers to also do system administration makes no sense—we hire excellent developers so they can develop", Sonja remarked.
Solution: Elastisys Kubernetes Platform - Fully managed, secure and compatible with EU regulations
The Elastisys Kubernetes Platform as a Service solution reaches far beyond typical features of traditional Kubernetes as a Service offerings.
Reducing system administration burden
Usually, Kubernetes service providers maintain Kubernetes control plane nodes, hosting Kubernetes internal components, while application owners still need to take care of worker nodes hosting their application components. However, this means that application owners need to ensure that their engineering team has necessary skills and availability to keep worker nodes healthy and secure at all times.
By choosing Elastisys as their managed service provider, Elsa Science made a strategic decision to focus the efforts of their engineering team on application development, without a risk of being slowed down by system administration on the platform level.
Does outsourcing Kubernetes platform operations mean that they don’t need to know Kubernetes and won’t interact with it at all? Of course not!
It is still Elsa Science that takes full responsibility for their application, from design, through implementation and containerization, all the way to creating application-specific Kubernetes resources and operating the application in the Kubernetes cluster! But this requires a very different skill set from the one that would be needed to maintain and operate the Kubernetes platform by themselves.
To quote Elsa’s CTO Sonja again: “It is extremely valuable for us to have Elastisys support and help/advice available at (almost) all times! Always having an expert at hand that can give us directions on how to manage our K8s resources has been amazing. When we run into issues, we simply send a Slack message and after a couple of minutes we have a pointer that usually helps us accomplish what we need.”
Entirely open source and security hardened by default, the Elastisys Kubernetes platform is configured to meet the strict security requirements related to sensitive patient data. The Elastisys service was built from the ground up to be compatible with the EU privacy regulations (GDPR) and the Swedish patient data law (PDL). Moreover, it follows the security best practices issued by the European Data Protection Board (EDPB) and the Swedish DPA (IMY) as well as the ISO 27001 standard for information security management systems.
All these generic regulations and best practices have been evaluated by Elastisys experts, translated into particular technical requirements following the ISO 27001 controls model, implemented using various open source, cloud native tools, and pre-configured accordingly.
Importantly, the platform was evaluated by external auditors and repeatedly verified in various production environments. To date, Elastisys manages over 50 environments similar to the one provided to Elsa Science. For all our customers, we are processing and protecting some type of sensitive information, such as patient or financial data. This means that stakeholders such as CEOs, CTOs, CISOs, CIOs, DPOs, architects, and lawyers from several different companies and industries have all evaluated and approved the service from an operations, security, and compliance perspective.
With Elastisys managed services, Elsa Science didn’t have to invest resources into the whole process of making sure that their platform complies with all applicable regulations. Instead of spending time on installing and carefully configuring the platform, they could focus on engineering tasks at the application layer, which make them stand out and provide real value to their customers.
Secure by design
Kubernetes was designed to provide automation, scalability, portability, and extensibility. Thanks to these characteristics, its users benefit from a streamlined and repeatable application deployment process. However, the default Kubernetes installation is not secure by itself. On the contrary, it requires significant effort to complement it with the features required to achieve a fully secure production environment.
Elastisys Kubernetes Platform implements security by design and provides tools to secure your supply chain and runtime.
In this setup, Elastisys is responsible for maintaining the Kubernetes platform, which involves:
- ensuring uptime of the platform,
- performing regular updates of Kubernetes and all supporting services included in the platform,
- performing security patching of Kubernetes and all supporting services,
- establishing and enforcing safeguards.
Below, we describe how these tools help Elsa Science deliver a secure and compliant solution while at the same time empowering developers by automating various tedious tasks and minimizing chances of human error.
59% of security incidents in Kubernetes are due to misconfiguration. As we mentioned above, Kubernetes is not secure by default and because of its extensibility and configurability, there are numerous settings that can be adjusted. That also means numerous opportunities for misconfiguration and increasing the potential attack surface.
Luckily, Kubernetes offers an option to extend its admission process, which is triggered every time a new application is deployed in a cluster, with security checks. Gatekeeper is the state-of-the-art tool, which allows establishing various safeguards, to make security and reliability easy for you.
That means that every time Elsa Science developers deploy a new application component or upgrade an existing one, its configuration is cross-checked against the security and reliability best practices. If these standards are not followed, changes are rejected, and developers get an error message specifying the violation. Thanks to such an approach, developers can immediately fix issues before the change is enacted in the live environment.
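The admission safeguard described above, as an added example that is not Elastisys' or Elsa Science's own configuration: a Gatekeeper ConstraintTemplate and a constraint that reject Pods whose containers do not set `runAsNonRoot`, returning the violation message to the developer. The choice of policy, the names `K8sRequireNonRoot` and `require-non-root`, and the `elsa-demo` namespace are assumptions made for illustration.

```yaml
# Added illustration: policy and names are assumptions, not the platform's actual safeguards.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequirenonroot          # must be the lowercase form of the kind below
spec:
  crd:
    spec:
      names:
        kind: K8sRequireNonRoot
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirenonroot

        # One violation per container that does not explicitly opt in to non-root.
        # Narrowed for brevity: only the container-level securityContext is checked,
        # so a Pod that sets runAsNonRoot only at pod level is also rejected.
        violation[{"msg": msg}] {
          c := input.review.object.spec.containers[_]
          not c.securityContext.runAsNonRoot
          msg := sprintf("container %v must set securityContext.runAsNonRoot: true", [c.name])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNonRoot
metadata:
  name: require-non-root
spec:
  enforcementAction: deny          # reject the request instead of only auditing it
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["elsa-demo"]      # hypothetical application namespace
```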
Container images encapsulate application components together with their dependencies. All these software artifacts can contain vulnerabilities that can be used by malicious actors to gain unauthorized access to our system.
To mitigate the risks associated with exploits of known vulnerabilities, images of utilized containers have to be regularly scanned and updated once vulnerabilities are discovered.
To help developers in automating this process, images are scanned using Trivy both in the image registry (Harbor) as well as in the Kubernetes cluster (using Starboard).
Starboard's approach is especially interesting, since it uses Custom Resource Definitions (CRDs) to extend Kubernetes API and treats vulnerability reports as Kubernetes resources.
It is within the Elsa Science developers' responsibility to assess the discovered vulnerabilities within their application container images and act upon them accordingly.
Internet security and privacy depend to a great extent on the Transport Layer Security (TLS) protocol. This protocol builds on the concept of cryptographic certificates.
Normally, managing certificates is a tedious and dull job, since certificates have a limited lifetime and have to be renewed periodically.
But that is not the case for users of Elastisys Kubernetes platform, which includes cert-manager, a tool that automates all aspects of certificate management, including their renewal.
Therefore, Elsa Science engineers don’t have to worry about expiring certificates and the manual tasks of generating, validating, and rotating them. It is enough that they specify in an Ingress definition that the traffic should be encrypted using TLS and select the appropriate issuer provided by the Elastisys Kubernetes platform.
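An Ingress definition of the kind described above, as an added example that is not taken from Elsa Science's deployment. The host name, resource names, port, ingress class and namespace are assumptions, and the issuer name is a placeholder because the page does not name the issuers the platform provides.

```yaml
# Added illustration: all names are hypothetical.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: companion-api
  namespace: elsa-demo
  annotations:
    # cert-manager watches this annotation and requests a certificate
    # from the named ClusterIssuer on behalf of this Ingress.
    cert-manager.io/cluster-issuer: "REPLACE-WITH-PLATFORM-ISSUER"   # placeholder
spec:
  ingressClassName: nginx              # assumption
  tls:
    - hosts:
        - api.example.com
      # cert-manager creates this Secret and renews the certificate in it
      # before expiry; the developer never handles the key material.
      secretName: companion-api-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: companion-api
                port:
                  number: 8080
```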
A Kubernetes platform makes it very easy for application developers to implement distributed systems by solving such challenges as communication among cluster nodes and service discovery. By default, all software components deployed in a Kubernetes cluster can communicate with each other. This, on one hand, makes it very easy to develop and integrate various components of a distributed system, but on the other hand, leaves the system vulnerable to attacks. If a malicious actor gains control over a single component, they would be able to inspect the whole cluster network in an unconstrained manner.
To mitigate such a threat and reduce the blast radius, some Kubernetes Network Plugins, such as Calico, support defining and enforcing so-called Network Policies. Using network policies allows denying all traffic except that which is explicitly allowed.
In order to protect their system, Elsa Science engineers identify all network connections between their application components and describe them using Kubernetes network policies. Thanks to this approach, in the unlikely event of a malicious actor managing to take over control of a component, like in the case of the infamous Log4j Critical Vulnerability, they will not be able to perform extraordinary actions and penetrate the system.
Another crucial aspect of implementing an always-available system is disaster recovery. The cloud native approach to application development accepts the fact that failures of any system components are unavoidable and ensures high availability through redundancy and failover techniques.
Kubernetes High Availability Setup
The availability of the application depends strongly on the availability of the underlying platform and infrastructure. Therefore, Elastisys partnered up with several top-quality, European-owned cloud providers to host the Kubernetes platform on their infrastructure.
When setting up the Kubernetes clusters for their customers, Elastisys ensures that the platform can tolerate both outages of underlying servers and failures of Kubernetes components themselves. This is achieved using a high-availability control plane setup and anti-affinities configured at both node and pod levels. Moreover, that applies to PostgreSQL configuration with replication on dedicated nodes in the cluster.
Even though our aim is to keep the system available all the time, according to best practices and various regulations, it is mandatory to take regular backups of application data. Again, it is considered a tedious task that is rarely enjoyed by developers.
Elastisys makes the task of backing up data trivial by leveraging Velero. It fully automates backups of application components hosted in Kubernetes, following custom schedules, and even eases the process of data restoration when necessary.
Elastisys takes a daily backup of all Kubernetes Resources in all user namespaces. Persistent Volumes will be backed up if they are tied to a Pod. If backups are not wanted, the only action that is required to be performed by the Elsa Science engineers is to add the label compliantkubernetes.io/nobackup to opt out of the daily backups.
When taking backups, it is crucial to store them in a way that will not be subject to the same outage as the original data or will not be compromised when a malicious actor manages to get access to the Kubernetes cluster.
To automate these tasks, Rclone is used in Elastisys Kubernetes platform, which ensures business continuity of the Elsa Science digital companion application, by pushing backups to off-site immutable cloud storage. This, in the end, will protect backups from being destroyed in the case of a complete data center fire or encrypted by malicious actors during a ransomware outbreak.
What’s more, Elastisys' managed service comes with a pre-configured observability stack, which includes Prometheus and Grafana for monitoring as well as OpenSearch for logging. Thanks to these top-quality, open-source technologies, Elsa Science engineers have an abundance of infrastructure and platform level metrics and logs they can use to evaluate resource utilization. Furthermore, just by following best practices for cloud native observability, they can easily get application level metrics and logs in the same data stores. This, in the end, enables Elsa Science engineers to visualize data from all these sources in dashboards and create automatic alerts, which are forwarded to on-call engineers. Best practices for creating application level Grafana dashboards were covered in a previous Elastisys blog: Zen and the Art of Application Dashboards.
All non-trivial applications require additional services, such as databases, distributed cache, message queues, tracing or continuous delivery tools. Operation of these services, like the administration of Kubernetes clusters, is time consuming and requires specialized skills, and therefore poses a potential threat to the velocity of application development.
Elastisys has a long history of supporting their customers in adopting cloud native solutions. Based on these experiences, they carefully evaluated and selected best of breed projects in each of the previously mentioned categories of additional services: database–PostgreSQL, cache–Redis, message queue–RabbitMQ, tracing–Jaeger, continuous delivery–Argo CD. Now, we offer these projects to users as ready-to-use, fully managed additional services. This way, Elastisys enables their customers, to an even greater extent, to focus on their area of expertise.
Elsa Science’s application requires PostgreSQL to persist its data. Of course, data is a valuable asset and has to be handled with care. Maintaining the database with internal resources would require acquiring necessary skills and developing operational procedures to ensure that data is secure and highly available. Instead, Elsa Science decided to outsource this job to Elastisys, who have gained extensive experience in operation of databases for containerized workloads by serving their customers over years. Elastisys offers high performance PostgreSQL clustered for availability and backed up with point-in-time recovery capabilities.
Elsa Science provides a digital companion application that is co-developed by people living with a chronic disease, health-care providers, scientific researchers, and the life science industry.
Elsa Science chose Elastisys to manage a fully-featured Kubernetes platform and PostgreSQL for them. This way, they improved efficiency of their engineering team and reduced operational costs, while increasing the security and compliance posture of their data processing system.
By leveraging the Elastisys Kubernetes Platform, their developers get the automation and agility of Kubernetes, but waste no time on administrative work maintaining the platform layer software itself. It also reduces the cost for Elsa Science! There is no need to hire expensive engineers to operate the Kubernetes platform and PostgreSQL in-house.
Elastisys is proud of contributing to the success of Elsa Science by ensuring that the platform underlying the backend of Elsa’s unique digital companion application stays secure, in line with relevant regulations, is always-available and cost-efficient.