One of the most important aspects of compliance is business continuity. In this post, we will explain how using off-the-shelf open source components makes business continuity planning a breeze for risk officers.
What is business continuity?
When it comes to data privacy and security, compliance is about identifying risks to data confidentiality, integrity and availability — the so-called CIA triangle — and planning ahead how to deal with said risks. Business continuity is a control included in most information security standards, such as ISO 27000. It requires you to proactively identify “the weakest link” for data availability and plan ahead on how to deal with it. It’s a bit like keeping pasta in the cupboard, just in case your fridge breaks down. It might be sub-optimal for your keto diet, but at least you won’t starve.
As a concrete example of business continuity, Swedish patient law requires you to have procedures for “all tech is down”. Indeed, a hospital needs to continue functioning in an orderly manner — albeit at reduced capacity. Or would you like to hear “the Internet is down”, instead of being treated for an emergency?
Suppliers — also called vendors or partners — are a particularly tricky aspect of business continuity. On one hand, suppliers allow you to reduce your costs by providing you with off-the-shelf, ready-made, battle-tested services and products. On the downside, they are a nightmare for business continuity. What if a supplier goes bankrupt? What if a supplier unexpectedly decides to discontinue a product? What if the political climate makes it legally difficult to use your favorite cloud supplier, such as after the “Schrems 2” CJEU ruling?
Open source and cloud agnosticity are key ingredients in business continuity planning. Did your supplier discontinue support or managed service for an open source product in your tech stack? No worries! Pick another supplier or take the project over with in-house resources. Will the legal landscape ban your cloud provider? No worries! Pick another cloud provider and move your workloads there. Kubernetes provides an abstraction layer on top of cloud providers, which significantly reduces migration costs. Being open source, Kubernetes is not controlled by any single supplier, and features a rich ecosystem of contributors and service providers. Indeed, it has never been easier to “exit” a bad supplier which provides you an unstable platform.
Of course, a mature platform not only allows you to run containerized workloads. It also provides answers to access control, logging, incident management and many other controls, to facilitate compliance with your regulations. Here again, a cloud-agnostic strategy is important for business continuity. Otherwise, it’s easy to get trapped into using cloud-specific services, significantly increasing migration costs and weakening your business continuity posture.
“Exiting” a Platform
So what are the steps to “exit” a platform?
- Find the right skills: Recruit the right skills, either internally or externally. With Kubernetes, look out for Certified Kubernetes Administrator (CKA) and Certified Kubernetes Security Specialist (CKSS). While these certifications do not guarantee finding the right person, they are strong indicators of an individual being passionate about the things that matter to you.
- Training: In case you haven’t found the right skills, consider using “good enough” talent and offering them training. Fortunately, there are plenty of Kubernetes Training Partners (KTP), to get your staff up-to-speed with CKA and CKSS.
- Take over the platform: As the saying goes, Kubernetes is a powerful engine, but your platform is more like a car. Your staff needs to understand how the platform was set up and configured to meet your unique regulatory and security requirements.
- Update your IT policies: Since compliance with information security regulations is no longer delegated to your supplier, it is now your direct responsibility. Your IT policies need to be updated accordingly. Questions you need to answer include: Who monitors that the Kubernetes cluster is healthy and has enough capacity? Who alerts whom when disk space is running low?
Welkin Managed by Elastisys
Do you want to run your application on top of a platform, which reduces compliance burden, but is easy to “exit” from? Welkin is a battle-tested, open source platform to facilitate compliance with various regulations, such as GDPR and patient data laws, on any cloud provider or on-prem. A dedicated team of experts can take full responsibility for the platform, including 24/7 monitoring, daily checks and security upgrades, so you can focus on your application. Stay with us as long as you like, but if you need to “exit”, Elastisys is a certified Kubernetes Training Partner (KTP) and can help train your engineers for CKA or CKSS.