Q&A: Why is compliance as code necessary? Stacklet answers
Speed is everything when developing apps in competitive markets like fintech or healthcare. But developing apps while at the same time trying to remain compliant slows down the entire process and adds many challenges and complexities.
Compliance is not a one-time event. Instead, it is a continuous process, especially when developers add new services or features. So, it can be pretty tempting to set compliance aside and push forward with those new services or features. But doing away with compliance will ultimately make app development and operations more time-consuming and costly in the long run.
Cloud Custodian, an open-source cloud resource orchestrator, was created as a way to enforce governance as code using a common language across all cloud providers. After creating Cloud Custodian, Kapil Thangavelu (pictured left), co-founder and chief technology officer of Stacklet Inc., developed Stacklet, which adds a user interface, policy packs and at-scale execution across multiple accounts.
“I realized that what we really needed was a way to go faster on the compliance side, and Cloud Custodian was born out of that effort,” Thangavelu said. “So it was about accelerating the velocity around compliance but doing it in the same way we do application and infrastructure as code.”
Thangavelu and Umair Khan (pictured right), director of marketing at Stacklet, spoke with theCUBE industry analyst Keith Townsend at the recent KubeCon + CloudNativeCon Europe event, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. (* Disclosure below.)
They discussed Cloud Custodian, Stacklet and the user’s experience. [The following content has been condensed for clarity.]
What’s the problem statement? What are you guys doing?
Thangavelu: We’re building on top of an open-source project, Cloud Custodian, that is in CNCF. And the challenge that I saw was, “How do we enable developers to pick whatever tools and technologies they want if they want to use Terraform, CloudFormation or Ansible?”
The cloud gives us APIs, and we want to enable people to use those APIs in innovative ways. But at the same time, we want to make sure that, regardless of what choices those developers make, the organization is being well managed and all that infrastructure is complying with the organization’s policies. And we also saw at the time that we were getting impediments around our velocity into the cloud, because we had to cover all of the compliance and regulation aspects, and we were doing that as one-offs.
So talk to us about that initial customer engagement. What’s that conversation like?
Thangavelu: So we start off by deploying our platform on top of Cloud Custodian, and we give our customers a view of all the things that are in their cloud, what is their baseline. We’ll go in and we’ll deploy a Stacklet platform for them. We’ll basically show them all the things that are already there to an extent. We provide a real-time SQL interface that customers can use. That is an asset inventory of all their cloud assets.
Then we provide policy packs that sort of cover compliance, security, cost optimizations and opportunities for them. And then we help them through getting ops around those policies. We help deploy remediation activities and capabilities for their environment.
When you look at moving to something like an SRE model … where does the SRE sit in an organization? How does Stacklet help me make those types of strategic decisions if I’m talking about governance overall?
Khan: In terms of persona, there’s a cloud engineer and then an SRE. I think that what Stacklet and Cloud Custodian [provide] at their core is a centralized engine. So your cost policies, your compliance policies and your security policies are not in a silo anymore. It’s one tool. It’s one repository that everyone can collaborate on as well.
A lot of engineering teams run Custodian and adopt Custodian as well. So in terms of persona, Stacklet really helps bring it together. All teams have the same simple YAML DSL file in which they can write their policies, share their policies, and communicate and collaborate better as well.
Thangavelu: What we found is that Stacklet and Cloud Custodian get primarily deployed by one of three groups. You’ve got the CIO buyer within that cloud infrastructure engineering team. And then we also have the CISO teams that want to get to a secure compliance state to be able to do an audit and validate that all the environments are secure. And then we get to the CFO groups. They’re really focused on the cost optimization, finding the overprovisioned and underutilized things, and establishing workloads for dev environments to turn them off at night. And so those are sort of the three groups that we see that really want to engage with us because we can provide value for them to help them accelerate their business goals.
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the KubeCon + CloudNativeCon Europe event:
(* Disclosure: TheCUBE is a paid media partner for the KubeCon + CloudNativeCon Europe event. Red Hat Inc., the main sponsor for theCUBE’s event coverage, Stacklet Inc., or other sponsors do not have editorial control over content on theCUBE or SiliconANGLE.)