Compliance in the Private Cloud: PaaS and the CISO

By Atos Apprenda Support

When talking about the business value derived from Platform-as-a-Service (PaaS), the benefits usually get divided into two extremely broad categories:

  1. Cost Savings
  2. Business Agility

Both categories provide a sound business case for the deployment of PaaS – especially in the context of the enterprise where the positive impact of either category can equate to millions of dollars!

In talking with many enterprise organizations, it is clear that a third category is emerging fast: compliance. While perhaps not (currently) at the top of the RFI checklist, compliance is definitely becoming a key driver for PaaS adoption.

If we look to the financial services industry, for instance, the Dodd-Frank Act has added so many new regulations for financial institutions that it has helped boost a 31% projected growth in job opportunities for compliance officers. Meanwhile, the repercussions for those organizations that do not take compliance seriously are more visible than ever before. The front pages are dominated by headlines that can tarnish the most positive brand. Headlines such as:

A Tale of Two Clouds

Given the staggering increase in regulations many industries are faced with, and the major damage limitation that is required for those that are breached, it is somewhat surprising that enterprises are even considering PaaS adoption. According to ZDNet, “data security is still the number one issue that comes up when cloud computing is discussed within companies, especially in the enterprise market.” But those concerns are primarily based on usage of the public cloud where, according to a Ponemon Institute survey, “two thirds of organizations moving data to the cloud have little or no knowledge about what measures their providers have put in place to protect data.” This is where a private (or hybrid) approach to PaaS comes into play.

As GigaOM notes in the report Private PaaS: The next generation platform for enterprises, “the drivers behind using private PaaS extend the benefits of PaaS to environments that provide the right amount of security, compliance, and control over core business processes and data.” In fact, according to the GigaOM report, the top two drivers for enterprises that have deployed or are considering private PaaS are compliance related:


These findings are consistent with the views of Apprenda’s enterprise clients who typically embrace private PaaS for four main reasons – the top two of which are related to security, compliance and IT governance.

Private PaaS: Can You Afford Not To?

Private PaaS offers an enterprise the benefits of reduced costs and increased business agility — Apprenda customers are seeing 300% increases in infrastructure utilization, 45% decreases in infrastructure-related costs, 700% improvements in developer productivity, and 85% increases in application time-to-market. But Private PaaS also provides automated policies that help to maximize IT security and regulatory compliance.

Apparently, when it comes to cloud adoption, 73% of IT professionals say they are relying on manual policies rather than automated management applications. “In a lot of cases the IT organizations are taking an ignorance-is-bliss approach,” suggests another Ponemon survey. Not good. Remember those negative headlines we were talking about?

In comparison, Private PaaS–and specifically Apprenda–allows the IT department to automate very specific policies around two unique areas of compliance:

1. Application library usage

This policy allows IT operators to set rules stating that if any application uses a restricted or non-compliant library, it is to be prevented from being deployed. Furthermore, the developers are informed of this compliance issue while they are writing and testing the application, rather than enduring the wasted productivity of being turned back at deployment time.

2. Application deployment location

This second major policy focuses on where the application is deployed. A good hybrid PaaS allows an organization to transform its data center into a world-class private cloud, while federating public cloud resources from providers like Microsoft’s Azure or Amazon’s AWS. The PaaS becomes a control point for the private-to-public application migration boundary. This control point becomes the mechanism by which the CISO can properly manage decisions and mitigate risk in an automated fashion. For example, if an application contained Personally Identifiable Information (PII)–which puts the enterprise at risk of violating regulations such as HIPAA or PCI DSS–the IT organization can define automated rules as to where the application is to be deployed. In this instance, you would expect the organization to deploy the application on its own private cloud infrastructure, and perhaps even only on a select group of servers that have been vetted by the security organization and operate in a highly-controlled environment.
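To make the two policies above concrete, here is an added illustration of a deployment gate that evaluates an application manifest against a restricted-library list and a data-classification-to-location rule. It is not Apprenda’s code; the manifest fields, library names, data classes and target names are all constructed for the example.

```python
"""Illustrative policy gate modelled on the two compliance policies discussed
above (library usage and deployment location). Not Apprenda's implementation;
every rule, field name and value here is an assumption made for the example."""
from dataclasses import dataclass, field

# Constructed policy 1: libraries that may not ship in any application.
RESTRICTED_LIBRARIES = {"legacy-crypto-1.x", "unlicensed-pdf-lib"}

# Constructed policy 2: deployment targets each data class may use.
# PII workloads are confined to the vetted private-cloud server pool.
ALLOWED_TARGETS = {
    "public": {"private-cloud", "private-cloud-vetted", "azure", "aws"},
    "internal": {"private-cloud", "private-cloud-vetted"},
    "pii": {"private-cloud-vetted"},
}


@dataclass
class AppManifest:
    name: str
    libraries: set = field(default_factory=set)
    data_class: str = "public"        # public | internal | pii
    target: str = "private-cloud"     # requested deployment location


def evaluate(manifest: AppManifest) -> list:
    """Return all policy violations; an empty list means the app may deploy."""
    violations = []
    # Policy 1: application library usage.
    for lib in sorted(manifest.libraries & RESTRICTED_LIBRARIES):
        violations.append(f"restricted library in use: {lib}")
    # Policy 2: application deployment location.
    allowed = ALLOWED_TARGETS.get(manifest.data_class)
    if allowed is None:
        violations.append(f"unknown data classification: {manifest.data_class}")
    elif manifest.target not in allowed:
        violations.append(
            f"{manifest.data_class} workload may not deploy to {manifest.target}; "
            f"allowed: {', '.join(sorted(allowed))}")
    return violations


def can_deploy(manifest: AppManifest) -> bool:
    """Deployment-time gate; running the same check in CI gives developers early feedback."""
    return not evaluate(manifest)


if __name__ == "__main__":
    app = AppManifest("claims-portal", {"legacy-crypto-1.x", "json-lib"}, "pii", "aws")
    for v in evaluate(app):
        print("DENY:", v)
```

Because the same `evaluate` function runs both in the build pipeline and at deployment, developers see the violation while still writing the application, which is the feedback loop the first policy describes.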

Private PaaS: A Win-Win

The beauty of Apprenda’s approach is that it allows operators to define the rules on how applications should be written and deployed to ensure maximum compliance. The responsible experts will have defined the rules, and the platform simply applies them, without any additional effort from the developers or operators.

Private PaaS offers exceptional benefits concerning cost reduction and business agility. Yet its most important benefit might be its ability to keep enterprises secure, compliant, and out of the headlines. I’m sure the CISO would wholeheartedly agree.

For a more detailed explanation of Apprenda’s compliance capabilities, review a great post by Apprenda’s VP of Engineering, Abraham Sultan. Those capabilities can also be seen in a webinar on Apprenda 5.0, given by Rakesh Malhotra, Apprenda’s VP of Product:

