Leveraging Spinnaker for Cloud Compliance
Nov 5, 2016 by DROdio
The Armory team is exploring a new use case for Spinnaker around cloud compliance. Things like:
- How to meet compliance regulatory concerns
- How to transition from bare metal into public clouds
- How to leverage Spinnaker to get FedRAMP certification
- How to leverage Spinnaker for multi-cloud
- How to more effectively sell to customers using public clouds
Here’s a 10-minute video where we discuss the opportunity, along with the customer profile we’re looking for to test this use case with. If you’re a company that’s looking to accomplish any of the above, contact us below.
Here’s the transcript:
Daniel: All right, guys. We are Armory. And we just got out of a customer meeting. We’re sitting here in San Francisco, just chatting a little bit about one of the big topics of this meeting that we wanted to share, which is compliance. I’m Daniel. I’m the CEO.
Isaac: I’m Isaac. I’m the CTO.
Ben: Ben. I’m the CPO.
Andrew: Andrew, engineer.
Daniel: So who wants to give us a summary and synopsis of the big issue around compliance you guys were talking about?
Ben: I think just to set the stage, we do a lot of customer validation. We talk to over 100 customers. And we thought we knew what the problem was, which we solved in our last company, which was around deployment philosophy. And then what we learned from talking to all the customers is that most large enterprises care a lot more about deployment safety. In the last two or three meetings, specifically with one customer that we’re talking to today, a brand new use case that we had never considered came up, which is around compliance.
Specifically, there’s a certification called FedRAMP, which is one of the more stringent compliance regulations out there and enables a company to sell into the government. And this is something that is fairly new. And a lot of large companies that have enterprise customers, especially cloud-based customers, are now […– 01:20]. So that was really interesting […– 01:23]. And we’ve heard it now from two or three customers.
Isaac: Yeah, we heard it earlier today from another customer. So it’s coming up a lot. And to get into a little bit more of the technical issues of what’s happening is within larger organizations, we know that they have very different deployment pipelines. And everybody is building their own deployment pipelines. There’s a bunch of glue code, and everybody is doing their own thing, which means that there’s no consistency within the organization and that the images and the services and the machines themselves have no consistency. And so one of the things that compliance is all about is about having consistencies, about making sure that you have the right security patches and the right network-level security. And doing so means that everybody kind of has to be on the same page, to have all those same patches. They need some level of consistency in order to meet these compliance issues. And you need to have a tool or system in order to do that. And that’s where we’re starting to see the solution that we have from Armory, [to be able to – 02:29] help because it provides that consistency. And thus you’re able to have a way of looking at what’s in production, an audit trail of what’s in production to know whether it meets or doesn’t meet the compliance […– 02:46] or any of the compliance […– 02:47].
Daniel: Let’s talk a little bit more about what it is about Spinnaker and Armory. Obviously, it’s a very new use case. But we’re hearing it from customers. That’s a good signal. What is it about Spinnaker that makes it potentially a good fit for this?
Ben: Let me talk a little bit about the world before Spinnaker inside of a customer when they’re trying to implement some kind of compliance like FedRAMP. They have lots of different engineering teams. And someone, one of the executives or somebody in the management says, “We want to become FedRAMP compliant.” And then there’s a mandate to all the different teams that you have to implement this new requirement or we have to support these types of patching that satisfy the FedRAMP compliance.
Now what we think we can do on top of Spinnaker is provide a more consistent way to deploy such that the engineering teams don’t have to worry about the plans anymore because Spinnaker is now […– 03:47] deploying an AMI or Docker image that’s compliant already.
Isaac: Yeah. And to add a little bit more technical detail to that, what these last two companies are doing, they have Ubuntu. They have CoreOS. Maybe they’re using Cloud Foundry. Or maybe they’re using Kubernetes, with a whole bunch of different types of underlying machines. And when somebody says, “Hey, I want to make that change […– 04:17] talking about,” it makes it impossible to go snap your fingers and have that change happen across the board. And it really puts the engineering teams […– 04:28]. Then they have to scramble to figure out what exactly it means to patch up CoreOS versus Ubuntu versus maybe using the Amazon Linux flavor. All of them are different in nature. So it allows us to have consistency to deploy all of [this at once – 04:48]. You can chain. So you can have a team focused on just compliance and FedRAMP. And they focus on building one or two or three AMIs so that once those AMIs are built using Spinnaker, it’ll kick off all the other pipelines so that you have this consistency that the compliance team is responsible for building the AMI that meets the regulatory concerns, and then it kicks off the other pipelines such that it updates automatically. And that all works out of the box.
Daniel: So this is a pretty new use case for us, but let’s talk a little bit about what a company that would be a good profile for Armory to help […– 05:29]. So what I’m hearing you guys say, it’s like obviously it’s a company that wants to be on a public cloud, that is maybe a little bit worried about moving to a public cloud. What are some of the things that we would look for to help them accomplish this?
Ben: I would say definitely that a large company that’s already on public cloud, that wants to move to public clouds, to a large company whose customers are on public clouds. They’re shipping software. They’re shipping […– 05:56] services onto the clouds of their customers within the customers’ Amazon AWS account or within their customers’ Google GCP account or maybe some private cloud like OpenStack or Cloud Foundry.
Isaac: Yeah. And I think also there’s another type of profile that we see within companies, which is there is a bit of a tension between maybe the sales organization and the technical organization where obviously, the sales organization wants to continue selling because they have the compliance in maybe bare metal or their OpenStack implementation. Or you have the technical benefits of moving to the cloud. So you get velocity. You get a cheaper infrastructure cost. You don’t have to hire so many employees to take care of your bare metal infrastructure. And there’s this tension. So we can help you continue to meet the compliance and those regulatory concerns while getting the benefit out of moving into the cloud.
The other thing about Spinnaker is that it is multi-cloud. So if you’re deploying to bare metal, you’re using something like OpenStack and want to move into AWS or GCP, well, Spinnaker works out of the box with those cloud infrastructures. So you can literally have a smooth transition if not an all or nothing kind of thing where you just go, “Well, today we’re in OpenStack. Tomorrow we’re in Amazon.” Spinnaker can help you transition into this new public cloud space. And at the same time, get the compliance so the rest of your organization is happy about.
Daniel: That’s a really big deal. Multi-cloud […– 07:31] long time. You guys want to talk any more about that multi-cloud possibility, abstracting the infrastructure up to a platform? That seems amazing.
Ben: There are two benefits. One is not fully realized yet, but I think it will be in the future, which is cloud arbitrage. So if you’re running a bunch of services in Amazon, you might get better pricing from GCP. And you might want to [deploy – 07:55] some of your workloads there or vice versa. And then what we mentioned before, which is customers that are deploying software to their own customers’ accounts. And if my customer is on AWS, then I need something that works on AWS. Of course, the customer B might be on Google or Microsoft.
Isaac: And we’re starting to see that a lot more. I think that fundamental premise of Armory itself, which is software is eating the world. We all know that to be true. And you can see these new companies that are cropping up that deliver software to their customers. And now it’s just like B2B software sales. And they’re no longer delivering it on prem because nobody is on prem anymore. Everybody is on the cloud. Their customers are on the cloud. And if you’re delivering, let’s just say, a data analytics solution, well, everybody’s data is already in the cloud. You’re not going to deliver a product that’s on prem. So now you need to start working with your customers’ concerns and the things that they care about, which is the […– 08:50] clients. Think about a health insurance company that needs to do data analytics. And if you have a data analytics product, all of this stuff needs a little bit of cloud. And it’s a health insurance company. So privacy obviously is really important. And meeting all those compliance and regulatory concerns. You have to do it in order to sell to them. So we’re also seeing this kind of just being a necessity. So now being able to sell to a larger customer base because not everybody lives on Amazon. A bunch of people […– 09:22] with Microsoft, and a bunch of people […] on GCP. So again, as much as it is, it’s vendor locking [issues are – 09:31] a real fear and people care about it. But I think the bigger concern is can you build a bigger business. Can you sell to more customers by having multi-cloud? And that’s starting to become a reality now.
Daniel: Let’s summarize the main points of this discussion today. Many companies think of deployments as a technical activity. At Armory we often say that deployment is becoming a business activity, and compliance is an example of that. Spinnaker is not just something that lets you deploy more effectively and not break customer trust, […– 10:04] higher velocity […]. But it’s something that helps you from a not causing more problems for your customers level. So it’s cost savings, potentially. But now it might actually help you sell more effectively. So compliance, if you have customers that are on cloud or multi-cloud, potentially, now deployments in using Armory and using Spinnaker is a way for you to increase sales.
Ben: Opening up a new sales channel.
Daniel: Opening up a new sales channel. […– 10:31] perfect. So […– 10:35] multi-cloud, cloud arbitrage. There’s longer… maybe medium to long-term opportunities there […– 10:41] infrastructure […] level. What are the main themes from this conversation?
Isaac: You’ve got […– 10:49]. I think there are multi-level value propositions […– 10:55] doing. At the base level, keeping your engineers happy, who doesn’t want to produce more work, increasing velocity, making sure everything is consistent. Moving up one stack, maybe you could save money going […– 11:07]. Moving up another level is building a bigger business. So we want to work with companies who want all three of those things and really think about this as just not an engineering problem but a […– 11:21] problem.
Daniel: All right. We really enjoy having these conversations. If you liked watching this, let us know. We’ll do more of these. We’ll probably do more of them anyway, but we’ll do a lot more if we get great feedback about it. So thanks for the time.