— 9 min read
Airkit and Governance for Regulated Industries
The market has spoken: There’s no longer any question that Software as a Service (SaaS) can quickly bring big value into your business. There are many advantages to SaaS, but there have also been adoption challenges which are especially acute for large enterprises and those operating in regulated industries such as Healthcare, Banking, Insurance and Public Sector.
Most SaaS applications have easy to use web based configuration and administration panels, where you control configurations, add and remove users, etc. For all of their ease of use, they typically don’t provide the controls that enterprises and regulated industries, and can be difficult for enterprises that wish to extend their controls, governance, and risk management programs to the cloud or SaaS provider.
Airkit is a Platform as a Service (PaaS), which provides even more flexibility than a typical SaaS product. Think of Airkit as a toolbox for building custom user experience (UX) flows, such as checking order status, scheduling an appointment, or extending the capabilities of your enterprise systems such as Salesforce or other CRM, or Genesys or other call center automation software.
Additionally, Airkit comes with a purpose-built macro-scripting language called Airscript, which allows Airkit’s customers and partners go beyond simple digital forms and power deep decisioning, complex flows, integrate multiple data sources to create ideal customer experiences, which we call “User Journeys.”
Airkit’s Platform as a service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps such as digital forms or appointment scheduling to sophisticated, cloud-enabled enterprise applications.
Airkit is accessed over a secure Internet connection – nothing else is required to get started, and includes all required infrastructure—servers, storage, and networking—but also acts as a middleware, integrates with your existing business intelligence (BI) / reporting ecosystem, and provides a convenience database, Airdata.
Airkit’s rich set of tools to allow you to extend your enterprise control and risk management framework to Airkit, in a way that SaaS applications typically do not support, such as:
- Ability to test changes in a sandbox environment prior to promoting them to general availability/production. This is a notable lack for many SaaS applications, which often have many “global” configuration settings, which apply immediately on submission, have to set up separate testing/staging accounts and switch between them (with no connectivity or way to find differences between the configurations.)
Software Development life-cycle (SDLC) separation of duties
- For regulated industries, it is simply unacceptable that a single person be able to take a deployed application, modify it, and re-deploy it absent some review or change control, both to protect against bad actors, but also for quality assurance.
- Version state allows you to roll back if a change doesn’t work.
- Version state also allows you to provision a net new account with the same configuration, and ensure that nothing is missed.
- Version control has simply been standard practice for developers since the inception of software development- virtually all software development projects use Github or similar- and its lack of first-class citizenship in SaaS environments is a major oversight.
- Who changed what, when? Required by most governance frameworks.
- Included at a platform level, extensible by application.
As a concrete example, AWS, via their Console (web UI) had all of these challenges initially, which were eventually filled by third party tools, most notably HashiCorp’s Terraform.
Airkit addresses the compliance and control challenges mentioned previously, that are present in typical SaaS products. Airkit provides tools to manage version control, control access and the SDLC, provide logging, and multi-environment support.
Empowering Citizen Developers = More Velocity for Enterprises
Airkit aspires to enable “citizen developers,” not just software professionals, to build high quality workflows and user experiences. For enterprises, this means that while your development or IT team may need to be involved in developing a first application – typically establishing data connections, resources, and designing the application architecture – but once that initial setup is complete, revising applications and building subsequent, net new applications is well within the capabilities of business users. If your stakeholders can use or configure Salesforce or make an Excel spreadsheet, they can edit an Airkit app.
Airkit also provides extensive self help training and documentation, as well as professional services implementation services either directly or with implementation partners.
Airkit maintains the following third party, audited, compliance frameworks:
- SOC 2 Type II
- HIPAA/HITECH Type 1 attestation (with AT-C 105, AT-C 205, and AT-C 315)
Secondarily, going beyond the baseline industry minimums, Airkit also maintains:
- ISO 29147/ ISO 30111 Security vulnerability disclosure program with HackerOne
- Internal NIST 800-53 risk management program
Airkit routinely passes enterprise security assessments for the most stringent customers, including third party audits such as:
- RSA Archer
Shared Responsibility Model
Airkit is both a development environment and a platform for hosting the applications built using its powerful toolkit. Similarly to other PaaS offerings though, you and your developer are responsible for the behavior of the programs and experiences that you build on Airkit. Most developers and IT professionals are familiar with Shared Responsibility Models, as they were popularized by the major cloud providers. However, if you need to do more research to understand the Shared Responsibility Model, please have a look at this article from AWS.
Airkit provides all the tools you need to build secure and compliant applications much more rapidly than traditional software development practices.
Get started with Airkit today. Registration is free and open to all.
Airkit FAQ for Regulated Industries
Airkit provides tools that allow the platform to conform to your internal control framework out of the box. Most of the enterprise security challenges present in other PaaS solutions have already been solved without the need to integrate external tools. This makes it quick and easy to deploy customer-facing or internal solutions, even in regulated frameworks such as PCI-DSS for payment processing, HIPAA for healthcare, and comply with existing data protection regulations such as GDPR, CCPA, as well as emerging standards and requirements.
💡 “How do I test changes, manage our SDLC with Airkit?”
Airkit provides multiple environments out of the box. Start with Development, QA, and Production, but expand with your needs.
💡 “How do I know my application works properly?”
- Test it, and any changes, in a QA environment, prior to moving it to production
- Airkit recommends automated testing and will work out of the box with your web based (or API) testing frameworks. For those just getting started, the free (open source) Selenium-IDE is a great way to record and play back browser sessions, building.
💡 “How do I ensure only authorized changes are made to my application?”
- Of course, only authorized users with the correct roles can log into studio/console
- With our Enterprise plan, you can control which of your developers/admins has access to which environment, and it is possible to create a “release only,” role (which can deploy, but not edit, applications, for proper separation of duties)
💡 “How do I handle version control in regulated industries? How to handle hotfixes?”
- Airkit supports branches (or clones, where the changes from a baseline are tracked)
- Detailed docs on managing the application lifecycle
💡 “How do I know my application is working?”
- Activity explorer is the best way to “peer over the shoulder,” of your users, and see how they are interacting with your application.
- As your application has more usage, looking “one by one,” doesn’t work, we provide a robust reporting platform. Snowflake secure data sharing – provides SQL access to your reporting data. Splunk HEC – ties in with your Splunk instance.
💡 “How do I authenticate users into our environment?”
Studio / Console authentication
- Standard plan supports email & password, Google SSO
- Enterprise plan supports SAML authentication to Studio & Console
Application authentication (ie the apps you build and deploy)
💡 “How do I securely transfer information in and out of my Airkit environment?”
- In this case, API means “API exposed by the application that you have built”
- Support for Apigee to frond-end the Airkit APIs
💡 “How do I keep my data secure in Airkit?”
AWS “Bring Your Own Key” or BYOK
- For customers with the highest data sensitivity requirements, the keys can be completely controlled by the customer. By using this mechanism, the customer can “fail secure”, the encrypted data at any time, meaning no one – not Airkit administrative personnel, no end user, can read the data.
💡 “How does Airkit help with Information Classification?”
- Data Tagging / Information Classification –Tag PII, HIPAA, or other data
💡 “How do I log, and how do I know they are secure?”
- Airkit can stream app and audit logs to an S3 bucket controlled by you; Airkit can write/append, but not modify or change.
- Direct streaming to your Splunk instance via HEC
💡 “How do I build apps that conform to our brand guidelines?”
- Airkit’s theme builder gives far more control than typical low-code providers, down to the level of custom fonts. Your design teams can create customized elements, to look and feel exactly like your other brand elements.
💡 “How do I validate data in Airkit?”
- Airkit provides a number of data types with built in validators, such as phone numbers, email addresses, etc, with the ability to create your own validators
💡 “What other security controls does Airkit provide?”
- Please see our App Security FAQ