
Introducing Heroku Private Spaces - grk
https://blog.heroku.com/archives/2015/9/10/heroku_private_spaces_private_paas_delivered_as_a_service
======
grandalf
This is about three years overdue, but at least it's here.

How close does it come to making PCI-DSS Level 1 attainable on Heroku? What
about HIPAA?

~~~
GolfyMcG
Would love to get a response to this. We are required to be HIPAA compliant
and started out on Heroku. We basically only had a prototype built and didn't
have any clients yet, so we didn't really care. After a few weeks of paying for
Heroku we got a very standard sales call from Heroku. They were checking
in/trying to up-sell us on some stuff.

They asked us what we needed, and I responded with, "We need to be HIPAA
compliant - what do we need to do to make that happen on Heroku?"

The sales rep immediately replied along the lines, "We don't do that."

He ended the call shortly after that, clearly uninterested in our money.

Since then, we started using Aptible
([https://www.aptible.com](https://www.aptible.com)) and they are AWESOME.
The biggest difference for us is that they also provide the legal
documentation and advice to working through HIPAA compliance. They're totally
willing to go beyond just being a PaaS and really start to blend into a
moderate level of legal counsel. Only downside is that their premium service
entails a premium price.

~~~
mberning
I talked to them out at AWS re:invent in November and it was implied but not
confirmed that HIPAA compliance was being worked on. Maybe things have changed
since then.

~~~
yeukhon
There are many things in AWS that are not HIPAA-compliant yet, so I am not
sure how Heroku (if that's the one you are referring to) can be HIPAA
compliant in everything.

------
anacleto
"This is about three years overdue."

I couldn't agree more

Recommended write-up: What is Heroku: getting started with PaaS development

[0] [http://cloudacademy.com/blog/what-is-heroku/](http://cloudacademy.com/blog/what-is-heroku/)

~~~
pbiggar
No-one is ever happy.

------
mrfusion
Can someone explain like I'm from 2005?

~~~
gleenn
Private cloud app hosting which people like the government need

~~~
roymurdock
Or anyone creating apps for companies in industries where the data
generated/stored by the app is regulated by the government.

Healthcare is the main concern here with HIPAA but it should also apply to
insurance, finance, and some industrial use cases.

------
pinum
So... PPaaSaaS?

------
timlang
You can sign up for the beta of Private Spaces here, as well as a technical
webinar: [https://www.heroku.com/form/enterprise-beta-programs](https://www.heroku.com/form/enterprise-beta-programs)

~~~
austenallred
Is the technical webinar required to sign up for the beta?

~~~
timlang
No, but those attending the webinar will likely get precedence.

------
llama052
I guess I don't understand this market, if you need any sort of compliance,
why don't you just host it direct in AWS? The tools are there and it's not
hard? Using something like this is not cost effective imho.

~~~
kgosser
Speaking from a HIPAA point of view, the amount of complexity you must manage
to build your own compliant environment on AWS is extremely high. HIPAA's
controls account for block level encryption, managing your logs a certain way,
and many many more things.

Furthermore, compliance is more than just doing the right thing. It's proving
that you are compliant. There is immeasurable value with selecting a vendor
who is audited to be HIPAA Compliant or HITRUST Certified because then the
risk is offloaded to someone with credibility in the marketplace via a
Business Associate Agreement. If you wanted to build your own HIPAA compliant
stack on AWS, and you want to be taken as credible when trying to sell to a
CIO at a hospital, then you will need to go through the procedure of becoming
HITRUST Certified as well.

Otherwise you will just be nibbling at the edges and taking on all the risk
while hampering your business model.

~~~
llama052
Aren't you still building your own compliant environment on the application
side with a heroku like model?

I'm pretty sure AWS has a package for HIPAA compliance that will checkmark
most of the required fields outside of the application, and general settings
fields. Most of the problems will come from the Application architecture. You
can have a prebuilt environment for everything but if your code is garbage
then good luck.

Not sure how hosting in AWS is any different from hosting on Heroku,
considering you're ultimately still responsible for the Application side. Does
Heroku manage your logs in some way that AWS cannot?

Even with an agreement with a merchant, aren't you still responsible for your
application code? Isn't that still subject to HIPAA requirements?

Also AWS is HIPAA compliant and they will do a Business Associate Agreement,
and has been HITRUST certified iirc.

~~~
markolschesky
"I'm pretty sure AWS has a package for HIPAA compliance that will checkmark
most of the required fields outside of the application."

Not quite, in fact, the first thing you need to do to meet a BAA with many
cloud vendors is terminate SSL locally. This means no using things like ELBs.
What about if you need a VPN? How do you guarantee that traffic is still
encrypted (let's say TCP) once it hits the VPC VPN to your application server?
These are very real healthcare compliance scenarios which you would need to
figure out a solution for on the infrastructure side which you would need to
build or buy. I'm sure there are similar things that need to be handled WRT PCI.

Application security is important (of course). I used to work on application
security with hospital organizations at an EHR vendor, so even though we sell
infrastructure I can help customers out when it comes to this topic. The
reason why there isn't really an "Application Security checkbox" is because
the question "What is the correct amount of access to patient data?" is a hard
one. Prestigious healthcare organizations all the way down to startups
struggle with it, so it's usually a more involved process.

------
dirkdk
Is this running in Salesforce datacenters? Not Amazon anymore, as it used to
be?

~~~
amerine
No

------
zrail
I'm really excited about this, and also really excited to see what the pricing
is like.

~~~
sudhirj
The video looks like it's org-only - I think getting an org on Heroku starts
at USD1000 a month.

~~~
isaiahdw
Heroku Enterprise (required for Orgs, Private Spaces, etc) requires an annual
agreement paid upfront ($18K/year minimum) for pre-allocated resources with a
20% premium for the included premium services (Org Account, Customer Solutions
Architect and 24/7 Premium Support SLA).

------
guiporto
Heroku please launch new regions! I really hope you guys launch in Sao Paulo,
Brazil.

~~~
Paulods
Yep. Wouldn't hurt to have Tokyo regions as well for Asia.

~~~
njohansson
They do in fact launch Tokyo as a region in combination with this
announcement! (together with Frankfurt, Germany and two US regions) As all
these places are AWS regions and this service most likely is built upon VPC I
don't think it's a too wild guess that this service will eventually be
available in all AWS regions ([https://aws.amazon.com/about-aws/global-infrastructure/](https://aws.amazon.com/about-aws/global-infrastructure/))

~~~
Paulods
Yes I saw. I should have made clear I mean for standard Heroku instances.

------
sudhirj
I can't make out if public facing apps can be deployed inside a space, though - I
just want to be able to use Heroku in the Singapore region :-/

~~~
amerine
Yes, the applications are publicly accessible by default, just like the
Cedar-based ones.

------
cdnsteve
Does Private Spaces (aka VPC) offer any type of SLA?

------
sudhirj
Is this enterprise-only?

