I am happy to announce that Aptible has earned ISO 27001 certification for our Enclave and Gridiron products! This is the result of a lot of hard work by the Aptible team, and is good news for you if you’re an Aptible customer: You can use Aptible’s ISO 27001 certification to show your customers that your cloud computing stack meets an international standard for security.
What is ISO 27001?
ISO is an organization. In English, the name of the organization is the “International Organization for Standardization,” but usually people just call it ISO, like International Business Machines Corporation is just IBM.
ISO produces “standards”: documents that outline requirements, specifications, and guidelines.
Requirements, specifications, and guidelines for what? Lots of things. There are over 20,000 standards, and they can be very specific.
You can play around and search the ISO site. This can be strangely fascinating: pick a random noun and search for it.
“Avocado?” Boom: ISO 2295 is a guide for the storage and transport of avocados. ISO 3659 has instructions on how to ripen avocados after cold storage. And so on.
ISO standards also cover more abstract concepts. One of the best-known standards is ISO 9001, which sets out criteria for a quality management “system”, or set of principles and business processes.
ISO 27001 is also a “system” standard. It defines requirements for information security management systems. The main body of the standard outlines a governance structure that you have to adopt: requirements for determining what counts as in-scope or out-of-scope for your “system,” assigning security roles and responsibilities, security planning activities, risk management activities, monitoring/metrics, and improving the system itself.
ISO 27001 also has an annex of reference controls relating to areas like cryptography, operations security, asset management, incident management, and more. The reference controls are normative, in the sense that if you don’t implement a given control, you need to be able to convince your auditor that your decision was reasonable, or otherwise explain yourself.
What does ISO 27001 mean for software development teams?
Think of ISO 27001 as a baseline for good security management processes. “We take security seriously” is a cliche. Many developer teams know they would benefit from an organized approach to security, but don’t know where to start. Hiring someone full-time for security is a stretch for small teams, and managing security just gets more complex as you scale.
Teams seeking ISO 27001 certification need to be organized. Like most of the major information security frameworks (SOC 2, HIPAA, PCI, etc.), ISO 27001 requires:
- Proactive risk management, instead of just reacting to bad things as they happen
- Planning ahead for security and setting appropriate security improvement goals
- Writing down the rules for how security is supposed to work for your system (in policies and procedures)
- Training your workforce on those rules, with advanced training for those with more security responsibilities
- Training for and responding to security and availability incidents, including breaches
Most teams will end up investing in secure software development practices, such as test coverage, continuous integration/continuous deployment, code review, vulnerability scanning, and penetration testing. On a practical level, you’ll probably get serious about MFA, require everyone to use a password manager, start using mobile device management to secure laptops and phones, do criminal background screenings, stuff like that.
What does ISO 27001 “certification” mean?
ISO standards are voluntary. Unlike the Department of Health and Human Services with HIPAA enforcement or the PCI Security Standards Council, the ISO organization itself doesn’t have any ability to enforce the standards. In fact, anyone can claim they “comply” or are “consistent” with any of the ISO standards.
The gold standard is a certification performed by an “accredited” certification body, or auditor. Being “accredited” means the auditors have themselves been audited against an ISO standard for how they conduct audits and certifications.
Aptible has been certified by Coalfire ISO, an ISO/IEC 27001 Certification Body accredited by the ANSI-ASQ National Accreditation Board (ANAB).
How does Aptible’s ISO 27001 certification benefit you?
Getting organized about security helps us protect your data. ISO 27001 lays out clear best practices for security management. With developer teams, huge problems can come from seemingly little things like not sanitizing inputs, not patching vulns, accidentally pushing sensitive data to the wrong system. ISO 27001 certification means we’ve spent time thinking systematically about risk, and have strong controls in place to manage it.
In turn, you can use Aptible’s ISO 27001 certification to show your customers that your cloud computing stack meets an international standard for security.
How can you get your own ISO 27001 certification?
The traditional way to prepare is to use consultants or full-time hires. This usually involves a lot of Word documents and Excel spreadsheets, takes a long time, is extremely expensive, and makes you feel slightly let down, like you just spent all that time and money and not much really changed. You may have this nagging feeling that you’re not actually that much more secure, but at least you have antivirus on everyone’s laptops.
I think there’s a better way. At Aptible, we make Gridiron, a set of tools for managing security, designed specifically for software development teams. Let us know if you want to get ready for ISO 27001, HIPAA, SOC 2, PCI, NIST 800-53, 21 CFR Part 11, or any other security framework.
Are Aptible customers affected by Cloudbleed?
No, not by virtue of using Aptible. Aptible does not use Cloudflare, and as such, our services and customer environments were not affected by the Cloudbleed vulnerability disclosed yesterday.
That said, if you use or used Cloudflare, you may be affected. You can read Cloudflare’s official description of Cloudbleed here.
If I used Cloudflare to cache PHI, what should I do?
Activate your incident response plan and talk to your lawyer immediately, unfortunately. You may be required to conduct mitigation, and breach and/or security incident notifications, by HIPAA or your business associate contracts.
Cloudbleed is one issue. Another issue is that if you were using Cloudflare to cache PHI through their CDN without a BAA, you may have been in breach of the HIPAA rules before this.
Some have suggested that Cloudflare might not be a HIPAA business associate because of an exception to the definition of business associate known as the “conduit” exception. Cloudflare is almost certainly not a conduit. HHS’s recent guidance on cloud computing takes a very narrow view:
The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.
OCR hasn’t clarified what “temporary” means or whether a CDN would qualify, but again, almost certainly not, as data storage is a critical, non-incidental component of CDN functionality.
What if I used Cloudflare to cache PII?
Again, activate your incident response plan and talk to your lawyer. HIPAA is just one of many data privacy regulations. Many states require companies to report breaches of personally identifiable information belonging to residents of that state.
What if I used Cloudflare for data aside from PHI or PII?
We encourage you to be safe and rotate all credentials that might have passed through Cloudflare from your app, such as session cookies, API keys, and user passwords.
What else should I do?
We encourage you to rotate your passwords for any service that used Cloudflare between September 22, 2016, and February 18, 2017. Cloudflare has not released a list of services affected. You can find one security researcher’s list of Cloudflare DNS customers (which is likely overinclusive) here.
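One way to triage a credential inventory against that exposure window, as an added example in Python that is not Aptible’s code: the credential records and the set of Cloudflare-fronted services below are constructed placeholders, and since no official list of affected services was published, deciding which of your own services were fronted by Cloudflare is an assumption you have to supply yourself.

```python
from datetime import date
from typing import Optional

# Exposure window stated in the post (inclusive on both ends).
EXPOSURE_START = date(2016, 9, 22)
EXPOSURE_END = date(2017, 2, 18)


def live_during_window(issued: date, revoked: Optional[date]) -> bool:
    """True if the credential was valid on at least one day of the window.

    revoked=None means the credential is still active, so it was live through
    the end of the window regardless of how old it is. A credential revoked
    the day before the window opened, or issued the day after it closed, is
    not considered exposed.
    """
    last_valid = revoked if revoked is not None else date.max
    return issued <= EXPOSURE_END and last_valid >= EXPOSURE_START


def credentials_to_rotate(inventory, cloudflare_fronted):
    """Return ids of credentials that were live during the window and belong
    to a service the operator believes was fronted by Cloudflare at the time.

    Secrets that never transited Cloudflare do not need emergency rotation for
    this incident, so the service check is applied before the date check.
    """
    return [
        c["id"]
        for c in inventory
        if c["service"] in cloudflare_fronted
        and live_during_window(c["issued"], c.get("revoked"))
    ]


# Constructed sample inventory (hypothetical ids and services).
SAMPLE_INVENTORY = [
    # Issued long before the window and never rotated: exposed for all of it.
    {"id": "api-key-1", "service": "web", "issued": date(2016, 1, 5)},
    # Issued after the window closed: not exposed.
    {"id": "api-key-2", "service": "web", "issued": date(2017, 3, 1)},
    # Expired the day before the window opened: not exposed.
    {"id": "session-3", "service": "web", "issued": date(2016, 9, 1),
     "revoked": date(2016, 9, 21)},
    # Issued on the last day of the window: still exposed.
    {"id": "session-4", "service": "web", "issued": date(2017, 2, 18),
     "revoked": date(2017, 2, 20)},
    # Live during the window but on a service not behind Cloudflare.
    {"id": "db-pass-5", "service": "db", "issued": date(2016, 10, 1)},
]

# Assumption for the sample: only the "web" service was fronted by Cloudflare.
SAMPLE_CLOUDFLARE_FRONTED = {"web"}

if __name__ == "__main__":
    for cred_id in credentials_to_rotate(SAMPLE_INVENTORY, SAMPLE_CLOUDFLARE_FRONTED):
        print("rotate:", cred_id)
```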
The Aptible Update Webinar Series is a new quarterly presentation that covers recent features and changes to the Enclave deployment platform and Gridiron security management products.
We hosted the first Update Webinar on October 25. In it, we covered:
- Deploying from Private Docker Registries: How to configure a private container deployment pipeline
- Advanced Memory Management: How to plan for and easily manage container memory issues
- New ALB Endpoints: More resilient zero-downtime deployments
- HTTP Health Checks: Smart, safe app container routing
- Platform Events: How to get more from the Enclave API and your logging
- Container Metrics: Live telemetry and dashboards for monitoring
- Working with Database Backups: On-demand backups and restoration
- Two-factor Authentication: Securing your Aptible accounts
The next Aptible Update Webinar will be on January 25, 2017, at 11am PST/2pm EST.
Webinars are recorded and made available for viewing if you cannot attend the live session.
How does a major open-source framework approach upgrades? Find out in Robert’s talk at the Ember.js NYC meetup last month.
If you find this interesting, join us!
Frank spoke at AWS re:Invent last week, in a session about architecting for HIPAA compliance. The entire panel is worth watching.
Having just come through Y Combinator, we frequently get asked whether it was worth it. The answer is absolutely yes, no hesitation. While the experience is still fresh, I want to encourage you to apply for the next cycle and give some advice for getting in.
You have an early-stage startup, or at least an idea for one. You know Y Combinator is fantastic: the network is legendary, the terms are fair, the other founders are incredible, and it provides an amazing lift for customer acquisition, fundraising, and recruiting.
The catch is that acceptance rates are brutal. Somewhere below 3% of applicants get an offer.
Should you skip this application cycle and apply later, when your company is more mature?
You should apply now, even if you don’t think you are ready.
There are two main reasons for this:
The application process itself is valuable. Preparing the application requires you to think carefully about your idea, your company, your market, your team, and the obstacles in your way. Forcing yourself to reflect honestly is painful, but extremely beneficial. Seize the opportunity to do it now.
You have a better chance than you think. The traits YC looks for in companies and founders are well-known and addressable. By “well-known,” I mean go read PG and Sam’s essays. By “addressable,” I mean you can improve your chances with focused work and practice. If your company doesn’t have the ideal characteristics, you can acquire the important ones. If you have the right ingredients, you can learn to convey that clearly and concisely.
That’s why you should apply now.
Here’s how to get in:
Step 0: Make something people want.
I’m kidding but not really.
“Make something people want” is YC’s motto. It’s also what they look for in companies. It’s not always sufficient, but it is necessary. If you do it, the rest can fall into place. If you don’t do it, you’re toast. Or Clinkle.
Others have written about how to find something to make that people want. I won’t get into that here, but I will add that most of the YC application process reduces to proving you’ve made something people want.
How do you prove it? Having paying customers is convincing. Having a lot of users is also convincing.
Showing that people want something similar to what you made or that you could make something people want are not convincing.
Sign contracts, take preorders, get LOIs, fill a waitlist, collect emails from customers saying how they can’t wait to pay you. Stop reading this and go do whatever you can to prove people want what you make. Now!
Step 1: Apply
Now, armed with proof that you make something people want, you are ready to apply.
Spend time thinking carefully about the questions. Don’t spend any time trying to game the application.
- Be honest with yourself. You know what your weaknesses are. Don’t shy away from them, but don’t waste too much time worrying if you can’t change them. For example, when we submitted our application, Aptible had no paying customers. We work in a regulated industry (healthcare) where getting security and stability right is critical, and we were confident that waiting was the right choice.
- Use every question to show that people want what you make. We made sure to explain what our waitlist looked like and how many customers had signed contracts to pay soon.
- One or two sentences is fine for most answers. Be clear and direct, then move on.
- Don’t overthink the video. Introduce yourselves, briefly explain what you’re working on, and spend the rest of your time explaining how you know people want what you make. Follow the instructions. Here’s our video.
Step 2: Interview
The application questions are a subset of the questions you may be asked at an interview.
Before our interview, Frank and I:
- Collected all of the known Y Combinator interview questions we could find
- Wrote out 1-2 sentence answers
- Agreed on which founder would lead on the answer, and
- Practiced with flash cards until we could answer every question fluently
Writing your answers out will help you formulate concise, consistent responses.
To test our fluency, we did mock interviews with each other, with our startup/tech friends, and with YC alums.
Mock interviews are the best way to practice. You will be shocked and disappointed by how incompetent you sound at first. Don’t worry, you’ll improve dramatically with repetition.
As one of our investors puts it, “You’re going to be telling people what you do eight times a day for the rest of the company’s life. Get good at it.”
Below are the questions we used to prepare. I don’t remember where we found each one, so apologies to the original sources. I’ve grouped them into categories by how important I think they are. The groups are my own and do not reflect YC’s views.
Remember: One or two sentences each. If you prepare longer answers, you’ll be flustered when the YC partners cut you off to ask another question. James Cunningham and Colin Hayhurst (GoScale, S12) built a fun app with a timer to help you practice concise answers.
These are the most important questions. They are all different ways of determining if you make something people want. You need to have a good answer, or an excellent reason for not having an answer. Many of these are in the application itself.
- What are you working on?
- Who would use your product?
- How do you know customers need what you’re making? How do you know people want this?
- How will you make money?
- How much money could you make per year?
- Why isn’t someone already doing this?
- Why will you succeed over others? What do you understand that others don’t?
- What have you learned so far from working on your product?
- How much does customer acquisition cost?
- How many users do you have?
- Where do new users come from? How do users find out about you?
- How are you meeting customers?
- What is your distribution strategy? How will you grow?
- What makes new users try you?
- Why do the reluctant users hold back?
- What is your growth like?
- What is your user growth rate?
- What’s the conversion rate?
- How many users are paying?
- Who is going to be your first paying customer?
- What resistance will users have to trying you and how will you overcome it?
- How are you understanding customer needs?
- What are the top things your users want?
- What has surprised you about user behavior?
- What’s new about what you make?
- What problems and hurdles are you anticipating? How will you overcome them?
- Six months from now, what’s going to be your biggest problem?
These questions concern narrative, team, and tactics. They are important, but only if you make something people want first.
- Why did you choose this idea? Why did you pick this idea to work on?
- Where is the rocket science here?
- How does your product work in more detail?
- What do you understand about your users? What domain expertise do you have?
- What are the key things about your field that outsiders don’t understand?
- What’s an impressive thing you have done?
- How did your team meet?
- Why did your team get together?
- Who in your team does what?
- Who would you hire or how would you add to your team? Who would be your next hire?
- What part of your project are you going to build first? What are you going to do next? What is the next step with the product evolution?
- If your startup succeeds, what additional areas might you be able to expand into?
- Who are your competitors?
- Who might become competitors?
- What competition do you fear most?
- What is your burn rate?
- How long can you go before funding?
- Have you raised funding?
These are questions that have a correct answer.
- What will you do if we don’t fund you? Keep working on this, because it’s a good idea that we can execute.
- Would you relocate to Silicon Valley during YC? Yes.
- Who is “the boss”? (Agree on one founder.)
If you get asked these in an interview, either you’re not doing well or you’re being tested. Try to preempt them with good answers to the more critical questions.
- How do we know your team will stick together? Will your team stick at this?
- What else have you created together?
- Are you open to changing your idea?
- Someone just showed us an idea like this right before you guys. I don’t like it. What else do you have?
Have answers, but don’t stress about these questions.
- What systems have you hacked?
- Tell us about a tough problem you solved?
- In what ways are you resourceful?
- What is something surprising you have done?
- What’s the funniest thing that has happened to you?
- What’s the worst thing that has happened? What’s the biggest mistake you have made?
Step 3: Start Now
Step 3 might be “Accept”, but if you interview, you should have already decided. You give up ~7% of the company for $120k in funding. YC will increase the value of your company by much more than 7%, without question. You will not get a better deal from fairer, more transparent partners anywhere.
You will only have about 100 days between getting accepted and Demo Day to make the most convincing case possible to investors. If you don’t get in, you have about 200 days to prove you can make something people want before you can apply again. Start now.
Good job on making it to the end! Feel free to ping me on Twitter or with the contact link above if you have questions. After interview invitations go out, I’ll volunteer a limited number of mock interview spots on Twitter.
You can find the Hacker News discussion for this post here.
Update - October 29, 2016: Formatting edits.
YES! Finally! The Aptible team and I are very happy to announce our public launch.
Frank and I started Aptible because we saw how difficult it was for technology companies to navigate the regulatory environment in healthcare. We believe that many of the most intractable problems in healthcare can be addressed with great technology, and we are working to empower smart, dedicated people to tackle them.
For the last few months, we have been working closely with a group of companies that represent the future of digital health. We are looking forward to telling you their stories in the coming weeks.
We are also excited to announce our relationships with three fantastic organizations:
Aptible is proud to be part of Y Combinator’s S14 batch. All of the partners have been amazing - YC is one of those rare organizations that is every bit as great on the inside as you hope it would be from the outside. Thanks especially to Justin, Garry, Kat, Jon, and Aaron for helping us prepare for this launch.
Today is the beginning of something very special. With an incredible team and the support of our customers and partners, we are going to rapidly accelerate the adoption of technology in healthcare, and help a lot of people on the way. If you want to be part of this, let us know, or email me at firstname.lastname@example.org.