By Craig Wicks, Sr. Manager, AWS SaaS Factory
Do you know what personal data your organization collects from customers? Do you know what third parties are doing with that data? Do customers understand where their data goes?
For Software-as-a-Service (SaaS) companies responsible for data collection and processing on behalf of multiple organizations, privacy is a core requirement and a competitive differentiator. Knowing the answers to these questions is critical to meeting data management, security, and privacy requirements.
If you want to be successful in today’s complex IT environment, and remain that way tomorrow and into the future, teaming up with an AWS Competency Partner like WireWheel is The Next Smart.
As new privacy laws toughen requirements for personal data collection and processing, WireWheel automates the most important tasks required to comply.
This includes the General Data Privacy Regulation (GDPR), California Consumer Privacy Act (CCPA), and many other new or evolving privacy regulations around the world.
Working with AWS SaaS Factory, WireWheel navigated technical and business decisions for launch and beyond.
AWS SaaS Factory provides APN Partners with resources that help accelerate and guide their adoption of a SaaS delivery model. SaaS Factory includes reference architectures for building SaaS solutions on AWS; Quick Starts that automate deployments for key workloads on AWS; and exclusive training opportunities for building a SaaS business on AWS.
The AWS SaaS Factory team sat down with Ed Peters, WireWheel’s Chief Technology Officer, to learn how they streamline data privacy management. We also asked what advice they have for other APN Partners building SaaS solutions on AWS.
Q&A with WireWheel
SaaS Factory: Can you tell us about your background and personal experience with cloud computing?
Ed Peters: I’ve been building enterprise software for about 20 years, with most of it being SaaS, so I’m deeply familiar with cloud computing. About seven years ago, I got involved in taking applications built for proprietary data centers and retargeting them for public cloud environments. I also have experience building for public clouds like AWS.
SaaS Factory: What products and solutions has WireWheel built on AWS?
Ed Peters: In 2018, we launched the WireWheel Platform for data privacy management. It helps IT, security, and privacy teams understand the personal data you have, where that data is stored and computed, and which third parties you’d contact if downstream deletion were required. AWS Solution Architects supported our platform development efforts with the Well-Architected Framework.
SaaS Factory: How does the WireWheel platform work?
Ed Peters: At WireWheel’s core is a sophisticated tasking engine that lets users collaborate in the collection of information. There’s a component of it which is oriented around humans working with one another, asking questions and capturing the answers for processing.
WireWheel also contains hooks so that answers can add new entities into the system database, be pre-filled with known content from the platform, and send and receive messages to participate in automated workflows. This helps customers make the most of their time and stop answering the same questions over and over again.
WireWheel leverages public cloud APIs for asset discovery, as well as proprietary technology for automated schema analysis. This helps speed up privacy analysis by giving direct access to information about where everything is running and kick-starting the classification of potentially sensitive data sets. This reduces the amount of time spent chasing down information during a data inventory project.
With these elements in place, our customers can get insights about where the risk lies in their systems. For instance, by tying data classification with infrastructure information, customers can identify unencrypted storage of sensitive personal data, which is a red flag for regulators and can trigger large fines. By relating a detailed inventory of a cloud environment directly to required privacy analysis, customers can identify areas where they may have “unknown unknowns,” which refers to significant systems that have not been subject to the proper scrutiny.
As a proof point, a team of just three people at Under Armour used WireWheel to involve hundreds of employees and dozens of vendors in a privacy program that was recognized by the International Association of Privacy Professionals.
SaaS Factory: What’s the opportunity for customers?
Ed Peters: The majority of customers we talk to say they are overwhelmed and don’t know where to begin when it comes to establishing a solid privacy program. Even those who’ve done the required analysis are flummoxed by recent changes in legislation and unsure how to demonstrate to customers and regulators that they’re being responsible data stewards.
We think there’s a common-sense backbone to all privacy requirements that will make sure you’re doing the right thing with personal data, regardless of regulatory evolution.
You need to know: (1) what kind of personal data are you collecting and hosting; (2) where is it being stored and processed; (3) what third parties are you giving it to; and (4) why is all this a legitimate use of that data? Companies that have lost track of the answers to one or more of those questions are at risk of compromising the personal data they’re responsible for.
One industry trend is the desire of companies to find a fully automated privacy solution. Currently, no solution can deliver on that demand or promise. A critical element to privacy compliance and turning privacy into a business generator is human analysis and decision-making around core privacy issues. WireWheel’s technology automates processes that surface the most important information to inform those key decisions.
Customers operating in public cloud environments are in a better position than ever to answer these questions. The rich amount of metadata available about their infrastructure makes it easy to perform due diligence to establish a baseline of compliance, and then establish solid governance programs to keep from drifting off course.
SaaS Factory: How does WireWheel’s solution address this for customers?
Ed Peters: The WireWheel platform helps simplify, structure, and automate data protection and privacy compliance, turning a compliance effort into a competitive and business advantage. We simplify all privacy regulations down to five key actions that companies must take to build trust with their customers and meet regulators’ requirements:
- Data flow mapping.
- Data discovery and classification.
- Vendor management, scoring and approval for privacy.
- Documentation (privacy threshold, privacy impact, and data protection impact assessments, and more).
- Subject access requests.
By focusing on these actions through different workflows, we allow customers to:
- Demonstrate ethically sourced data in data inventories.
- Provide customer-facing privacy portals.
- Create a self-service internal privacy management tool.
- Demonstrate transparency and build trust through shared reports/documentation.
- Create easily manageable and automated data governance processes.
SaaS Factory: Can you walk us through the architecture? What AWS services are key?
Ed Peters: Building off the workflows we just talked about, we strive to keep our architecture simple. Our core application is a set of microservices packaged as Docker containers.
We originally self-hosted on Amazon Elastic Compute Cloud (Amazon EC2) instances, but we became early adopters of Amazon Elastic Container Service for Kubernetes (Amazon EKS) and that has provided a ton of cost savings and manageability benefits.
Our two primary data stores are Amazon S3 for unstructured data and MongoDB for documents. S3 is a well-known workhorse, and we were able to take advantage of hosting services from MongoDB, an AWS Solution Provider. The combination of these two technologies has the scale and manageability we need to keep our operations light.
We’ve also been dipping our toes in the serverless water. We have a couple of document transformation and scanning features we’ve deployed as AWS Lambda functions listening to our S3 buckets. That provided great benefits from an encapsulation perspective, and also huge scalability when we needed it during large-scale migrations.
Working with AWS, we have also focused on using AWS Security’s Shared Responsibility Model to demonstrate “Of the Cloud” and “In the Cloud” responsibility for a Privacy Shared Responsibility Model. We’ve identified 12 additional services besides the AWS compute, storage, and database services that WireWheel can leverage for customers. WireWheel also supports a customer’s use of Amazon Macie and AWS Glue.
SaaS Factory: What technical challenges did you face building this SaaS solution on AWS?
Ed Peters: We faced multiple challenges, but AWS SaaS Factory worked with us hand-in-hand to solve them and turn them into opportunities.
On the business side, we faced the challenge of understanding how to engage cloud customers and bring the tool to them as an early-stage startup. We also faced the challenge of determining how to price our product for cloud customers. On the technical side, we chose to invest early in our relationship with AWS, so we wanted to ensure we were architected to AWS’s standards for our testing and production environments.
While we are capable of supporting on-premises or hybrid cloud customers, the true power to comply with data protection and privacy requirements comes from being deployed in the cloud. When a customer is using AWS for their IaaS or PaaS, WireWheel dynamically maps their environment, conducts metadata analysis of data stores and compute, and creates privacy-related insights and alerts.
SaaS Factory: What support did AWS SaaS Factory provide your team?
Ed Peters: Our experience with AWS SaaS Factory has been incredible, from multiple angles. AWS has been a fully committed partner and has top quality talent to work with. Your focus on the customer matches with our values.
On the technology front, the SaaS Factory team supported our Well-Architected Review and helped us connect with AWS ProServ to get advice about transitioning our original architecture to a Kubernetes environment. On the business side, SaaS Factory helped us work with AWS Marketplace to make our product available to all AWS customers and get into a pilot that combined contract and consumption pricing models.
AWS has an extensive partner program to help APN Partners build, market, and sell their products or services. From the WireWheel perspective, we have clearly seen AWS is willing to invest in partner relationships in terms of time, money, and other resources to help us succeed.
AWS SaaS Factory was a critical element to helping us build our product and to position us to go to market with AWS and sell our product on AWS Marketplace.
SaaS Factory: What would you tell others planning to build a SaaS solution on AWS?
Ed Peters: The time for a SaaS company to engage with AWS is from the start. AWS knows its technology better than anyone and will provide expert guidance and even cost-saving advice. Especially for a SaaS product builder, AWS has become a hub for SaaS offerings.
AWS also helped us get ready to go to market, providing advice on how to best architect our development, test, and production environments on AWS. They helped us prepare for a general offering in AWS Marketplace and conducted joint marketing efforts together, including webinars and promotion of a whitepaper and e-book.
As a partner for a growing business that is focused on the transition to the cloud, AWS has been fantastic. The AWS offerings give our customers a chance to really do privacy right, from the start.
SaaS Factory: What are your future plans with AWS?
Ed Peters: We are continuing to build and improve our product on AWS and deepening our partnership with AWS. We have achieved the AWS Security Competency and are focused on expanding our sales through AWS Marketplace.
We see AWS Marketplace’s effort to expand the Enterprise Contract Program (ECP) as a great service for customers to help reduce sales procurement frictions. We also look forward to special announcements with the AWS Activate team in helping support startups. We have benefited from the AWS Startup team’s efforts and want to pay it forward to other startups who are building their products on AWS like we did.
Learn More About AWS SaaS Factory
Additional technical and business best practices can be accessed via the AWS SaaS Factory website.
ISVs that are not APN Partners are encouraged to subscribe to the SaaS on AWS email list to receive updates about upcoming events, content launches, and program offerings.
WireWheel – APN Partner Spotlight
WireWheel is an AWS Security Competency Partner. Its platform automatically discovers and maps AWS services for privacy compliance, including GDPR and more.
from AWS Partner Network (APN) Blog