Introducing Heroku Shield: Continuous Delivery for High Compliance Apps

Today we are happy to announce Heroku Shield, a new addition to our Heroku Enterprise line of products. Heroku Shield introduces new capabilities to Dynos, Postgres databases and Private Spaces that make Heroku suitable for high compliance environments such as healthcare apps regulated by the Health Insurance Portability and Accountability Act (HIPAA). With Heroku Shield, the power and productivity of Heroku are now easily available to a whole new class of strictly regulated apps.

At the core of Heroku’s products is the idea that developers can turn great ideas into successful customer experiences at a surprising pace when all unnecessary and irrelevant elements of application infrastructure are systematically abstracted away. The design of Heroku Shield started with the question: what if regulatory and compliance complexity could be transformed into a simple developer experience, just as has been done for infrastructure complexity? The outcome is a simple, elegant user experience that abstracts away compliance complexity while freeing development teams to use the tools and services they love in a new class of app.

Heroku Shield is generally available to Heroku Enterprise customers. For more information about Heroku Enterprise, please contact us here.

To use Heroku Shield, start by creating a new Private Space and switch on the Shield option. The first thing you notice is that logging is now configured at the space level. With Private Space Logging, logs from all apps and control systems are automatically forwarded to the logging destination configured for the space. This greatly simplifies compliance auditing while still leaving the developers in full control of app configuration and deployment.

Shield Private Spaces also add a critical compliance feature to the heroku run command, which developers use to access production apps for administrative and diagnostic tasks. In a Shield Private Space, all keystrokes typed in an interactive heroku run session are logged automatically. This meets a critical compliance requirement to audit all production access without restricting developers from performing diagnostics and time-sensitive remediation tasks directly on production environments.

In a Shield Private Space you can create special Shield flavors of Dynos and Postgres databases. The Shield Private Dyno includes an encrypted ephemeral file system and prevents SSL termination from using TLS 1.0, which is considered vulnerable. Shield Private Postgres further guarantees that data is always encrypted in transit and at rest. Heroku also captures a high volume of security monitoring events for Shield dynos and databases, which helps meet regulatory requirements without imposing any extra burden on developers.

With Heroku Shield, you can now build healthcare apps on Heroku that are capable of handling protected health information (PHI) in compliance with the United States HIPAA framework. The healthcare industry is living proof of how challenging it is to modernize application delivery while meeting strict compliance requirements. All you have to do is compare the user experience of most healthcare apps with what you have come to expect from apps in less regulated industries like e-commerce, productivity and social networks.

It's simply too hard to evolve and modernize healthcare apps today because they are delivered using outdated, rigid platforms and practices. At Heroku, we are doing our small part to change this by providing development teams a HIPAA-ready platform with the industry's best Continuous Delivery Experience.

Of course, this is just a step on our trust journey - the work of providing more security and compliance capabilities is never complete. We are already working on new capabilities and certifications for Heroku Shield, and as always look to our customers and the developer community for input on how to direct and prioritize those efforts.

Combining developer creativity with the opportunities for innovation in high compliance industries is powerful. Heroku has had the privilege of seeing the possibilities that result from removing obstacles from developers, and with Shield, hopes to see that promise amplified yet again. For more information on Shield, see the Dev Center article here, or contact Heroku.