This series of posts explores the intriguing challenges I’ve encountered throughout my career. Today, I’m excited to share a pivotal chapter: spearheading compliance for Splunk Cloud’s multi-tenant services, covering SOC2, HIPAA, ISO, and PCI standards.

Back in 2019, we had developed around 20 multi-tenant Splunk Cloud services to enhance the existing, monolithic Splunk solution. Despite their innovative capabilities, these services operated from a single region and lacked essential compliance certifications. This absence was a significant barrier, precluding these services from being integrated into customer cloud solutions and halting numerous product launches that relied on these new services.

I was tasked with leading the compliance journey for all 20 microservices. Armed with a security architect credential - Certified Information Systems Security Professional (CISSP) from ISC2 obtained in 2015, I faced the daunting challenge of navigating uncharted territory, as Splunk had no previous blueprint for certifying multi-tenant microservices. The task at hand was to understand, author, and unify the operations for 20 different microservice teams, each working autonomously.

In collaboration with the internal audit team and other adjacent leaders, I initiated comprehensive changes to simplify authorization requirements across service teams. We then tackled the issue systematically, identifying different service layers and approaching compliance from the bottom layer up. I developed Standard Operating Procedures (SOPs) for all service teams and concurrently launched tooling projects to automate evidence collection, demonstrating adherence to these SOPs.

The endeavor was a resounding success, culminating in the certification of all 20 services within a mere 9 months—surpassing our initial timeline. Several factors were pivotal to our success:

  • Fostering collaboration to distill complex policies into understandable controls and SOPs.
  • Implementing broad modifications to authorization processes, streamlining security requirements.
  • Adopting a segmented approach, focusing on a subset of services at a time, which facilitated learning and adaptation.
  • Leveraging automation in evidence collection through the development of new microservices.

This journey underscored the importance of collaboration, simplification, strategic problem-solving, and the power of automation in overcoming compliance hurdles in multi-tenant cloud services. It was a testament to the team’s dedication and innovative spirit, showcasing how complex challenges can be transformed into opportunities for growth and improvement.