WorkHands
A comprehensive infrastructure migration to meet compliance requirements
Challenge
Meet compliance requirements like SOC2
Outcome
Seamless migration to AWS, passed SOC2 audit
About WorkHands
Making apprenticeship management easy
Professional apprenticeships in the US require a lot of documentation and tracking of on-the-job training. WorkHands is an organization on a mission to make apprenticeships simpler.
Ten years after founding by CEO Patrick Cushing, their primary way to help apprentices and apprenticeship programs is through their web application. It helps apprentices across trade industries, healthcare fields, accounting and more manage things like documentation, training and hours from anywhere.
Challenge
Upgrade a Rails app to meet FedRAMP and SOC2 requirements
As the WorkHands solution picked up traction, they started getting more inquiries from large, regulated government entities such as state agencies. With these exciting new opportunities came a long list of compliance requirements.
To ready themselves for this new era of work and the associated regulations, the WorkHands team needed to remediate known issues in the system that stood in the way of FedRAMP and SOC2 compliance. Core elements of their existing infrastructure, like the Rails version and the cloud platform, had to be updated. Patrick wanted to be strategic about approaching this undertaking and get expert consulting not just on the implementation, but on the series of technical decisions to be made.
Solution
Upgrading Rails and migrating from Heroku to AWS with thoughtbot Flightdeck
thoughtbot brought in our Platform Engineering team which specializes in building platforms for highly regulated products. We also pride ourselves on quickly getting clients up and running on a robust cloud platform according to best practices around security and reliability.
Step 1: understanding migration goals and infrastructure
The first order of business was understanding WorkHands’ objectives and conducting an inventory of their infrastructure. WorkHands was on a version of Rails that needed to be upgraded: old versions lack the latest maintenance and security patches and block updates to other libraries that depend on later versions. They also needed to migrate off Heroku to achieve their compliance and scalability goals while keeping a focus on cost management. We dug into the code bases to determine what would be involved in terms of updates and migration, and which infrastructure needed to be moved over.
To support the project, thoughtbot introduced Flightdeck, our toolkit to provision a production-ready application platform with Kubernetes, AWS, and an infrastructure as code model via Terraform.
Using the thoughtbot Flightdeck toolkit for AWS migrations
Flightdeck is a set of modules and associated documentation that helps DevOps engineers manage the complexity of a secure, multi-account AWS environment designed according to the latest security and compliance recommendations. It includes secrets management, foundational monitoring, an isolated account and network architecture, ingress and routing over SSL, and tools to easily build out deployment pipelines alongside application code repositories.
As our team worked on the new, more secure platform and migration plan, we followed our security best practices around isolation, multiple environments, and single sign-on, but also focused on training the WorkHands team to be able to manage future changes. A major component of a platform migration is not just executing the implementation, but instilling these best practices in the client so they can understand and take over the platform, setting them up for long-term success.
A smooth AWS migration with an incremental approach
thoughtbot facilitated the migration process with a detailed plan that included setting up a staging environment, containerization, a thorough checklist, and working closely with the WorkHands team on Rails upgrades and testing checklists.
The incremental strategy paid off for this time-sensitive project. The migration itself was incredibly smooth and took less than 60 minutes. Hundreds of gigabytes of images and documents were migrated, along with the Postgres database, Redis, Memcached, and third-party service integrations. The value of rigorously reviewing and rehearsing the steps of a production rollout cannot be overstated.
Handoff to the WorkHands team
To hand off the new platform to the WorkHands team, we documented the key steps of the new environment and conducted many pairing sessions. We got them used to the fundamental elements of CI/CD on the new platform and to activities like running deploys, doing basic maintenance and debugging checks, gathering logs, and looking at the state and health of their environment.
The top priority of the project was to make this transition as easy for WorkHands as possible by 1) maintaining stability and 2) leaving the WorkHands team feeling confident in the changes to the environment.
Outcome
A compliant application and leveled-up team
WorkHands is now compliant with FedRAMP and completely prepared for SOC2 compliance from a technology perspective. They passed a check-in with their auditor with flying colors and are on to the next steps of their SOC2 process.
The team has integrated many of thoughtbot’s best practices and processes into their own standards and seen a vast improvement in quality and efficiency. Patrick and the team cite these improvements, and what they learned both individually and as a team, as the greatest benefit of their engagement with thoughtbot. From pairing with thoughtbot experts to the depth of documentation put in place, WorkHands has entered a new phase of their journey as a product team and found confidence in the long-term security, scalability, and performance of their app.
thoughtbot continues to provide ongoing maintenance to WorkHands and is their trusted source for technical guidance around their new infrastructure and processes, just a Slack question away.