Cloud Service Architecture - Overcoming HIPAA Challenges - ClickSoftware
TRANSCRIPT
Agenda
Cloud Service Overview
Architecture
PHI Security Controls – Approach
Security – Infrastructure
Administrative Controls
Technical Controls
Incidents Detection and Response
Cloud Services – Overview (1/2)
Mobile Workforce Management & Optimization
Dispatcher/Mobile/GIS
Number of Cloud Customers: 60+
Data stored and processed:
Personal and Protected Health Information (PHI)
Customer’s and Customer’s Clients’ Information
Cloud Services – Overview (2/2)
Software as a Service
Amazon Web Services (AWS) Based
Holding 3 Regions (US, EU, AUS)
HIPAA business associate
Operation team
Cloud Ops, NOC & Support 24x7, DevOps, Security
SLA – 99.9%
DR – Other Region / Availability Zone
Data Daily Backup – AWS S3 in encrypted format
Architecture
[Architecture diagram. Legend: VPC – Virtual Private Cloud, SaaS – Software as a Service, DC – Domain Controller, CSSO – Service Optimization]
Components shown: web clients over HTTPS, Amazon Firewall / Internet GW, ELBs, SiteMinder Authentication, per-customer CSSO instances (Client A, Client B, Client C) inside the ClickSoftware SaaS VPC, MSSQL fully redundant (mirroring), GIS (PTV), DC / BDC.
Covered Entity (Customers)
Business Associate (ClickSoftware Cloud Services)
Private Data / PHI must be Processed with:
Limited purposes
Not kept for longer than is necessary
Mitigation of unauthorized access
No transfer to third parties without adequate protection
PHI Security Controls – Approach
• AWS assurance programs:
SOC2 & SOC3 & FIPS 140-2 (encryption) & NIST (media re-use)
ISO 27001- Information Security Management System (ISMS)
HIPAA (& BAA) – Health Insurance Portability and Accountability Act
• AWS addresses common infrastructure security threats, such as:
Distributed Denial of Service (DDoS) attacks
Man In the Middle (MITM) attacks
IP spoofing
Port scanning
Packet sniffing by other tenants
Security – Infrastructure
• Security Personnel – Security and Privacy Officer
• ISO 27001 and HIPAA compliance (& BAA)
• Information Security and Privacy Policy
• Risk Assessments
• Code Inspections
• Penetration Tests
Administrative Controls (1/3)
• Internal Security Audits:
Brute-force attempts & changes in groups, servers, applications and GPO
Changes in AWS Security Groups & ELB
AWS tools: Trusted Advisor, Credentials Report
Administrative Controls (2/3)
• Credentials Report fields:
  Username (Console / API)
  user_creation_time
  password_enabled/disabled
  password_last_used
  mfa_active/inactive
  access_key_active/inactive
• Security Group changes – email alert:
  Hello,
  AWS Auditing Alert - Please check the log lines below
  2015-01-27 06:31:53 AM: Object: Security Group(sg-XX) ObjectId: tcp Decription: Security Group IpProtocol RANGE (YY) had been added
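As an added example (not code from the ClickSoftware deck), the audit checks implied by the Credentials Report fields above, run over a constructed sample laid out like the IAM credential report CSV. The column names follow the real report; the users, dates, report time and 90-day staleness threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the IAM credential report (a subset of its columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
alice,arn:aws:iam::123456789012:user/alice,2014-03-01T09:00:00+00:00,true,2015-01-26T07:15:00+00:00,true,true,2015-01-25T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2014-06-10T12:00:00+00:00,true,2015-01-20T08:00:00+00:00,false,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2014-01-15T10:00:00+00:00,false,N/A,false,true,2014-09-01T00:00:00+00:00
svc,arn:aws:iam::123456789012:user/svc,2014-12-01T10:00:00+00:00,false,no_information,false,true,N/A
"""

# Assumed audit time and staleness threshold (constructed; the date matches the slide's alert).
REPORT_TIME = datetime(2015, 1, 27, 6, 31, 53, tzinfo=timezone.utc)
STALE_DAYS = 90


def _parse_ts(value):
    """Return an aware datetime, or None for the report's N/A-style placeholders."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv, now=REPORT_TIME, stale_days=STALE_DAYS):
    """Return (user, finding) pairs for the console / MFA / access-key checks the slide lists."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        console = row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        last_login = _parse_ts(row["password_last_used"])
        if console and last_login is not None and last_login < cutoff:
            findings.append((user, "console password unused for over %d days" % stale_days))
        if row["access_key_1_active"] == "true":
            last_key_use = _parse_ts(row["access_key_1_last_used_date"])
            if last_key_use is None:
                findings.append((user, "active access key never used"))
            elif last_key_use < cutoff:
                findings.append((user, "active access key unused for over %d days" % stale_days))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print("%s: %s" % (user, finding))
```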
Administrative Controls (3/3)
• Employees:
  NDA, Employee Security Requirements
  Security Awareness Training (OPS, NOC, Support, R&D)
  Background Screening
• Specific Policies and Procedures:
  DRP
  Backup & Restore
  Data Sanitization (PHI disposal: database, logs, backup)
Technical Controls (1/3)
• AAA – Authentication, Password policy, Strict Permissions, Logs
• Active Directory
• Identity Manager
• SSO - Federation and SAML2
• URL filter and Reverse Proxy
• IPS & WAF & DDoS Protection
• Antimalware, Security Patches
Technical Controls (2/3)
• Network Segmentation and Traffic Control:
  VPC - Private, isolated and controlled section of AWS
  Dedicated Database Instance / Dedicated HIPAA Environment
  AWS Security Groups (inbound & outbound)
  Authorized IP Addresses
• Remote Access:
  AWS Management console: TLS with Two Factor Authentication (TFA)
  AWS Environment: VPN/TLS with TFA
Technical Controls (3/3)
• HTTPS access – TLS termination at:
  AWS ELB / Security Gateway
  Web Server
• Data at-rest encryption:
  Elastic Block Store (EBS) encryption
  Mobile local database encryption
• De-Identified Health Information - Static & dynamic data masking
• Audit of actions in PHI Database
Incidents Detection and Response
• Detect and Notify:
  SIEM - Logs collection, aggregation, correlation
  AWS Changes detection, CloudTrail / CloudWatch
  On-going Audits
• Contain – Isolation, blocking, prevention of further damage
• Recover (snapshots)
• After Action – Forensics (snapshots)
• Breach notification:
  Timeline
  Legal & Marketing cooperation