TABLE OF CONTENTS
EXECUTIVE SUMMARY
  WHAT IS AMAZON WEB SERVICE (AWS)?
  WHY DO PEOPLE DEPLOY AWS?
  WHAT IS THE PRIMARY COMPLIANCE CONCERN WHEN USING AWS?
  UNDER THE AWS SHARED RESPONSIBILITY MODEL, WHO IS RESPONSIBLE FOR WHAT?
    Administrative Safeguards
    Physical Safeguards
    Technical Safeguards
    Policy & Procedures, Business Associates Agreement
EXECUTIVE SUMMARY
What is Amazon Web Service (AWS)?
AWS is an Infrastructure as a Service (IaaS) partner utilized by some
Healthcare Entities (HCE) and their Business Associates (BA). In other words,
customers lease virtual servers and storage from AWS; customers no longer
need to house and secure servers and data storage on their own premises. In
some cases, it is possible to move nearly 100% of an entity's IT infrastructure
to AWS.
Risk Management
This is addressed in the BAA. The AWS portion will be sufficient for AWS's own
responsibilities only. The HCE or BA bears the overall responsibility.
Physical Safeguards
Facility Security Plan, Access Control
This is addressed in the BAA. The AWS portion will be sufficient for AWS's own
responsibilities only. The HCE or BA bears the overall responsibility.
Maintenance Records
This is addressed in the BAA. The AWS portion will be sufficient. However,
AWS Maintenance Records do not eliminate the need for the HCE to maintain
records of its own maintenance of systems within the AWS environment.
Technical Safeguards
Auditing
As noted earlier, AWS provides the tools only. It is the HCE's or BA's
responsibility to build and implement a compliance auditing program. Be
prepared to utilize third-party tools in this area.
Compliance Governance
AWS customers are required to maintain governance over the entire IT control
environment regardless of how the client's information technology is deployed
in AWS. Customers must understand the required compliance objectives and
requirements, establish a control environment that meets those objectives and
requirements, understand the validation required based on the organization's
risk tolerance, and verify the operating effectiveness of that control
environment.
Strong customer compliance and governance might include the following basic
approach:
1. Understand as much as possible of the entire IT environment, including the
technical aspects of AWS, and document all compliance requirements.
2. Confirm/develop and implement control objectives to meet compliance
requirements.
3. Identify and document controls owned or provided by third parties.
4. Enter into an appropriately detailed Business Associate Agreement (BAA)
with AWS. (Since AWS does not allow revisions to its BAA, you may find
this not to be possible and must choose either Risk Avoidance, by not doing
business with AWS, or Risk Acceptance, by documenting the shortcoming
along with any mitigation efforts and then completing the process with
executive sign-off.)
Infrastructure Management
Moving IT infrastructure to AWS services relieves the HCE or BA of the
operational burden of operating, managing, controlling, and physically securing
hardware servers, storage devices, and the communications between them.
Customers remain responsible for managing the operating system (including
updates and security patches) and the associated application software, as well
as for network design and the configuration of the AWS security group
firewall. Overall responsibilities will vary depending on the services used,
the integration of those services into the IT environment, and applicable laws
and regulations. Customers can enhance security and/or meet their more
stringent compliance requirements by leveraging technology such as
host-based firewalls, host-based intrusion detection/prevention, encryption, and
key management. Again, third-party components may be needed.
IT Controls
The shared responsibility also includes IT controls. The responsibility for
operating the IT environment is shared, as are the management, operation, and
verification of IT controls. AWS relieves the customer's burden of operating
controls by managing those controls associated with the physical infrastructure
deployed in the AWS environment. Every customer is deployed differently in
AWS; customers can take advantage of shifting management of certain IT
controls to AWS, which results in a (new) distributed control environment. AWS
control and compliance documentation (described in the AWS Certifications
and Third-party Attestations) is available for customers to perform their
control evaluation and verification procedures as required. It should be noted
that the customer, not AWS, is responsible for the overall design and
implementation of a reasonable and appropriate controls environment.
From AWS whitepaper: "AWS provides a wide range of information regarding
its IT control environment through white papers, reports, certifications, and
other third-party attestations. This assists customers in understanding the
controls in place relevant to the AWS services they use and how those controls
have been validated. This information also assists customers in their efforts to
account for and to validate that controls in their extended IT environment are
operating effectively."
Note in the paragraph above that AWS assists customers in their extended IT
environment. The ultimate responsibility for ensuring compliance, even within
the AWS environment, is on the customer.
Per the AWS BAA: "You are responsible for implementing appropriate privacy
and security safeguards in order to protect your PHI in compliance with HIPAA
and this Addendum. Without limitation, you will (i) not include protected health
information (as defined in 45 CFR 160.103) in any Services that are not HIPAA
Eligible Services, (ii) utilize the highest level of audit logging in connection with
your use of all HIPAA Eligible Services, and (iii) maintain the maximum
retention of logs in connection with your use of all HIPAA Eligible Services."
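Obligations (ii) and (iii) above can be checked against an account's actual configuration. The following Python is an added example written for this edit, not code from the ecfirst report or from AWS. The trail and log-group records are constructed in the shape of the CloudTrail DescribeTrails and CloudWatch Logs DescribeLogGroups responses, the account id is a placeholder, and reading "highest level of audit logging" as a multi-region trail with global service events, log-file validation and CloudWatch Logs delivery (and "maximum retention" as log groups that never expire) is this example's interpretation of the BAA wording.

```python
"""Added example (not from the ecfirst report or AWS): check an account's
CloudTrail and CloudWatch Logs settings against the BAA's "highest level of
audit logging" and "maximum retention of logs" obligations."""

# Constructed inventory: one trail that meets the bar and one that does not.
# Field names follow CloudTrail DescribeTrails; the account id is a placeholder.
TRAILS = [
    {
        "Name": "org-trail",
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True,
        "CloudWatchLogsLogGroupArn":
            "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail-events:*",
    },
    {
        "Name": "legacy-trail",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": False,
        "LogFileValidationEnabled": False,
    },
]

# Constructed log groups (CloudWatch Logs DescribeLogGroups shape).
# A missing retentionInDays means the group never expires its events.
LOG_GROUPS = [
    {"logGroupName": "cloudtrail-events"},
    {"logGroupName": "app-audit", "retentionInDays": 30},
]

# Trail settings this example treats as required, with the finding text.
REQUIRED_TRAIL_FLAGS = {
    "IsMultiRegionTrail": "does not cover all regions",
    "IncludeGlobalServiceEvents": "omits global service events (IAM, STS)",
    "LogFileValidationEnabled": "has log-file integrity validation disabled",
}


def trail_findings(trail: dict) -> list:
    """Gaps between one trail's settings and 'highest level of audit logging'."""
    findings = []
    for flag, problem in REQUIRED_TRAIL_FLAGS.items():
        if not trail.get(flag, False):
            findings.append(f"trail {trail['Name']} {problem}")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(f"trail {trail['Name']} is not delivered to CloudWatch Logs")
    return findings


def retention_findings(group: dict) -> list:
    """'Maximum retention' is read literally: any expiry at all is a finding."""
    days = group.get("retentionInDays")
    if days is None:
        return []
    return [f"log group {group['logGroupName']} expires after {days} days"]


def assess(trails=TRAILS, groups=LOG_GROUPS) -> dict:
    """Summarise the account: the BAA terms are met only if at least one trail
    is fully configured and no log group discards data."""
    findings = []
    complete_trails = [t["Name"] for t in trails if not trail_findings(t)]
    for t in trails:
        findings.extend(trail_findings(t))
    for g in groups:
        findings.extend(retention_findings(g))
    no_expiry = not any(retention_findings(g) for g in groups)
    return {
        "complete_trails": complete_trails,
        "findings": findings,
        "meets_baa_terms": bool(complete_trails) and no_expiry,
    }


if __name__ == "__main__":
    result = assess()
    print("meets BAA logging terms:", result["meets_baa_terms"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against the constructed data, the account fails on retention alone: org-trail is complete, but the app-audit group discards events after 30 days. In a real account the two lists would be filled from the API responses rather than embedded.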
Encryption
Just as not all data needs the same level of protection, not all AWS data
storage is equal. Two storage facilities are offered: EC2 (Elastic Compute
Cloud) and S3 (Simple Storage Service). The customer must know the
difference. To further complicate matters, the two can be used in combination
with each other. Per the AWS BAA: "You must encrypt all PHI stored in or
transmitted using the Services in accordance with the Secretary of HHS's
Guidance to Render Unsecured Protected Health."
EC2. The same data encryption mechanisms used in in-house computing
environments and operational systems can be used in EC2. The customer has
full root access and administrative control over the virtual server. It is possible
to create an encrypted Elastic Block Store (EBS) volume and attach it to EC2
instances. Data on the volume, disk I/O, and snapshots created from the
volume are all encrypted. The encryption occurs on the servers that host the
EC2 instances, providing encryption for data as it moves between EC2
instances and EBS storage.
A complete firewall solution can be created utilizing EC2's default deny-all
mode, which automatically denies all inbound traffic unless the customer
explicitly opens an EC2 port.
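The default-deny behaviour just described can be modelled in a few lines, which also makes it easy to audit a group for ports left open to the whole Internet. The following Python is an added example written for this edit, not code from the ecfirst report or from AWS; the security group, its rules and the source addresses are constructed, and the audit policy (only port 443 may be open to 0.0.0.0/0) is this example's own choice.

```python
"""Added example (not from the ecfirst report or AWS): a model of EC2
security-group semantics. Inbound traffic is dropped unless an ingress rule
explicitly matches; the audit flags rules exposing ports to the Internet."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IngressRule:
    protocol: str   # "tcp", "udp", "icmp", or "-1" meaning all protocols
    from_port: int  # inclusive port range (ignored when protocol is "-1")
    to_port: int
    cidr: str       # permitted source address range


@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)

    def allows(self, protocol: str, port: int, src_ip: str) -> bool:
        """Default deny: True only when some ingress rule matches protocol,
        destination port and source address all at once."""
        src = ipaddress.ip_address(src_ip)
        for rule in self.ingress:
            proto_ok = rule.protocol in ("-1", protocol)
            port_ok = rule.protocol == "-1" or rule.from_port <= port <= rule.to_port
            net_ok = src in ipaddress.ip_network(rule.cidr, strict=False)
            if proto_ok and port_ok and net_ok:
                return True
        return False  # nothing matched, so the packet is dropped


ANY_ADDRESS = ("0.0.0.0/0", "::/0")


def audit_public_exposure(sg: SecurityGroup, approved_ports=(443,)) -> list:
    """One finding per rule that opens anything beyond the approved ports to
    the whole Internet."""
    findings = []
    for rule in sg.ingress:
        if rule.cidr not in ANY_ADDRESS:
            continue
        if rule.protocol == "-1":
            findings.append(f"{sg.name}: all protocols open to {rule.cidr}")
            continue
        exposed = set(range(rule.from_port, rule.to_port + 1)) - set(approved_ports)
        if exposed:
            findings.append(
                f"{sg.name}: {rule.protocol} ports {sorted(exposed)} open to {rule.cidr}")
    return findings


def example_group() -> SecurityGroup:
    """Constructed group: HTTPS to the world, SSH only from a private range,
    plus a mistaken RDP rule that the audit should catch."""
    return SecurityGroup("web-sg", [
        IngressRule("tcp", 443, 443, "0.0.0.0/0"),
        IngressRule("tcp", 22, 22, "10.0.0.0/8"),
        IngressRule("tcp", 3389, 3389, "0.0.0.0/0"),
    ])


if __name__ == "__main__":
    sg = example_group()
    for proto, port, src in [("tcp", 443, "203.0.113.5"), ("tcp", 22, "203.0.113.5"),
                             ("tcp", 22, "10.1.2.3"), ("udp", 53, "10.1.2.3")]:
        verdict = "ALLOW" if sg.allows(proto, port, src) else "DENY"
        print(f"{proto}/{port} from {src}: {verdict}")
    for finding in audit_public_exposure(sg):
        print("FINDING:", finding)
```

Note that the model has no explicit deny rule at all; everything not listed is refused, which is exactly why a single over-broad rule (here RDP to 0.0.0.0/0) is the thing to look for when reviewing a group.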
S3. You, as the customer, can encrypt data on the client side and upload the
encrypted data to S3. In this case, you manage the encryption process, the
encryption keys, and related tools. Optionally, you can use the server-side
encryption feature, in which S3 encrypts your object data before saving it on
disks in the AWS data centers and decrypts it when you download the objects,
freeing you from the tasks of managing encryption, encryption keys, and
related tools. You can also use your own encryption keys with S3 server-side
encryption. AWS recommends S3 data be encrypted prior to transmission. AWS
Contingency Planning
Disaster recovery is typically one of the more expensive HIPAA requirements to
comply with. It involves maintaining highly available systems, keeping both the
data and system replicated off-site, and enabling continuous access to both
environments.
EC2. From the AWS Whitepaper: "As a virtual server environment,
administrators can start instances very quickly. An elastic IP address (a static
IP address for the cloud computing environment) offers seamless failover from
one machine to another. EC2 offers Availability Zones. Administrators can
launch Amazon EC2 instances in multiple Availability Zones to create
geographically diverse, fault-tolerant systems that are highly resilient in the
event of network failures, natural disasters, and most other probable sources of
downtime."
These are wonderful features; however, realize each feature may have a
separate cost associated with it.
S3. From the AWS Whitepaper: "Data is replicated and automatically stored in
separate data centers to provide reliable data storage with a service level of
99.9% availability and no single points of failure."
Notice that the word was data, not systems, applications, etc. S3 is raw data
storage. You as the customer will have to handle applications on your own.
Auditing
From the AWS Whitepaper: "HIPAA's Security Rule also requires in-depth
auditing capabilities. The services in AWS contain many features that help
customers address these requirements."
Again, Amazon clearly states that it helps customers meet their compliance
requirements. Although AWS continues to tout the Shared Responsibility
Model and gently states where the ultimate responsibility lies, it is clear that
Amazon puts the sole end responsibility for compliance on customers,
which, per compliance standards, is right where that responsibility lies in this
type of arrangement. AWS provides the world-class infrastructure and tools;
the design, implementation, management, and auditing for compliance are solely
the HCE's or BA's responsibility. AWS does provide some guidance in this
respect in its "Auditing Security Checklist for Use of AWS":
Manage IT Assets
Using AWS, there are multiple features available for you to quickly and easily
obtain an accurate inventory of your AWS IT resources.
- AWS CloudHSM
Control IT Costs
Using AWS, there are multiple features available for you to easily and
accurately understand and control your IT resource costs.
- Billing Alarms
- Consolidated billing
Manage IT Security
Using AWS, you can easily and effectively outsource controls related to
physical security of your AWS infrastructure to AWS specialists with the skillsets and resources needed to secure the physical environment. AWS has
multiple different, independent auditors validate the data center physical
security throughout the year, attesting to the design and detailed testing of the
effectiveness of our physical security controls.
Secure IT Resources
AWS provides multiple security features that enable you to easily and
effectively secure your IT resources.
- Amazon VPC
- AWS CloudTrail
Manage IT Performance
Monitor and respond to events
Using AWS, there are multiple monitoring features that enable you to easily
and effectively monitor and manage your IT resources.
- Amazon CloudWatch
Achieve Resiliency
Cloud computings server virtualization enables the quality resiliency programs
to be feasible and cost-effective. Using AWS, there are multiple features that
enable you to easily and effectively achieve resiliency for your IT resources.
- AWS Import/Export
- Multi-region deployment
Healthcare businesses subject to HIPAA can utilize the secure, scalable,
low-cost IT infrastructure provided by Amazon Web Services (AWS) as part of
building HIPAA compliant applications.
Amazon Elastic Compute Cloud (Amazon EC2) provides resizable compute
capacity in the cloud.
Amazon Simple Storage Service (Amazon S3) provides a virtually unlimited
cloud-based data object store.
Methodology
Security Controls: Encrypting Data in the Cloud
Encryption and Decryption (A) - 164.312(a)(2)(iv)
Encryption (A) 164.312(e)(2)(ii)
Amazon EC2 provides the customer with full root access and
administrative control over virtual servers.
Using AWS, customers' system administrators can utilize token- or key-based
authentication to access their virtual servers. Amazon EC2 creates a 2048-bit
RSA key pair, with private and public keys and a unique identifier for each
key pair, to help facilitate secure access. Administrators also can utilize a
command-line shell interface, Secure Shell (SSH) keys, or sudo to enable
additional security and privilege escalation.
Amazon S3 can be accessed via Secure Socket Layer (SSL)-encrypted
endpoints over the Internet and from within Amazon EC2. This ensures that
PHI and other sensitive data remain highly secure.
In Amazon S3, the system administrator maintains full control over who
has access to the data at all times and the default setting only permits
authenticated access to the creator. Read, write and delete
permissions are controlled by an Access Control List (ACL) associated
with each object.
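The two S3 obligations discussed on this page, that PHI must be encrypted at rest (client-side, server-side, or server-side with customer keys, from the Encryption section) and that object ACLs must not grant access beyond the intended principals (the paragraph above), can be checked together over an object inventory. The following Python is an added example written for this edit, not code from the ecfirst report or from AWS. The inventory is constructed; the "head" records mimic fields returned by S3 HeadObject and the "grants" records mimic GetObjectAcl. Because client-side encryption is invisible to S3, the CLIENT_ENCRYPTION_MARKER user-metadata key is a convention assumed for this example, not an AWS feature, and treating any grant to a public S3 group as a finding is the example's own rule.

```python
"""Added example (not from the ecfirst report or AWS): object-level S3 audit
for encryption at rest and for ACL grants to public groups."""

# S3's predefined public groups and how to describe them in a finding.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
CLIENT_ENCRYPTION_MARKER = "client-encryption"   # assumed metadata convention
OWNER_ID = "constructed-owner-canonical-id"      # placeholder canonical user id
OWNER_ONLY = [{"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
               "Permission": "FULL_CONTROL"}]

# Constructed inventory covering the three encryption options and one failure.
OBJECTS = [
    {"key": "phi/records-01.csv", "head": {"ServerSideEncryption": "AES256"},
     "grants": OWNER_ONLY},                                  # SSE-S3
    {"key": "phi/records-02.csv", "head": {"SSECustomerAlgorithm": "AES256"},
     "grants": OWNER_ONLY},                                  # SSE-C, customer key
    {"key": "phi/export.bin",
     "head": {"Metadata": {CLIENT_ENCRYPTION_MARKER: "aes-256-gcm"}},
     "grants": OWNER_ONLY},                                  # encrypted before upload
    {"key": "exports/report.csv", "head": {},
     "grants": OWNER_ONLY + [{"Grantee": {"Type": "Group",
                               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                              "Permission": "READ"}]},       # plaintext and public
]


def encryption_status(head: dict) -> str:
    """Classify how an object is protected at rest:
    'sse', 'sse-c', 'client-side' or 'none'."""
    if head.get("ServerSideEncryption") in ("AES256", "aws:kms"):
        return "sse"
    if head.get("SSECustomerAlgorithm"):
        return "sse-c"
    if head.get("Metadata", {}).get(CLIENT_ENCRYPTION_MARKER):
        return "client-side"
    return "none"


def acl_findings(key: str, grants: list) -> list:
    """One finding per grant to a public S3 group, whatever the permission."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(
                f"{key}: {grant['Permission']} granted to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def audit(objects=OBJECTS) -> dict:
    """Map each non-compliant key to its findings; compliant keys are omitted."""
    report = {}
    for obj in objects:
        findings = acl_findings(obj["key"], obj["grants"])
        if encryption_status(obj["head"]) == "none":
            findings.append(f"{obj['key']}: stored without encryption")
        if findings:
            report[obj["key"]] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit().items():
        for finding in findings:
            print("FINDING:", finding)
```

Only the last object is reported: it is both unencrypted and readable by AllUsers, while the other three satisfy the encryption requirement by different means and grant nothing beyond the owner.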
Using Amazon EC2, customers can run activity log files and audits
down to the packet layer on their virtual servers. They also can track
any IP traffic that reaches their virtual server instance.
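Having packet-level activity logs on the instance is only useful if someone reads them. The following Python is an added example written for this edit, not code from the ecfirst report or from AWS. It assumes the instance records inbound packets with an iptables LOG rule whose prefix is "IPT-IN:" (an assumed setup), parses those syslog lines, and reports sources that touched several distinct ports or any port the host is not meant to serve; the log excerpt is constructed and simplified.

```python
"""Added example (not from the ecfirst report or AWS): summarise iptables LOG
lines from an instance's syslog and flag scan-like or unexpected inbound traffic."""
import re
from collections import defaultdict

# Constructed syslog excerpt in the iptables LOG key=value style; the last
# line is an unrelated sshd entry that the parser must ignore.
SAMPLE_LOG = """\
Mar  3 10:01:12 web-1 kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.1.4 PROTO=TCP SPT=51000 DPT=443 SYN
Mar  3 10:01:13 web-1 kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.1.4 PROTO=TCP SPT=51001 DPT=443 SYN
Mar  3 10:02:01 web-1 kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.1.4 PROTO=TCP SPT=40000 DPT=22 SYN
Mar  3 10:02:01 web-1 kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.1.4 PROTO=TCP SPT=40001 DPT=23 SYN
Mar  3 10:02:02 web-1 kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.1.4 PROTO=TCP SPT=40002 DPT=445 SYN
Mar  3 10:02:02 web-1 kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.1.4 PROTO=TCP SPT=40003 DPT=3389 SYN
Mar  3 10:03:00 web-1 sshd[1234]: Accepted publickey for ec2-user from 10.0.0.9 port 50022 ssh2
"""

LOG_PREFIX = "IPT-IN:"                    # assumed --log-prefix on the LOG rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")     # KEY=value tokens; empty values allowed


def parse_line(line: str):
    """Return the key=value fields of one firewall log line, or None for
    any other syslog line."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]))
    return fields if "SRC" in fields else None


def summarize(log_text: str) -> dict:
    """Per source address: packet count and the set of destination ports hit."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        entry = per_src[fields["SRC"]]
        entry["packets"] += 1
        if fields.get("DPT"):
            entry["ports"].add(int(fields["DPT"]))
    return dict(per_src)


def review(summary: dict, min_distinct_ports: int = 3, served_ports=(443,)) -> dict:
    """Two detections: sources touching many distinct ports (scan-like) and
    sources reaching ports the host does not serve."""
    served = set(served_ports)
    probing = {src: sorted(e["ports"]) for src, e in summary.items()
               if len(e["ports"]) >= min_distinct_ports}
    unexpected = {src: sorted(e["ports"] - served) for src, e in summary.items()
                  if e["ports"] - served}
    return {"port_probing": probing, "unexpected_ports": unexpected}


if __name__ == "__main__":
    result = review(summarize(SAMPLE_LOG))
    for src, ports in result["port_probing"].items():
        print(f"{src} probed {len(ports)} distinct ports: {ports}")
    for src, ports in result["unexpected_ports"].items():
        print(f"{src} reached unserved ports: {ports}")
```

The served-port list should mirror what the security group actually opens; any source that reaches a port outside it is either a firewall gap or evidence that the group and the host disagree, and both deserve a ticket.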
Network Security
The AWS network has been architected to permit customers to select the level
of security and resiliency appropriate for their workload. To enable customers
to build geographically dispersed, fault-tolerant web architectures with cloud
resources, AWS has implemented a world-class network infrastructure that is
carefully monitored and managed.
Secure Network Architecture
Protection from Malicious Software (A) 164.308(a)(5)(ii)(B)
Access Control 164.312(a)(1)
Network devices, including firewall and other boundary devices, are in place to
monitor and control communications at the external boundary of the network
and at key internal boundaries within the network. These boundary devices
employ rule sets, access control lists (ACL), and configurations to enforce the
flow of information to specific information system services.
ACLs, or traffic flow policies, are established on each managed interface, which
manage and enforce the flow of traffic. ACL policies are approved by Amazon
Information Security. These policies are automatically pushed using AWS's
ACL-Manage tool, to help ensure these managed interfaces enforce the most
up-to-date ACLs.
Secure Access Points
Access Control 164.312(a)(1)
AWS has strategically placed a limited number of access points to the cloud to
allow for a more comprehensive monitoring of inbound and outbound
communications and network traffic. These customer access points are called
API endpoints, and they allow secure HTTP access (HTTPS), which allows
customers to establish a secure communication session with their storage or
compute instances within AWS. To support customers with FIPS 140-2
requirements, the Amazon Virtual Private Cloud VPN endpoints and
SSL-terminating load balancers in AWS GovCloud (US) operate using FIPS 140-2
level 2-validated hardware.
In addition, AWS has implemented network devices that are dedicated to
managing interfacing communications with Internet service providers (ISPs).
AWS employs a redundant connection to more than one communication
service at each Internet-facing edge of the AWS network. These connections
each have dedicated network devices.
Transmission Protection
Transmission Security 164.312(e)(1)
Customers can connect to an AWS access point via HTTP or HTTPS using
Secure Sockets Layer (SSL), a cryptographic protocol that is designed to
protect against eavesdropping, tampering, and message forgery.
For customers who require additional layers of network security, AWS offers
the Amazon Virtual Private Cloud (VPC), which provides a private subnet within
the AWS cloud, and the ability to use an IPsec Virtual Private Network (VPN)
device to provide an encrypted tunnel between the Amazon VPC and data
center.
Amazon Corporate Segregation
Access Control 164.312(a)(1)
Logically, the AWS Production network is segregated from the Amazon
Corporate network by means of a complex set of network security / segregation
devices. AWS developers and administrators on the corporate network who
need to access AWS cloud components in order to maintain them must
explicitly request access through the AWS ticketing system. All requests are
reviewed and approved by the applicable service owner.
Approved AWS personnel then connect to the AWS network through a bastion
host that restricts access to network devices and other cloud components,
logging all activity for security review. Access to bastion hosts requires SSH
public-key authentication for all user accounts on the host.
Fault-Tolerant Design
Contingency Plan 164.308(a)(7)
Amazon's infrastructure has a high level of availability and provides customers
with the capability to deploy a resilient IT architecture. AWS has designed its
systems to tolerate system or hardware failures with minimal customer impact.
Network Monitoring and Protection
Information System Activity Review (R) 164.308(a)(1)(ii)(D)
AWS utilizes a wide variety of automated monitoring systems to provide a high
level of service performance and availability. AWS monitoring tools are
designed to detect unusual or unauthorized activities and conditions at ingress
and egress communication points. These tools monitor server and network
2014 All Rights Reserved | ecfirst
AWS Access
Access Control 164.312(a)(1)
The AWS Production network is segregated from the Amazon Corporate
network and requires a separate set of credentials for logical access. The
Amazon Corporate network relies on user IDs, passwords, and Kerberos, while
the AWS Production network requires SSH public-key authentication through a
bastion host.
AWS developers and administrators on the Amazon Corporate network who
need to access AWS cloud components must explicitly request access through
the AWS access management system. All requests are reviewed and approved
by the appropriate owner or manager.
BIBLIOGRAPHY
Note: The information in the white papers below, even those recently
completed, may no longer be accurate. Changes to the AWS environment are
constant; some as recent as 30 days before the publication of this report are
included above. Also, Amazon has chosen not to reveal publicly certain
information, such as its BAA template.
Corporate Office
295 NE Venture Drive
Waukee, IA 50263
Toll Free: 877.899.9974 x17
Phone: 515.987.4044 x17
Fax: 515.978.2323
www.ecfirst.com