PDA Presentation - MBodo
Uploaded by matthew-bodo

Shortcuts & Roadblocks Encountered on the Path to Protecting Your Data in the Cloud
Simplify, Unify, Optimize: Life Science Compliance for Regulated Systems
Amazon Web Services: IaaS for Life Sciences

Agenda
• “One Slide” intro to Amazon Web Services
• AWS Security, Certifications, and Compliance
• Responsibility Models
• Roadblock #1 – Qualify the Cloud!
• Shortcut #1 – Qualify the Cloud!
• Roadblock #2 – Lock down the Cloud!
• Shortcut #2 – Lock down the Cloud!
• Data Integrity Concerns
• Conclusion

AWS Explained in a Slide …
Non-Technical Explanation
Amazon EC2
AWS Storage Gateway
Amazon S3
Amazon Glacier
Amazon RDS
Amazon Redshift
Amazon DynamoDB
AWS Direct Connect
Amazon VPC
AWS IAM
AWS IoT
Amazon Kinesis
Technobabble Nonsense
Technical Explanation

AWS Security, Certifications, and Compliance
Certifications / Attestations: DoD SRG; FedRAMP; FIPS; IRAP; ISO 9001; ISO 27001; ISO 27017; ISO 27018; MLPS Level 3; MTCS; PCI DSS Level 1; SEC Rule 17-a-4(f); SOC 1; SOC 2; SOC 3
Laws, Regulations, and Privacy: CS Mark [Japan]; DNB [Netherlands]; EAR; EU Model Clauses; FERPA; GLBA; HIPAA; HITECH; IRS 1075; ITAR; My Number Act [Japan]; U.K. DPA - 1988; VPAT / Section 508; EU Data Protection Directive; Privacy Act [Australia]; Privacy Act [New Zealand]; PDPA - 2010 [Malaysia]; PDPA – 2012 [Singapore]
Alignments / Frameworks: CJIS; CLIA; CMS EDGE; CMSR; CSA; FDA; FedRAMP TIC; FISC; FISMA; G-Cloud; GxP (FDA CFR 21 Part 11); IT Grundschutz; MITA 3.0; MPAA; NERC; NIST; PHR; UK Cyber Essentials
Adapted from https://aws.amazon.com/compliance/
These attest to AWS's side of the shared responsibility model only; the customer's own configuration and use of the services still has to be qualified separately.

Responsibility Models
Customer: responsible for security “in” the Cloud
• Your Data
• Platform, Applications, I&AM
• Operating Systems, Network & Firewall Configuration
• Server-side Encryption (File System and/or Data)
• Client-side Data Encryption & Data Integrity Authentication
• Network Traffic Protection (Encryption/Integrity/Identity)
AWS: responsible for security “of” the Cloud
• Compute, Storage, Networking, Database
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Adapted from https://aws.amazon.com/compliance/shared-responsibility-model/

Roadblock #1 – Qualify the Cloud!
• Scenario: Shared Responsibility Model not understood
• Efforts to qualify low-level infrastructure ensue
• Policies incongruent with the service model are pushed
• Cycles wasted trying to absorb AWS’s declared responsibilities

Shortcut #1 – Qualify the Cloud!
• Scenario: Shared Responsibility Model is integrated into IT
• Policies are updated to allow distributed management
• Controls in place to govern Cloud assets
• Definitions updated to allow for new CIs (configuration items)
• Maintain & manage the state of control
Manage as independent assets
Business as usual

Roadblock #2 – Lock down the Cloud!
• Enact strict “no trust/deny all” security policy on Cloud assets
• Cloud assets are isolated from traditional/on-prem assets
• Islands of data pile up
• User identity (UID) across those islands poses an issue/threat

Shortcut #2 – Lock down the Cloud!
• For private/internal assets
• Protect/preserve via VPC
• Use security zones or subnets within the VPC
• Lock down & audit assets per normal methods (business as usual)
Diagram: a virtual private cloud with two VPC subnets, PROD LIMS and DEV LIMS, reached from the corporate network (users) over a VPN connection and AWS Direct Connect.

Data Integrity Concerns
• Be nimble, like Jack… but remember:
• POCs can unexpectedly gain momentum
• Fragmentation is likely to occur
• Integrate IAM early, review & audit often
• Consider corporate directory integration mandatory
• Strategies for data at rest
Services: AWS IAM, AWS CloudTrail, AWS Directory Service
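“Review & audit often” and “directory integration mandatory” become concrete when CloudTrail is read for the identity problems those bullets are about: root usage, console logins without MFA, local IAM users that bypass the corporate directory, and changes to IAM itself. The script below is an added example, not the presenter's code: `SAMPLE_LOG` is a constructed log in CloudTrail's `{"Records": [...]}` layout carrying only the fields the checks read, and the account ID, ARNs, user names, role name and timestamps are made up.

```python
"""Flag identity-hygiene problems in a CloudTrail log file.

Added example for this page; not the presenter's code. SAMPLE_LOG is a
constructed log in CloudTrail's {"Records": [...]} layout with the fields the
checks read; the account ID, ARNs, user names and timestamps are made up.
"""
import json

# IAM API calls that change the identity configuration (prefix match on eventName).
MUTATING_PREFIXES = ("Create", "Delete", "Put", "Attach", "Detach", "Update", "Add", "Remove", "Set")

SAMPLE_LOG = json.dumps({"Records": [
    {   # Local IAM user logs into the console without MFA.
        "eventVersion": "1.05", "eventTime": "2016-03-01T09:12:44Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "lims-admin",
                         "arn": "arn:aws:iam::111122223333:user/lims-admin"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "203.0.113.7"},
    {   # Root credentials used interactively.
        "eventVersion": "1.05", "eventTime": "2016-03-01T10:03:10Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "203.0.113.7"},
    {   # Federated corporate user (SAML role session) changes an IAM policy attachment.
        "eventVersion": "1.05", "eventTime": "2016-03-01T11:20:05Z",
        "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
        "userIdentity": {"type": "AssumedRole",
                         "principalId": "AROAEXAMPLEID:jdoe@corp.example",
                         "arn": "arn:aws:sts::111122223333:assumed-role/CorpIamAdmins/jdoe@corp.example",
                         "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "CorpIamAdmins"}}},
        "requestParameters": {"userName": "svc-lims",
                              "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"},
        "sourceIPAddress": "192.168.10.20"},
    {   # Local service user mints itself a new long-lived access key.
        "eventVersion": "1.05", "eventTime": "2016-03-01T11:45:59Z",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "svc-lims",
                         "arn": "arn:aws:iam::111122223333:user/svc-lims"},
        "requestParameters": {"userName": "svc-lims"}, "sourceIPAddress": "10.20.1.15"},
]})


def audit_records(records):
    """Return (eventTime, actor, reason) findings; one record can produce several."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("principalId") or ident.get("type", "?")
        name = rec.get("eventName", "")
        when = rec.get("eventTime", "")
        if ident.get("type") == "Root":
            findings.append((when, actor, "root credentials used"))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append((when, actor, "console login without MFA"))
        if ident.get("type") == "IAMUser":
            # Any action by a local IAM user happened outside the corporate directory.
            findings.append((when, actor, "local IAM user, not federated through the corporate directory"))
        if rec.get("eventSource") == "iam.amazonaws.com" and name.startswith(MUTATING_PREFIXES):
            findings.append((when, actor, f"IAM configuration change: {name}"))
    return findings


def audit_log(text):
    """Parse a CloudTrail log file (as delivered to S3, minus gzip) and audit its records."""
    return audit_records(json.loads(text)["Records"])


if __name__ == "__main__":
    for when, actor, reason in audit_log(SAMPLE_LOG):
        print(f"{when} {actor}: {reason}")
```

The federated session in the third record is reported only as an IAM change, which is the review item; the local users in the first and last records are reported on every action, because under the “directory integration mandatory” rule their existence is itself the finding.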

Conclusion
• If your house is not in good order today:
  • It will be even worse in the cloud!
• Assess compliance gaps, perceived or real, before moving to the Cloud
  • Implement bridges to the gaps; be Cloud-aware when doing so
• Treat AWS as an extension of your corporate datacenter
  • It will be infinitely easier to manage
• Management of Cloud assets should be the same as on-prem
  • Except when it isn’t! Plan specifically for Cloud management