Many of our clients have a need to run workloads that need to be compliant with industry regulations. One of the most common of these is HIPAA compliance. Because the HIPAA guidelines are not prescriptive, and because there is not an industry certification for HIPAA compliance, many of our clients have chosen to get these workloads HITRUST certified. It is commonly accepted that HITRUST ication is a superset of the technical controls that HIPAA requires. Although it is a significant amount of work, these controls are generally best practice from a security perspective, which we should all be following anyway.
One of our current clients, a global pharmaceutical company, has many workloads that will likely fall under HIPAA, and would benefit from running in a HITRUST certified environment. The target environment for these workloads is AWS. We assisted our customer in designing and building a secure HITRUST certified platform to run these workloads in a compliant manner on AWS. Among many of the requirements was ensuring that the systems OS’ are hardened. These servers will be running on EC2, Amazon’s elastic compute service.
We assisted our customer in building an AMI bakery, which automated the process of building the AMIs (Amazon Machine Images) that would be used by all of the product teams. This allowed us to bake in all of the security tools to the AMI’s and also allowed us to integrate scanning into the pipeline. In order to implement scanning, we used Ansible to ensure that the CIS benchmarks are met on each AMI before it can be shared out to the product team AWS accounts.
If you are interested in the details of how to do that, check out our blog post series here. If you’d like more details on this entire concept that we call, “Shifting Security to the Left”, read more here.
The result of the project? The security team is confident that the workloads running on AWS EC2 across the company are hardened and secure. The product teams can develop and release quickly without requiring the effort and expertise to ensure that their base AMIs are hardened and secure. Velocity increases, without compromising security.