Pete Stein

Can the cloud conform to your institution's information security policies? Yes!

Many universities and research organizations have internal information security policies that are stricter than even what HIPAA calls for. Within the last few years, major cloud providers have embraced security standards, and now offer services that can satisfy requirements that go beyond HIPAA.

Health researchers and software engineers are by now well versed in the requirements of HIPAA and HITECH, which set the rules for securing protected health information (PHI). Often, though, a research application will fall under even more stringent institutional requirements: tighter access controls, infrastructure security, and auditing. University researchers may wonder, “Can I run my research web application server in the cloud without violating my institution’s security policy?” With hosting services increasingly focused on security compliance, the answer is almost certainly “Yes.”

At Little Green Software, we frequently work with research universities to produce security-sensitive applications that are both HIPAA-compliant and compatible with each school’s internal information security policy. Let’s take a look at some typical “extra” requirements, and how they match up with major cloud providers – Amazon Web Services (AWS) and Microsoft Azure – to see that the Cloud is a viable option for hosting.

HIPAA Compliance

First, are AWS and Azure HIPAA-compliant? Amazon makes it very clear at its “HIPAA Compliance” website that it is. AWS subscribes to the HITRUST framework, which certifies compliance with HIPAA/HITECH and other health-related requirements. For HIPAA specifically, Amazon notes:

“There is no HIPAA certification for a cloud provider such as AWS. In order to meet the HIPAA requirements applicable to our operating model, AWS aligns our HIPAA risk management program with FedRAMP and NIST 800-53, a higher security standard that maps to the HIPAA security rule. NIST supports this alignment and has issued SP 800-66, “An Introductory Resource Guide for Implementing the HIPAA Security Rule,” which documents how NIST 800-53 aligns to the HIPAA Security rule.”

https://aws.amazon.com/compliance/hipaa-compliance

Azure likewise has well-documented HIPAA compliance explained on its HIPAA website.

AWS and Azure make a special point of explicitly supporting HIPAA’s requirement of a signed “business associate agreement” (BAA), which a covered entity must have in place before a vendor handles PHI on its behalf. Both providers offer a BAA which spells out legal expectations and responsibilities. Note that the BAA covers only the services each provider designates as HIPAA-eligible, and configuring those services correctly (encryption, access control, logging) remains the customer’s responsibility under the shared responsibility model.

Beyond HIPAA/HITECH: Institutional Requirements

Cloud hosting might raise a red flag with a research institution’s IT department, even if HIPAA compliance is assured, because of concerns about other strict controls: who has access to data, how hosting might impact the institution’s infrastructure, and what level of control the institution can maintain over its digital assets when the hardware is controlled by a third party.

Since AWS and Azure aim for compliance not only with HIPAA, but also with various ISO standards, as well as regulations for governments (e.g. the United States and China), both services offer a wide spectrum of security services that should satisfy security checklists for research institution IT managers:

Access and monitoring
  • Control of physical and electronic access to sensitive information and resources
    Automated and in-person security mechanisms for physical and remote access to cloud resources. Physical access controls provided by professional security staff (who require two-factor authentication before entering a data center), along with video surveillance, automatic fire detection/suppression, power redundancy and climate control.

  • Intrusion prevention / 24/7 monitoring
    24/7 automated physical and network security monitoring, and personnel on-call to respond to incidents.

  • Emergency access
    24/7 access to support engineers with < 1 hour response time for “urgent” issues. Enterprise support available for < 15 minute response time for “critical” issues.

Data security
  • Full disk encryption (for data at rest)
    AWS: Amazon EBS supports full volume encryption using keys managed in AWS KMS; encryption covers the volume, its snapshots, and data moving between the instance and the volume.

    Azure: Azure Disk Encryption is available for Windows (BitLocker) and Linux (dm-crypt) virtual machines.

  • Strict data deletion policy
    AWS: Amazon EBS volumes are wiped before allocation, and specific data deletion methods (e.g. from DoD or NIST standards) are available.

    Azure: Deletion is compliant with NIST 800-88.

  • Data and application services are physically/logically isolated
    AWS: For the most strict isolation policies, an Amazon EC2 instance can run on dedicated physical hardware to ensure that data and processing are isolated at the lowest level. (Amazon EC2 Dedicated Instances)

    Azure: System and network environments are isolated from each other physically and by a variety of technical controls (network segmentation, firewalls, packet filtering, etc.)

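The disk encryption controls above are only as good as the verification that every volume actually has them turned on. The following is an added example, not code from the original page or from either provider: a Python audit that walks an EC2 DescribeVolumes-shaped response and reports volumes whose data at rest is unencrypted, ranking those tagged as holding PHI highest. The sample response, the volume and instance IDs, the KMS key ARN and the "DataClass" tag are all constructed for the example so that it runs offline; against a real account you would obtain the same structure from boto3's ec2.describe_volumes() and follow "NextToken" for further pages.

```python
"""Audit EBS volumes for encryption at rest.

Added example (not from the original page). Works on a dict shaped like the
EC2 DescribeVolumes response; the sample below is constructed inline so the
script runs without AWS credentials.
"""
from __future__ import annotations

from typing import Optional

# Constructed sample modelled on the DescribeVolumes response shape.
# IDs, ARN and tag names are illustrative, not real resources.
SAMPLE_DESCRIBE_VOLUMES = {
    "Volumes": [
        {
            "VolumeId": "vol-0a1example",
            "Encrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:123456789012:key/example-key",
            "State": "in-use",
            "Attachments": [{"InstanceId": "i-0dbexample", "Device": "/dev/xvda"}],
            "Tags": [{"Key": "DataClass", "Value": "PHI"}],
        },
        {
            "VolumeId": "vol-0b2example",
            "Encrypted": False,
            "State": "in-use",
            "Attachments": [{"InstanceId": "i-0dbexample", "Device": "/dev/xvdf"}],
            "Tags": [{"Key": "DataClass", "Value": "PHI"}],
        },
        {
            "VolumeId": "vol-0c3example",
            "Encrypted": False,
            "State": "available",
            "Attachments": [],
            "Tags": [],
        },
    ]
}


def tag_value(volume: dict, key: str) -> Optional[str]:
    """Return the value of tag `key` on a volume, or None if absent."""
    for tag in volume.get("Tags", []):
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


def find_unencrypted_volumes(response: dict) -> list[dict]:
    """Return one finding per volume whose data at rest is not encrypted.

    A volume tagged DataClass=PHI is rated "high"; any other unencrypted
    volume is rated "medium" because its contents are unknown.
    """
    findings = []
    for vol in response.get("Volumes", []):
        if vol.get("Encrypted", False):
            continue  # encrypted at rest; nothing to report
        data_class = tag_value(vol, "DataClass")
        findings.append(
            {
                "volume_id": vol["VolumeId"],
                "state": vol.get("State"),
                "instances": [a["InstanceId"] for a in vol.get("Attachments", [])],
                "data_class": data_class,
                "severity": "high" if data_class == "PHI" else "medium",
            }
        )
    # Highest severity first so the PHI volumes lead the report.
    findings.sort(key=lambda f: 0 if f["severity"] == "high" else 1)
    return findings


def report(findings: list[dict]) -> str:
    """Render findings as one line per volume for a ticket or log."""
    if not findings:
        return "All volumes encrypted at rest."
    lines = []
    for f in findings:
        attached = ", ".join(f["instances"]) or "unattached"
        lines.append(
            f"[{f['severity'].upper()}] {f['volume_id']} ({f['state']}, {attached}) "
            f"is NOT encrypted; DataClass={f['data_class'] or 'untagged'}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_unencrypted_volumes(SAMPLE_DESCRIBE_VOLUMES)))
```

Two practical notes on remediation. An existing EBS volume cannot be encrypted in place; the fix is to snapshot it, copy the snapshot with encryption enabled, create a new volume from the encrypted copy and swap it in. The preventive control is `aws ec2 enable-ebs-encryption-by-default` (set per region), after which the quick check `aws ec2 describe-volumes --filters Name=encrypted,Values=false` should come back empty. On the Azure side, `az vm encryption show` reports the Azure Disk Encryption status of a VM's OS and data disks.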
Network security
  • Internet filtering/hardware firewall
    AWS and Azure feature firewalls and other “boundary” security controls to cover network infrastructure security.

Whitepapers: AWS, Azure



Cloud support checklist for (typical) institutional security policies


Requirement                                               | AWS                                              | Azure
----------------------------------------------------------+--------------------------------------------------+---------------------------------------
3rd-party information security/vulnerability assessments  | AWS-SOC                                          | AZURE-SOC; SSAE-16/AT-801
Business associate agreement                              | Yes                                              | Yes
Data center can be visited/audited                        | ?[1]                                             | ?[1]
Data encryption at rest                                   | Yes                                              | Yes
Electronic security                                       | AWS-SWP; ISO 27017:2015                          | CCM IVS-01 to IVS-13
Employee access audits and automatic credential termination | AWS-SWP                                        | CCM IAM-01 to IAM-13
Environmental protection                                  | AWS-SWP                                          | CCM BCR-01 to BCR-11
Full disk encryption                                      | Available with EBS                               | Azure Disk Encryption
HIPAA/HITECH                                              | [2]                                              | [3]
Incident management                                       | ISO 27017:2015                                   | CCM SEF-01 to SEF-05
Intrusion prevention/automatic detection and log review   | AWS-SWP                                          | CCM IVS-01 to IVS-13
Least privilege access controls                           | AWS-SWP                                          | CCM IAM-01 to IAM-13; CCM IVS-01 to IVS-13
Password complexity and enforcement                       | AWS-SWP                                          | CCM IAM-01 to IAM-13
Physical/logical isolation                                | XEN virtual isolation, isolated virtualized disks | CCM IVS-01 to IVS-13
Physical security                                         | AWS-SWP; ISO 27017:2015                          | CCM DCS-01 to DCS-09
Responds to security vulnerability alerts                 | AWS-SWP                                          | CCM SEF-01 to SEF-05
Risk management program                                   | AWS-SWP                                          | CCM GRM-01 to GRM-11
Secure data destruction                                   | ISO 27018:2014 [5]                               | CCM BCR-11.15

Key: AWS-SWP refers to the AWS security whitepaper linked above; AWS-SOC and AZURE-SOC are the providers’ SOC audit reports; CCM entries name control domains in the Cloud Security Alliance Cloud Controls Matrix (IVS: infrastructure and virtualization security, IAM: identity and access management, BCR: business continuity and resilience, SEF: security incident management, DCS: datacenter security, GRM: governance and risk management).


[1] Doubtful, although AWS and Azure are accredited by numerous organizations and standards, and those accreditations are backed by physical audits.
[2] https://aws.amazon.com/compliance/hipaa-compliance/
[3] https://www.microsoft.com/en-us/TrustCenter/Compliance/HIPAA
[4] EBS wiped before allocation, specific DoD/NIST method can be selected



Caveats

While cloud hosting provides a number of immediate advantages in terms of standard security features and performance, not all benefits are automatic or cheap:

  • Depending on the specific requirements of a particular institution, cloud hosting may not cover every security concern directly out of the box. For some projects, it might be necessary to employ additional layers of encryption (e.g. row-level database encryption, full-disk encryption, or end-to-end encryption), or to adopt specific manual routines for ensuring that data is destroyed according to a named standard.
  • Other requirements may result in the need for a more expensive hosting or support package, which an institution would need to factor into its cost-benefit analysis.
  • Private institutions may also be hesitant to relinquish direct control over IT infrastructure when it comes to security and reliability, but in-house hosting may struggle to compete with large professional hosts like Amazon and Microsoft when it comes to cost and performance.

Compliance Verdict

Both AWS and Azure meet all of the typical “extras” for institutional information security checklists. Cloud hosting also makes a strong case for outperforming in-house services when it comes to the breadth of security controls and enterprise-level support–resources that may be out of reach for institutions with smaller IT departments.

The ultimate decision to choose cloud hosting will rest on a number of project-specific factors (e.g. cost, support response time, physical access). Those considerations aside, major cloud providers have demonstrated (through compliance reports and accreditations) that they can meet or exceed the kinds of information security and infrastructure requirements a private institution’s policy typically imposes.