Architecting for HIPAA Compliance on AWS


Details
Agenda Overview:
18:00 – 18:15 Gathering
18:15 – 18:45 Ran Rothschild, Senior Account Manager at CloudZone - Achieving HIPAA compliance on AWS:
Cloud-based HIPAA compliance can be achieved by building and maintaining internal procedures and processes, designing IT environments in a correct and uncompromising manner, and keeping up to date regarding any regulation changes/updates. No one should think that achieving compliance is easy; however, it should not be regarded as boiling the ocean. In this lecture I will review the barriers companies are facing when seeking HIPAA compliance and suggest methods in which to overcome them.
18:45 – 19:30 Marius Aharonovich, Cloud Security Architect at ClickSoftware:
ClickSoftware Cloud Service is a SaaS deployed in AWS that is storing and processing personal information of the SaaS customers and also of their end-customers. The Cloud Service is also HIPAA compliant and ISO 27001 certified, and implements security and privacy controls and practices which enable it to deal also with ePHI. The cloud service uses AWS and third-party solutions in order to cope with HIPAA challenges. The presentation will detail the path to achieving a HIPAA-compliant SaaS.
19:30 – 20:00 Moshe Ferber, Chairman of CSA Israel Chapter & Nir Valtman, Security Architect at NCR - Cloudefigo: From zero to secure in one minute:
Cloud instance lifecycles are changing fast and force us to improve the way we secure those IaaS instances. Nowadays we can find servers that are installed, launched, process data and terminate - all within a range of minutes. This new accelerated lifecycle makes traditional security processes such as periodic patches, vulnerability scanning, hardening, and forensics impossible. In this accelerated lifecycle, there are no maintenance windows for patches or ability to mitigate vulnerabilities, so the security infrastructure must adapt to new methods. In this new thinking, we require automation of instance security configuration, hardening, monitoring, and termination. Because there are no maintenance windows, servers must be patched before they boot up, security configuration and hardening procedures should be integrated with server installation, and vulnerability scanning and mitigation processes should be automatic. In this presentation, we announce a new open source tool called "Cloudefigo" and explain how it enables an accelerated security lifecycle. We demonstrate how to launch a pre-configured, already patched instance into an encrypted storage environment automatically while evaluating its security and mitigating vulnerabilities automatically if any are found. In the live demo, we leverage Amazon Web Services EC2 Cloud-Init scripts and object storage for provisioning automated security configuration and integrating encryption, including secure encryption key repositories for secure server communication. The result of those techniques is cloud servers that are resilient, automatically configured, and have a reduced attack surface.