

Knowledge is power with AWS compliance

Amazon Web Services has made strides to meet compliance regulations. Developers still need to build compliant apps to meet the cloud provider halfway.

Public cloud can make some things easier, but developers can hit snags when building compliant applications. Unless IT teams know the specific compliance requirements and how to properly leverage AWS, they can run into trouble.

Regulated industries such as healthcare providers, for example, need to build Amazon Web Services (AWS) applications to withstand breaches and meet compliance regulations. And while compliance probably wasn't the first order of business for AWS or for its early adopters, the company has made strides to make it easier to meet compliance regulations in its public cloud.

In fact, compliance with the Health Insurance Portability and Accountability Act (HIPAA) is not hard to achieve with AWS, according to Stephanie Tayengco, senior vice president of operations for New York-based Logicworks, an AWS Premier Consulting Partner and managed service partner. "AWS provides infrastructure that's capable of being HIPAA-compliant, but using it makes you neither secure nor compliant," notes Tayengco. As health IT systems grow more complex and span on-premises technologies with AWS clouds, it's no longer enough to simply institute strong security policies and meet compliance regulations at the outset. But AWS can help.

"You need to re-evaluate as you evolve," Tayengco added. "Once you have security measures you've designed to enforce policies, cloud automation helps guarantee that they are maintained throughout the lifecycle of the infrastructure."

In contrast, when healthcare companies rely on manual work to maintain security, the possibility of manual error compounds the risk an attacker already poses.

In addition, HIPAA was supplemented by the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, and now includes more complex requirements to protect protected health information. In the cloud context, the most critical feature of these regulations is the requirement that the cloud provider -- like any other entity in the healthcare system -- be party to a Business Associate Agreement (BAA).

HIPAA rules mandate this, so there is a legal agreement by the business associates to appropriately safeguard protected health information. AWS has a standard business associate agreement that it regularly uses with organizations that must conform to HIPAA requirements.

"A number of services are covered by a BAA with AWS, but you are still responsible for configuring and using them in a way that is secure and meets compliance requirements," Tayengco said. For example, the customer is still responsible for encrypting file systems and data in transit; they also must ensure logs are stored properly.
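The shared-responsibility point above (encryption at rest, encryption in transit, proper log storage) is exactly the kind of check that the "cloud automation" Tayengco describes would run continuously rather than once at launch. The following script is an added example, not code from the article, Logicworks or AWS: it evaluates a constructed resource inventory against those three controls entirely offline. The AWS CLI commands named in the comments exist; the resource identifiers, bucket names, log group names and the six-year retention threshold are assumptions made for the example.

```python
"""Compliance-posture check over a constructed AWS resource inventory.

Added example, not code from the article or from Logicworks/AWS. It assumes
the inventory was already exported (for instance with the AWS CLI commands
`aws ec2 describe-volumes`, `aws s3api get-bucket-encryption`,
`aws s3api get-bucket-policy` and `aws logs describe-log-groups`) and runs
entirely offline against the constructed records below, whose shapes mirror
those responses but whose identifiers are placeholders.
"""

# Minimum log retention, in days, enforced by this example. HIPAA requires
# documentation to be retained for six years; the exact figure is an
# assumption chosen for the example, not a value taken from the article.
MIN_LOG_RETENTION_DAYS = 6 * 365

# Constructed sample inventory: one compliant and one non-compliant resource
# of each type. Identifiers and ARNs are placeholders, not real resources.
INVENTORY = {
    "Volumes": [
        {"VolumeId": "vol-0example1", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/placeholder"},
        {"VolumeId": "vol-0example2", "Encrypted": False},
    ],
    "Buckets": [
        {
            "Name": "phi-archive-example",
            "ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
            "Policy": {"Statement": [{
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": "arn:aws:s3:::phi-archive-example/*",
                "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
        },
        {"Name": "scratch-example",
         "ServerSideEncryptionConfiguration": None, "Policy": None},
    ],
    "LogGroups": [
        {"logGroupName": "/aws/cloudtrail/example", "retentionInDays": 2557,
         "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/placeholder"},
        {"logGroupName": "/app/debug-example", "retentionInDays": 30},
    ],
}


def check_volume(volume):
    """Encryption at rest: the customer's job even when EBS is BAA-covered."""
    findings = []
    if not volume.get("Encrypted"):
        findings.append("volume is not encrypted at rest")
    return findings


def _denies_insecure_transport(statement):
    """True if a bucket-policy statement denies requests made without TLS."""
    if statement.get("Effect") != "Deny":
        return False
    flag = statement.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return str(flag).lower() == "false"


def check_bucket(bucket):
    """Encryption at rest (default SSE) and in transit (TLS-only policy)."""
    findings = []
    sse = bucket.get("ServerSideEncryptionConfiguration")
    if not sse or not sse.get("Rules"):
        findings.append("no default server-side encryption configured")
    statements = (bucket.get("Policy") or {}).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear unwrapped
        statements = [statements]
    if not any(_denies_insecure_transport(s) for s in statements):
        findings.append("bucket policy does not deny non-TLS access")
    return findings


def check_log_group(group, min_retention_days=MIN_LOG_RETENTION_DAYS):
    """Logs stored properly: long enough retention, encrypted with a KMS key."""
    findings = []
    retention = group.get("retentionInDays")
    # A missing retentionInDays means CloudWatch Logs keeps the data
    # indefinitely, which satisfies a minimum; only a short explicit value fails.
    if retention is not None and retention < min_retention_days:
        findings.append(
            f"retention {retention} days is below the {min_retention_days}-day minimum")
    if not group.get("kmsKeyId"):
        findings.append("log group is not encrypted with a customer-managed KMS key")
    return findings


def evaluate(inventory):
    """Return {resource_id: [finding, ...]} for resources with at least one finding."""
    results = {}
    for v in inventory.get("Volumes", []):
        if (f := check_volume(v)):
            results[v["VolumeId"]] = f
    for b in inventory.get("Buckets", []):
        if (f := check_bucket(b)):
            results[b["Name"]] = f
    for g in inventory.get("LogGroups", []):
        if (f := check_log_group(g)):
            results[g["logGroupName"]] = f
    return results


if __name__ == "__main__":
    for resource_id, findings in evaluate(INVENTORY).items():
        for finding in findings:
            print(f"{resource_id}: {finding}")
```

Run periodically (or from a pipeline step that re-exports the inventory), the same checks turn a one-time launch review into the lifecycle guarantee the quote describes; any resource that appears in the output has drifted from the configured policy.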

AWS compliance has taken recent steps forward, making its data center facilities ISO 27018 compliant, which "establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII)," according to the standards body.

Conforming to the code demonstrates that a company has a system of controls in place specifically to address the privacy protection of its content. In addition, the provider states that the data protection inherent in the code covers all data, whether or not it qualifies as PII.

The cloud provider also announced AWS GoldBase at re:Invent 2015 last week in Las Vegas; GoldBase aims to help customers create secure and compliant workloads. According to the company, GoldBase will facilitate secure deployment across a range of compliance regimes, including not only HIPAA, but also Federal Information Security Management Act, Payment Card Industry, Criminal Justice Information Services and Federal Financial Institutions Examination Council.

For now, however, AWS customers can rely on the company's commitment to the Federal Risk and Authorization Management Program (FedRAMP), a four-year-old federal initiative that provides a standardized approach to security assessment, authorization and monitoring for agencies to use with cloud products and services, said Luis Benavides, CEO of Day1 Solutions in McLean, Va., an AWS reseller.

FedRAMP has been so successful and widely used that it has become a de facto industry standard, referenced far beyond the federal government. All of these factors take AWS compliance a step forward, he added.
