
Amazon EC2 is a virtual compute service that provides secure, robust, and scalable compute environments in the cloud.  ClearDATA's Automated Safeguards for Amazon EC2 ensure that EC2 instances are deployed in adherence to all ClearDATA policies and procedures.  This includes automated security controls as well as compliance monitoring via the ClearDATA Compliance Dashboard.


Responsibility Assignment Matrices

R = Responsible, A = Accountable, C = Consulted, I = Informed.

Standard Operations

  Activity                 ClearDATA   Customer
  Provisioning *           I, C        R, A
  Application Support      I, C        R, A
  SQL Server Support       I, C        R, A
  EBS Storage Encryption   R, A        I, C

* ClearDATA Support can provision EC2 instances upon request when provided with the required information.  Please contact ClearDATA Support if you would like assistance provisioning an EC2 instance.

Healthcare Compliance Controls

  Control                            ClearDATA   AWS        Customer
  Data backup                        R, A        -          I
  Hardening                          R, A        -          I
  IAM restrictions                   I, C        -          R, A
  Intrusion detection & prevention   R, A        -          I
  Log backup                         R, A        -          I
  Log monitoring                     I, C        -          R, A
  Network accessibility              I, C        -          R, A
  Network encryption                 I           -          R, A
  Physical security                  I           R, A [2]   I
  Storage encryption                 I           R, A [1]   I
  System patching                    R, A        -          C
  Virus scanning                     R, A        -          I
  Vulnerability scanning             R, A        -          I

ClearDATA Standard Operations

EBS Storage Encryption

ClearDATA enforces encryption of all Amazon EBS (Elastic Block Storage) volumes at the account level and through IAM policy, thereby ensuring that all EBS volumes that are provisioned are encrypted in order to satisfy encryption at rest requirements.
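The following is an added example, not ClearDATA's own tooling, showing the two halves of the control described above as code: an audit that finds any EBS volume whose Encrypted flag is not set, run over constructed records in the shape of an EC2 DescribeVolumes response, and the IAM deny statement that blocks creation of unencrypted volumes. The volume IDs, instance ID, account number and KMS key ARN are constructed sample values; ec2:Encrypted is the documented EC2 condition key for volume resources.

```python
"""Audit EBS volumes for encryption at rest and build the IAM deny
statement that refuses to create unencrypted volumes.

Added example; not ClearDATA's code. Sample data below is constructed."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of a DescribeVolumes response:
# two encrypted volumes and one unencrypted data volume.
SAMPLE_VOLUMES: List[Dict] = [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvda"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0123456789abcdef0", "Device": "/dev/xvdf"}]},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
     "Attachments": []},
]


def find_unencrypted_volumes(volumes: List[Dict]) -> List[Tuple[str, Optional[str]]]:
    """Return (volume_id, attached_instance_id_or_None) for every volume whose
    Encrypted flag is not exactly True. A missing flag counts as unencrypted:
    the check fails closed instead of assuming compliance."""
    findings = []
    for vol in volumes:
        if vol.get("Encrypted") is not True:
            attachments = vol.get("Attachments") or []
            instance = attachments[0]["InstanceId"] if attachments else None
            findings.append((vol["VolumeId"], instance))
    return findings


def deny_unencrypted_volume_policy() -> Dict:
    """IAM policy with one Deny statement: CreateVolume, and RunInstances for
    the volume resources it creates, are refused when ec2:Encrypted is false.
    A Deny wins over any Allow, so it holds even for broad EC2 permissions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnencryptedEbsVolumes",
            "Effect": "Deny",
            "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
            "Resource": "arn:aws:ec2:*:*:volume/*",
            "Condition": {"Bool": {"ec2:Encrypted": "false"}},
        }],
    }


if __name__ == "__main__":
    for volume_id, instance in find_unencrypted_volumes(SAMPLE_VOLUMES):
        print(f"UNENCRYPTED {volume_id} attached to {instance}")
    print(json.dumps(deny_unencrypted_volume_policy(), indent=2))
```

The policy covers the IAM layer; the account-level layer is the EBS "encryption by default" setting (aws ec2 enable-ebs-encryption-by-default), which makes new volumes encrypted even when the caller never asks for it. Running both means a forgotten flag is corrected by the default and a deliberate request for an unencrypted volume is refused.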

VPC Design

ClearDATA has created a standard VPC design that allows for all applications to be deployed across multiple Availability Zones and also across a combination of public and private networks. 


[Figure: ClearDATA VPC Design]

Availability Zones

ClearDATA deploys customer VPCs with subnets in three Availability Zones where available. Certain regions may have two Availability Zones, and in those cases the VPC will deploy subnets in two Availability Zones. This design allows for workloads that require a quorum configuration, such as Consul or MongoDB, to remain resilient in the event of an Availability Zone failure. Customers can utilize both small and large VPC footprints without worrying about recreating or migrating to a new VPC.

Subnets

ClearDATA creates two subnets per Availability Zone, one public and one private, for a total of six available subnets (or four when there are only two AZs available in the region). Customers can take advantage of any of these subnets as required.

Public Subnet Guidelines

ClearDATA uses AWS Security Groups to manage network layer data ingress and egress, and it is ClearDATA's policy that no unsecured port is allowed to be open to a server that will host or process PHI/PII. All ingress ports must be open via an encrypted channel, such as HTTPS, over an encrypted IPSEC site-to-site tunnel, or an SSL based VPN. This ensures that all traffic entering or exiting the VPC enters on an encrypted channel.  Additionally, it is ClearDATA's policy and recommendation that publicly accessible servers, including servers in a private subnet behind a load balancer, should not host any PHI/PII locally. PHI/PII can be transmitted to the server and reside locally for a short time before being moved to a non-publicly accessible server. ClearDATA recommends that data reside locally on the publicly accessible server for no more than one hour. ClearDATA can provide guidance to the customer in the event this configuration is not easily available for their application.

Ingress Rules

Ingress from the internet, and from public subnets to private subnets, will be limited by Security Groups. When possible, IP whitelisting will be leveraged to maximize security. See Automated Safeguards for Security Groups for details.

Egress Rules

Egress to the internet will depend on the workload. ClearDATA does not require egress controls for outbound traffic management. Further egress controls, such as Layer 4 or Layer 7 proxy firewalls, can be implemented at the customer's discretion. Customers may be responsible for any technologies that manage Layer 4 or Layer 7 egress.  Please contact ClearDATA with any questions regarding egress traffic management.

VPC Network Communication

ClearDATA and AWS require that all sensitive data that is transmitted utilize encryption while in motion. ClearDATA is responsible for ensuring that all PHI is encrypted at the entry and exit point to the VPC, as well as encrypted at rest at all times. ClearDATA is also responsible for encryption in motion for intra-VPC network traffic between cluster nodes that are part of the Automated Safeguards for ECS, as well as in certain scenarios related to Automated Safeguards for RDS.  Please click the respective links for more information.

It is the responsibility of the customer to ensure their application is configured for encryption during the PHI/PII data flow lifecycle within the VPC. It is recommended that the customer use industry standard transport encryption mechanisms, such as TLS, at the application layer to ensure secure communication throughout the PHI/PII data flow. For example, PHI/PII should be uploaded into the environment via a secure protocol and transmitted from one component of the application stack to its final at-rest location via secure protocols. The majority of applications and services available can take advantage of some form of TLS or encryption.

Virtual Private Network Support

Site-to-site VPN

Customers have the option of using a site-to-site VPN to provide secure connectivity from a site, such as a data center or a corporate office, to the VPC. ClearDATA will manage the setup of a site-to-site VPN from the customer environment in AWS to a managed networking device.  Your ClearDATA Solution Architect can provide details and assistance with VPN strategy.
[Figure: Site-to-Site VPN Architecture]

SSL VPNs

ClearDATA can provide individual SSL VPN accounts and Multi-Factor Authentication for secure access to your environment.  Your ClearDATA Solution Architect can provide details and assistance with VPN strategy.


[Figure: SSL VPN Architecture]

Customer Standard Operations Guidelines

EC2 Instance Provisioning

Amazon Machine Images

ClearDATA provides AMIs that are hardened against CIS Level 1 Benchmarks for the appropriate Operating System.  Customers are allowed to deploy images from these hardened AMIs.  ClearDATA provides hardened AMIs to our customers from our shared account.  Shared AMIs can be viewed from the AWS Console by selecting "Private images" from the drop-down on the AMIs page. AMIs will show up with source account starting with 2980.

Provisioning an EC2 Instance

EC2 Instances can be provisioned through various methods including the AWS Management Console, AWS CLI, and Infrastructure-as-code tools such as CloudFormation and Terraform.  See Getting Started with EC2 for directions on how to provision an EC2 Instance. 

Tagging

The following tags are put in place by ClearDATA during the creation of an instance for our customers. As alteration or removal of these tags may negatively affect the management of your environment, ClearDATA uses an IAM policy to deny customers the ability to modify any tags that start with "cleardata". Customers can tag resources in accordance with their own tagging strategy, subject to the restriction above.

Asset Name

When cataloging machines, it is often valuable to have a name associated with the "idea" of a machine. Instance IDs come and go, but a name can give a logical label to a VM. At ClearDATA, we use the concept of an asset-id to identify machines, and customers will see the tag cleardata:asset-id applied to their instances. Customers who want to give us an easy name to track an instance can apply a Name tag with any value they wish. If no Name tag is supplied, ClearDATA will use the instance-id as the default.
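As an added example (not ClearDATA's policy text or tooling), the block below models the tagging rules from the two sections above: the IAM Deny statement that protects every tag key beginning with "cleardata", a small evaluator that applies the same rule to a tag request so the reader can see that one protected key fails the whole request, and the Name fallback to the instance-id. The instance record, instance ID and asset-id value are constructed; the evaluator is a simplified model of how the statement's condition behaves, not IAM's own engine.

```python
"""Model of the tag-protection rule: tag keys starting with "cleardata" are
managed by ClearDATA and cannot be created, changed or deleted by customers.

Added example; simplified model, not IAM itself. Sample data is constructed."""
from typing import Dict, Iterable, Tuple

PROTECTED_PREFIX = "cleardata"

# Constructed instance record: ClearDATA's asset-id tag is present, no Name yet.
SAMPLE_INSTANCE: Dict = {
    "InstanceId": "i-0123456789abcdef0",
    "Tags": {"cleardata:asset-id": "asset-example-0001"},
}


def tag_deny_policy() -> Dict:
    """IAM Deny for CreateTags (which also overwrites existing values) and
    DeleteTags when any key in the request matches the protected prefix.
    ForAnyValue:StringLike on aws:TagKeys means one matching key is enough."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyChangesToClearDataTags",
            "Effect": "Deny",
            "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringLike": {"aws:TagKeys": [PROTECTED_PREFIX + "*"]}
            },
        }],
    }


def is_tag_request_allowed(requested_keys: Iterable[str]) -> bool:
    """Mirror the policy: the whole request is denied if any key is protected."""
    return not any(key.startswith(PROTECTED_PREFIX) for key in requested_keys)


def apply_tags(instance: Dict, new_tags: Dict[str, str]) -> Tuple[bool, Dict[str, str]]:
    """Apply customer tags to an instance record.

    Returns (allowed, resulting_tags). On a denied request the tags are
    returned unchanged, as the API call itself would have failed."""
    if not is_tag_request_allowed(new_tags):
        return False, dict(instance["Tags"])
    merged = dict(instance["Tags"])
    merged.update(new_tags)
    return True, merged


def display_name(instance: Dict) -> str:
    """The customer's Name tag when present, otherwise the instance-id."""
    return instance["Tags"].get("Name") or instance["InstanceId"]


if __name__ == "__main__":
    print("default name:", display_name(SAMPLE_INSTANCE))
    ok, tags = apply_tags(SAMPLE_INSTANCE, {"Name": "web-01", "Environment": "prod"})
    print("customer tags allowed:", ok, tags)
    ok, tags = apply_tags(SAMPLE_INSTANCE, {"Environment": "prod", "cleardata:asset-id": "x"})
    print("mixed request allowed:", ok, tags)
```

Note the mixed request: because the condition is evaluated against all keys in the call, adding a permitted Environment tag in the same request as a protected key is refused in full. Customers who script tagging should therefore keep their own keys in separate CreateTags calls from anything ClearDATA manages.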

Application Installation & Support

ClearDATA is not responsible for installation or management of any application components.  This includes services that may be a part of the Operating System service packages such as IIS for Windows or nginx for Linux, and any database software.  Customers are responsible for ensuring the application and services they require are properly installed, maintained, and updated to ensure ongoing availability and compliance.

SQL Server on EC2

ClearDATA provides EC2 AMIs (Amazon Machine Images) that come with Microsoft SQL Server installed, including SQL Server licensing, which gives you the ability to run SQL Server in the cloud just as you do on premises, with 100% compatibility.  The installation is provided as-is, and ClearDATA does not provide any configuration or support for the Microsoft SQL Server software.  ClearDATA will ensure that the Operating System security patches are installed on a regular basis, and customers should ensure that all appropriate SQL Server patches are also applied on a regular basis.  In addition, customers are responsible for ensuring the integrity of the database backups.  See the Data Backup Safeguard section for details.  For details about Microsoft SQL Server on EC2 please contact your ClearDATA representative.

ClearDATA Healthcare Compliance Controls

Data Backup

ClearDATA provides managed backups for all machines in a customer's AWS environment. This helps comply with HIPAA CFR §164.308(a)(7)(ii)(A) and §164.312(c)(1). Backups are configured as snapshots of an entire volume, taken as a point-in-time image of the volume. Customers are responsible for ensuring their application or data is static at the time of the backup, typically through an application level backup to a dedicated volume.

Safeguards

Automated Safeguards are used to ensure that all EBS volumes that are attached to an EC2 instance are backed up on a regular basis.  Backup status reporting is available in the Compliance Dashboard.

Hardening

To meet strict security standards, ClearDATA maintains a set of hardened Amazon Machine Images (AMI) that are available for use in customer environments. In order to maintain our security and compliance posture, only ClearDATA-approved AMIs are allowed for deployment. Hardening is based on a combination of the National Institute of Standards and Technology (NIST) standards and the Center for Internet Security (CIS) Benchmarks and includes a combination of operating system and network configuration changes. 

Supported Images

ClearDATA provides compute images that cover a wide range of Linux and Windows based Operating Systems. Please contact ClearDATA Support or your account team for a full list of images.

Image Hardening

ClearDATA utilizes industry-accepted best practices for hardening standards and improving security. Our hardening guidelines provide a straightforward blueprint for implementing core security protocols on a subset of operating systems we currently support. More information on our hardening process is available upon request. 

Image Updates

ClearDATA uses a robust automation pipeline to patch, build, and test new images on a nightly basis.  Images that meet the high standards of our testing requirements are made available to our customers, with a new image of each supported OS being available every 30 days at most.  See Amazon Machine Images for details.

IAM Restrictions

Access to manage EC2 Instances is controlled by AWS Identity & Access Management (IAM). ClearDATA provides IAM groups that can administer functions of EC2 instances, including groups to allow for separation of duties such as a server administrator having the rights to manage the servers and a network administrator having the rights to manage the Security Groups.  See Automated Safeguards for IAM - Group & User Self Service for details.

Intrusion Detection & Prevention

ClearDATA provides a managed host-based intrusion detection agent on all EC2 instances.

Safeguards

ClearDATA will provide an intrusion detection system (IDS) for each managed customer asset. The IDS will detect possible security incidents that would put at risk the security of ePHI on the asset. Intrusion Detection status reporting is available in the Compliance Dashboard.

Log Collection & Backup

ClearDATA enables AWS CloudTrail in all customer accounts, ensuring that every API call (meaning any action taken by API, CLI, or management console) is logged. The logs are available for review and download from the ClearDATA Portal. By tracking all API actions, an audit trail of all configurations is created, enabling version control at the environment level and the usage of version-controlled automation templates. 

ClearDATA deploys the AWS CloudWatch Logs agent on each EC2 instance via automation and configures the agent to collect the Operating System security logs. Recent logs are available in the CloudWatch console, while retained logs are available in the ClearDATA Customer Portal.

System Patching

ClearDATA offers a patching solution that will deploy all Operating System security updates.

Safeguards

System patching is reviewed by ClearDATA to ensure systems are updated at least monthly. Patches are applied via Azure Automation and patching schedules are manually configured through collaboration with ClearDATA.

Virus Scanning

ClearDATA manages anti-virus protection via anti-virus software installed with each instance. Anti-virus signatures are regularly updated and applied to customer instances as they become available. The anti-virus system reports abnormalities to ClearDATA, which will first notify the customer, and then begin managing the remediation to eliminate the virus or issue. This supports compliance with §164.308(a)(5)(ii)(B).

Safeguards

ClearDATA will provide a managed anti-virus/anti-malware agent for each managed customer asset. The agent will detect possible virus or malware that would put at risk the security of ePHI on the asset. Anti-virus/anti-malware status reporting is available in the Compliance Dashboard. 

Vulnerability Scanning

ClearDATA provides a baseline of quarterly vulnerability scanning covering both infrastructure and application functions to help comply with §164.308(a)(1)(ii)(A).  For more information about vulnerability scanning please contact ClearDATA Support.

Safeguards

All managed assets will be scanned by the ClearDATA vulnerability assessment tooling and reviewed with customers upon request.

Customer Healthcare Compliance Guidelines

IAM Restrictions

Access to manage EC2 Instances is controlled by AWS Identity & Access Management (IAM). ClearDATA provides IAM groups that can administer functions of EC2 instances, including groups to allow for separation of duties such as a server administrator having the rights to manage the servers and a network administrator having the rights to manage the Security Groups. See Automated Safeguards for IAM - Group & User Self Service for details.

Log Monitoring

This resource's logs are integrated with Amazon CloudWatch. Amazon CloudWatch is a monitoring and management service built for developers, system operators, site reliability engineers (SRE), and IT managers. CloudWatch provides you with data and actionable insights to monitor your applications, understand and respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications and services that run on AWS. You can get an introduction to the Amazon CloudWatch Logs service and inspect its features at Getting Started with Amazon CloudWatch Logs.

Create a Log Query


Run a Sample Query

To run a CloudWatch Logs Insights sample query

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
  2. In the navigation pane, choose Insights.
  3. Near the top of the screen is the query editor. When you first open CloudWatch Logs Insights, this box contains a default query that returns the 20 most recent log events.
  4. Select a log group to query, above the query editor.
  5. When you select a log group, CloudWatch Logs Insights automatically detects fields in the data in the log group and displays them in Discovered fields in the right pane. It also displays a bar graph of log events in this log group over time. This bar graph shows the distribution of events in the log group that match your query and time range, not just the events displayed in the table.
  6. Choose Run query.
  7. The results of the query appear. In this example, the results are the most recent 20 log events of any type.
  8. To see all fields of one of the returned log events, choose the arrow to the left of that log event.

Add a Filter Command to the Sample Query

This tutorial shows how to make a more powerful change to the query in the query editor. In this tutorial, you filter the results of the previous query based on a field in the retrieved log events.

If you have not already run the previous tutorials, do that now. This tutorial starts where that previous tutorial ends.

To add a filter command to the previous query

  1. Decide on a field to filter. To see the fields contained in a particular log event, choose the arrow to the left of that row. The Discovered fields area shows the most common fields that CloudWatch Logs has detected in the log events received by this log group in the past 15 minutes, and the percentage of those log events in which each field appears. If you do not see Discovered fields, choose the left arrow near the top right of the screen to open the right-side panel.

    The awsRegion field may appear in your log event, depending on what events are in your logs. For the rest of this tutorial, you use awsRegion as the filter field, but you can use a different field if that field is not available.

  2. In the query editor box, place your cursor after 20 and press Enter.

  3. On the new line, first type | (the pipe character) and a space. Commands in a CloudWatch Logs Insights query must be separated by the pipe character.

  4. Type filter awsRegion="us-east-1".

  5. Choose Run query.

    The query runs again, and now displays the 50 most recent results that match the new filter.

    If you filtered on a different field and got an error result, you may need to escape the field name. If the field name includes non-alphanumeric characters, you must put back-tick characters (`) before and after the field name. For example, `error-code`="102".

    Using the ` characters is necessary for field names containing non-alphanumeric characters, but not for values. Values are always contained in double quote marks (").

CloudWatch Logs Insights includes powerful query abilities, including several commands and support for regular expressions, mathematical, and statistical operations. For more information, see CloudWatch Logs Insights Query Syntax.
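To make the query syntax from the two tutorials above concrete without needing console access, the block below is an added example (not part of this page or of the CloudWatch product) that implements a deliberately small evaluator for the commands the tutorials use: fields, sort, limit and filter, including the back-tick escaping rule for field names containing non-alphanumeric characters. It runs the default query and the filtered query over a handful of constructed CloudTrail-style events. Two simplifications are assumed: commands are applied strictly in the order written, and filter supports only the field="value" form shown in the tutorial; the real service accepts far more.

```python
"""Minimal evaluator for the CloudWatch Logs Insights commands used in the
tutorial: fields | sort | limit | filter field="value".

Added example; not the CloudWatch service and not ClearDATA's code.
Events below are constructed in the shape of CloudTrail records."""
import json
import re
from typing import Any, Dict, List

# Constructed sample events. @timestamp and @message are the two fields
# Insights always provides; the rest are CloudTrail-style discovered fields.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"@timestamp": "2024-01-15T10:00:01Z", "awsRegion": "us-east-1", "eventName": "RunInstances"},
    {"@timestamp": "2024-01-15T10:00:05Z", "awsRegion": "us-west-2", "eventName": "DescribeInstances"},
    {"@timestamp": "2024-01-15T10:00:09Z", "awsRegion": "us-east-1", "eventName": "CreateTags",
     "error-code": "102"},
    {"@timestamp": "2024-01-15T10:00:12Z", "awsRegion": "us-east-1",
     "eventName": "AuthorizeSecurityGroupIngress"},
    {"@timestamp": "2024-01-15T10:00:20Z", "awsRegion": "eu-west-1", "eventName": "StopInstances"},
]
for _event in SAMPLE_EVENTS:
    _event["@message"] = json.dumps(_event, sort_keys=True)

# The default query the console shows, and the tutorial's filtered version.
DEFAULT_QUERY = "fields @timestamp, @message | sort @timestamp desc | limit 20"
TUTORIAL_QUERY = DEFAULT_QUERY + '\n| filter awsRegion="us-east-1"'

# Field name is either `back-ticked` (any characters) or a plain identifier;
# the value is always double-quoted, as the tutorial states.
FILTER_RE = re.compile(r'^filter\s+(`[^`]+`|[@\w.]+)\s*=\s*"([^"]*)"$')


def run_query(query: str, events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply each pipe-separated command in order and return the result rows.

    Raises ValueError for an unsupported command or a filter whose field name
    needed back-ticks but did not have them, mirroring the console's error."""
    rows = [dict(e) for e in events]
    fields: List[str] = []
    for raw in query.split("|"):
        cmd = raw.strip()
        if not cmd:
            continue
        name, _, args = cmd.partition(" ")
        if name == "fields":
            fields = [f.strip() for f in args.split(",") if f.strip()]
        elif name == "sort":
            field, _, order = args.strip().partition(" ")
            rows.sort(key=lambda r: r.get(field, ""), reverse=order.strip().lower() == "desc")
        elif name == "limit":
            rows = rows[: int(args.strip())]
        elif name == "filter":
            match = FILTER_RE.match(cmd)
            if match is None:
                raise ValueError(f"unsupported filter syntax (escape the field name?): {cmd}")
            field, value = match.group(1).strip("`"), match.group(2)
            rows = [r for r in rows if r.get(field) == value]
        else:
            raise ValueError(f"unsupported command: {name}")
    if fields:  # project to the selected fields last so filters can use any field
        rows = [{f: r.get(f) for f in fields} for r in rows]
    return rows


if __name__ == "__main__":
    for row in run_query(TUTORIAL_QUERY, SAMPLE_EVENTS):
        print(row["@timestamp"], row["@message"])
    print(run_query('fields eventName | filter `error-code`="102"', SAMPLE_EVENTS))
```

The second usage line shows the escaping rule: error-code contains a hyphen, so it must be written as `error-code`; the same filter without back-ticks raises the evaluator's ValueError, which is the situation the tutorial's "error result" note describes.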

For more details please see the Amazon CloudWatch Documentation

CloudWatch User Guide

CloudWatch Events User Guide

CloudWatch Logs User Guide

Network Accessibility

The network accessibility control is managed by EC2 Security Groups.  A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Customers are able to create new security groups that use any RFC1918 space (10.0.0.0/8, 172.16.0.0/12, & 192.168.0.0/16) as the rule source.  If customers wish to use a routable IP address in a Security Group rule they must request an exception (see below).  In order for ClearDATA to allow the rule, our Information Security team will review all exception requests against our policies and procedures and make a determination.  

Users must be added to the appropriate IAM Group in order to create and modify Security Groups. See Automated Safeguards for Security Groups for details on how to create and manage Security Group rules to properly control network accessibility.

Safeguards

ClearDATA provides a system of enforcement that ensures only approved security group rules are available for use, helping organizations ensure that the firewall rules used in their environment adhere to their required policies and procedures.
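As an added example that is not ClearDATA's enforcement system, the block below applies the rules stated in the Network Accessibility section (and the Public Subnet and Ingress guidelines earlier on this page) to a set of constructed security group ingress rules: a rule whose source lies entirely within RFC1918 space is allowed, a rule with a routable source is marked as needing an exception request, and a rule that opens a cleartext service port is rejected outright. The simplified rule shape (one CidrIp per rule covering IPv4 and IPv6) and the set of ports treated as unencrypted services are assumptions of this example.

```python
"""Pre-check security group ingress rules against the RFC1918-only policy.

Added example; not ClearDATA's enforcement. Rule records are constructed
in a simplified IpPermissions-like shape."""
import ipaddress
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed set of well-known cleartext service ports for this example;
# the page's policy is that no unsecured port may be opened to a PHI host.
CLEARTEXT_PORTS = {21, 23, 80}

ALLOWED = "allowed"
EXCEPTION = "exception required: routable source"
REJECTED = "rejected: unencrypted service port"

# Constructed sample rules (simplified: CidrIp holds either an IPv4 or IPv6 source).
SAMPLE_RULES: List[Dict] = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/16"},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "203.0.113.0/24"},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "172.16.5.0/24"},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "192.168.0.0/15"},
    {"IpProtocol": "-1", "CidrIp": "::/0"},
]


def source_is_private(cidr: str) -> bool:
    """True only if the whole source block sits inside one RFC1918 range.

    A block that merely overlaps (e.g. 192.168.0.0/15) is not private, and
    IPv6 sources are never RFC1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False
    return any(net.subnet_of(block) for block in RFC1918)


def opens_cleartext_port(rule: Dict) -> bool:
    """True if the rule's port range includes any assumed cleartext port.
    IpProtocol "-1" means all traffic, which always does."""
    if rule.get("IpProtocol") == "-1":
        return True
    low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(low <= port <= high for port in CLEARTEXT_PORTS)


def review_ingress_rules(rules: List[Dict]) -> List[Dict]:
    """Attach a verdict to each rule: rejected, exception required, or allowed."""
    reviewed = []
    for rule in rules:
        if opens_cleartext_port(rule):
            verdict = REJECTED
        elif not source_is_private(rule["CidrIp"]):
            verdict = EXCEPTION
        else:
            verdict = ALLOWED
        reviewed.append({**rule, "verdict": verdict})
    return reviewed


if __name__ == "__main__":
    for r in review_ingress_rules(SAMPLE_RULES):
        print(f"{r['IpProtocol']:>4} {r.get('FromPort', 'all')!s:>5} from {r['CidrIp']:<16} -> {r['verdict']}")
```

The check is deliberately conservative: 192.168.0.0/15 is flagged even though half of it is private space, because subnet_of requires the entire block to be contained, which is the same question a reviewer asks before approving an exception.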

Network Encryption

ClearDATA and AWS require that all sensitive data that is transmitted utilize encryption while in motion. ClearDATA is responsible for ensuring that all PHI is encrypted at the entry and exit point to the VPC, as well as encrypted at rest at all times. ClearDATA is also responsible for encryption in motion for intra-VPC network traffic between cluster nodes that are part of the Automated Safeguards for ECS. It is the responsibility of the customer to ensure their application is configured for encryption during the PHI/PII data flow lifecycle within the VPC. It is recommended that the customer use industry standard transport encryption mechanisms, such as TLS, at the application layer to ensure secure communication throughout the PHI/PII data flow. For example, PHI/PII should be uploaded into the environment via a secure protocol and transmitted from one component of the application stack to its final at-rest location via secure protocols. The majority of applications and services available can take advantage of some form of TLS or encryption.

References

  1. Amazon EBS Encryption
  2. AWS Data Center Controls
