Our good friends over at Dash helped us out with this article. You can read more about Dash down below, but if you’re looking at SOC2, HIPAA, or HITRUST compliance for your AWS environment, they make it really easy. You should definitely check them out: https://dashsdk.com.
Cloud Security Program Basics
With more organizations building applications and workloads in Amazon Web Services (AWS) and the public cloud, cloud security has become increasingly important. Organizations operating in regulated industries such as healthcare and finance must meet stringent regulatory requirements and cybersecurity standards such as HIPAA, PCI DSS and SOC 2.
Most public cloud providers, including AWS, operate under a cloud shared responsibility model, meaning that security responsibilities are split between the cloud provider and the cloud customer. The cloud provider (AWS) is responsible for security of the cloud: the physical facilities (locked server cabinets, data center access for its employees), the hardware, the hypervisor, and the network backbone that the managed services run on. The cloud customer is responsible for security in the cloud: how each service is configured, including IAM users and roles, security groups and network ACLs, whether data at rest and in transit is encrypted and with which keys, patching of guest operating systems, and backups. It is also up to the customer to write and follow the administrative policies and procedures that the relevant compliance standard requires. AWS's certifications cover its half of this split only; a misconfigured S3 bucket or an over-privileged IAM role is the customer's finding, not AWS's.
Architecting for Cloud Compliance
While AWS does provide security certifications and attestations that can jumpstart an organization’s compliance efforts, it is up to the security team to build and enforce effective security controls to meet security and regulatory compliance standards. Organizations should build a cloud security program with the following components.
ADMINISTRATIVE POLICIES
Security teams must develop administrative policies and procedures that fit their organization and technologies. Policies should outline topics including security roles, risk assessment, employee training, and disaster recovery (DR). Policies should be written for the organization’s reality rather than written aspirationally. That is to say, first document the reality of your security practice, then work on improving that reality.
CLOUD SECURITY CONTROLS
Organizations must implement security controls in areas such as backup and disaster recovery, audit logging, encryption, network firewalling, and access control. While AWS provides many security and configuration options, most of them are opt-in: it is up to your team to ensure that the proper settings (for example, encryption at rest, logging, and restrictive access policies) are enabled for each individual cloud service you use, and to verify that they stay enabled.
IMPLEMENTING SECURITY SOLUTIONS
Many open-source and third-party vendor options can be used to satisfy compliance requirements. Security teams may turn to software outside of AWS to meet their security needs and build their security programs quickly. For example, a team may adopt a third-party intrusion detection service or disaster recovery product to meet a requirement and get to market faster, rather than assembling the same capability from individual AWS services.
Disaster Recovery (DR) and Cloud Compliance
Implementing a backup and disaster recovery (DR) plan is a requirement of most regulatory standards and cybersecurity frameworks. A proper DR plan is essential to preventing data loss and ensuring business continuity. You can see how DR fits into the applicable security standards below.
APPLICABLE COMPLIANCE STANDARDS
HIPAA: The HIPAA Security Rule requires that covered entities and business associates implement backup and disaster recovery plans. This means that teams must have documented procedures both for creating backups of electronic protected health information and for restoring it after a loss.
164.308(a)(7)(ii)(A) – Data Backup Plan
164.308(a)(7)(ii)(B) – Disaster Recovery Plan
SOC 2: The SOC 2 Trust Services Criteria (TSC), under the Additional Criteria for Availability, expect organizations to maintain backups in a remote location, to have a business continuity plan, and to test recovery from those backups.
A1.2 – The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives.
A1.3 – The entity tests recovery plan procedures supporting system recovery to meet its objectives.
HITRUST: The HITRUST CSF requires organizations to store backups in a remote location and to test both the backups and the restoration process; at higher implementation levels it also requires that backups be encrypted and that the backup process be automated.
9.05 Information Back-Up – 09.l Back-up
STEPS TO MEETING DISASTER RECOVERY COMPLIANCE REQUIREMENTS
In order to build a backup and disaster recovery program that meets compliance requirements, organizations should consider the following best practices:
- Create a Disaster Recovery Policy detailing how the organization will respond to and recover from disasters such as a temporary loss of cloud services.
- Implement an appropriate solution like Arpio for backing up cloud resources.
- Set realistic Recovery Point Objectives (RPO, the maximum amount of data loss the business can tolerate, which bounds how old the newest backup may be) and Recovery Time Objectives (RTO, how long restoration may take).
- Ensure backups are stored on encrypted storage, that the keys protecting them are not readable by every principal in the account, and that access is limited to the staff who need it.
- Store backups in a separate region and/or availability zone (AZ). A copy in a second AZ survives a single data-center failure; only a copy in a second region survives a regional outage, so choose based on the scenarios your DR policy has to cover.
- Test and revise disaster recovery plans on a periodic basis. A backup that has never been restored is an untested assumption, and both SOC 2 A1.3 and HITRUST 09.l expect evidence that restoration was actually exercised.
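The checks in the list above (newest backup within the RPO, every copy encrypted, a fresh copy outside the home region, a recent restore test, and no wildcard access to the backup key) are exactly what a continuous compliance monitor evaluates. The following is an added example written for this article, not code from Dash, Arpio, or AWS. The backup inventory and the KMS key policy it checks are constructed inline so the script runs offline; in a real audit the same records would come from `ec2.describe_snapshots`, `backup.list_recovery_points_by_backup_vault` and `kms.get_key_policy` via boto3, and the account ID, resource names and thresholds are placeholders.

```python
"""Evaluate a backup inventory and a key policy against a DR policy (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Backup:
    backup_id: str
    resource_id: str      # the protected resource (volume, database, ...)
    region: str           # region where this copy is stored
    created_at: datetime  # timezone-aware
    encrypted: bool


@dataclass(frozen=True)
class DrPolicy:
    rpo: timedelta                                     # max age of the newest backup
    home_region: str                                   # region the workload runs in
    restore_test_interval: timedelta = timedelta(days=90)


def evaluate_resource(resource_id: str, backups: List[Backup], policy: DrPolicy,
                      last_restore_test: Optional[datetime], now: datetime) -> List[str]:
    """Return the policy findings for one resource; an empty list means compliant."""
    findings: List[str] = []
    own = [b for b in backups if b.resource_id == resource_id]
    if not own:
        return [f"{resource_id}: no backups exist"]

    newest = max(own, key=lambda b: b.created_at)
    if now - newest.created_at > policy.rpo:
        findings.append(f"{resource_id}: RPO breached, newest backup is {now - newest.created_at} old")

    # Every copy must be encrypted, not just the newest: an old plaintext snapshot is still exposed data.
    for b in own:
        if not b.encrypted:
            findings.append(f"{resource_id}: backup {b.backup_id} in {b.region} is not encrypted")

    # An off-region copy must exist and itself satisfy the RPO, or a regional outage leaves only stale data.
    remote = [b for b in own if b.region != policy.home_region]
    if not remote:
        findings.append(f"{resource_id}: no copy outside {policy.home_region}")
    elif now - max(remote, key=lambda b: b.created_at).created_at > policy.rpo:
        findings.append(f"{resource_id}: off-region copy is older than the RPO")

    if last_restore_test is None or now - last_restore_test > policy.restore_test_interval:
        findings.append(f"{resource_id}: restore not tested within {policy.restore_test_interval.days} days")
    return findings


def overly_broad_statements(key_policy: dict) -> List[str]:
    """Return the Sids of Allow statements that grant access to every AWS principal.
    A backup vault key with such a statement fails 'access limited to necessary staff'."""
    bad: List[str] = []
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            bad.append(stmt.get("Sid", "<no Sid>"))
    return bad


# Constructed sample data (placeholders, not a real account).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
POLICY = DrPolicy(rpo=timedelta(hours=24), home_region="us-east-1")
INVENTORY = [
    Backup("snap-aaa", "vol-db", "us-east-1", NOW - timedelta(hours=2), True),
    Backup("snap-bbb", "vol-db", "us-west-2", NOW - timedelta(hours=3), True),    # fresh off-region copy
    Backup("snap-ccc", "vol-app", "us-east-1", NOW - timedelta(hours=30), True),  # older than the RPO
    Backup("snap-ddd", "vol-app", "us-east-1", NOW - timedelta(days=5), False),   # unencrypted, no remote copy
]
LAST_RESTORE_TEST: Dict[str, Optional[datetime]] = {"vol-db": NOW - timedelta(days=20), "vol-app": None}
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupAdminsOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/BackupAdmin"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Everyone", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}


def run_example() -> Dict[str, List[str]]:
    """Evaluate every resource in the constructed inventory against POLICY."""
    return {rid: evaluate_resource(rid, INVENTORY, POLICY, LAST_RESTORE_TEST.get(rid), NOW)
            for rid in ("vol-db", "vol-app")}


if __name__ == "__main__":
    for rid, findings in run_example().items():
        print(rid, "OK" if not findings else findings)
    print("wildcard key policy statements:", overly_broad_statements(KEY_POLICY))
```

With this data `vol-db` is compliant, `vol-app` produces four findings (RPO breach, an unencrypted snapshot, no off-region copy, no restore test), and the `Everyone` statement in the key policy is flagged. Run against a live inventory on a schedule, the same functions turn the policy bullets into evidence an auditor can review.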
About Dash
Dash provides a solution for building and managing HIPAA, HITRUST and SOC 2 security programs in Amazon Web Services (AWS). Dash ComplyOps enables teams to create custom security policies alongside cloud solutions like Arpio and enforce security standards with continuous compliance monitoring. Learn how Dash can help your organization manage AWS security compliance.