Ahmad Jubran
CTO of ConsejoSano, Inc.
Developer Week 2020 | Agile Compliance
“The ability to learn faster than your competitors may be the only sustainable competitive advantage.”
Arie de Geus, Shell Oil
Introduction
GOAL FOR THIS SESSION
Present a framework that allows us to put features/products/ideas into the market, frequently, while maintaining our compliance posture.

The framework is presented in the context of HIPAA Compliance in the Cloud (AWS), but the ideas can be generalized to other verticals and cloud providers.
NOTE ON COMPLIANCE
Compliance should be the outcome of an
effective security program, not its driver.
WHY ME?
• 20 years in tech, mostly health tech
• Startups and large orgs
• Chief Technology Officer
• Security and Compliance Officer
Framework
[Framework diagram. Delivery flow: Product backlog -> Sprint Planning -> Sprint backlog -> Code -> Test -> Deploy -> Product Alpha -> Product Beta, spanning the Build and Run phases. Compliance inputs feeding that flow: Regulatory Citation -> Control Mapping -> Reference Architecture -> Infrastructure-as-code -> Deploy, and Security and Compliance Stories -> Acceptance Criteria -> Security and Compliance Unit Tests -> Security and Compliance Acceptance Tests.]
Control Mapping
Columns of the Quick Start control matrix: HIPAA Regulatory Citation (45 C.F.R. § xxx.xxx) | Name | HIPAA Regulation Text | HIPAA Rule Category | AWS Commentary | Quick Start Implementation's Applicability to the Customer's HIPAA Compliance Program | AWS Resource Type(s) | AWS CloudFormation Template Name (Stack). Two example rows:

Citation: §164.312(d)
Name: Person or Entity Authentication
Regulation Text: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Rule Category: Security Rule
AWS Commentary: The customer is responsible for implementing person/entity authentication policies and procedures. The customer may want to consider multi-factor authentication for any workstations or systems that will have access to ePHI.
Quick Start Applicability: N/A
AWS Resource Type(s): Application-Level
CloudFormation Template (Stack): Application-Level

Citation: §164.312(b)
Name: Audit Controls
Regulation Text: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Rule Category: Security Rule
AWS Commentary: The customer's policies and procedures should ensure that information systems provide some level of audit controls while also ensuring that a workforce member reviews audit control reports on a regular basis. The AWS Business Associate Addendum (BAA) requires the customer to implement policies and procedures regarding audit controls.
Quick Start Applicability: In this architecture, AWS CloudTrail, S3 bucket logging, and Elastic Load Balancer (ELB) logging are enabled to record security-relevant user/API activities, data access activities, and source and destination addresses. Log records are stored in an S3 bucket for access by auditors and/or log analysis tools.
AWS Resource Type(s): Infrastructure: AWS::CloudTrail::Trail, AWS::S3::Bucket, AWS::RDS::DBInstance, AWS::ElasticLoadBalancing::LoadBalancer
CloudFormation Template (Stack): Infrastructure: Logging Template, Application Template
HTTPS://FWD.AWS/7M7B9
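The §164.312(b) row names the resources that implement the control; the check below turns that mapping into an automated test a pipeline can run, so the "workforce member reviews audit control reports" expectation in the commentary gets a machine-checked counterpart. This is an added example, not code from the deck or from the AWS Quick Start. It evaluates an account snapshot shaped like the boto3 responses for CloudTrail describe_trails/get_trail_status, S3 get_bucket_logging and classic ELB describe_load_balancer_attributes; the two snapshots embedded in it are constructed test data, not output from a real account, and the function names and the conditions chosen (trail logging, multi-region, log file validation, S3 destination, bucket and ELB access logs) are assumptions made for this example.

```python
"""Automated check for the mapped control 45 C.F.R. §164.312(b), Audit Controls.

Added example. Input shapes follow boto3 describe_trails / get_trail_status,
get_bucket_logging and describe_load_balancer_attributes; the snapshots are
constructed test data, not captured from a real account.
"""


def check_cloudtrail(trails, trail_status):
    """Findings for CloudTrail: at least one trail that is logging, multi-region and validated."""
    if not trails:
        return ["no CloudTrail trail configured"]
    findings = []
    for trail in trails:
        name = trail["Name"]
        if not trail_status.get(name, {}).get("IsLogging"):
            findings.append(f"trail {name}: logging is stopped")
        if not trail.get("IsMultiRegionTrail"):
            findings.append(f"trail {name}: not multi-region, API activity elsewhere is unrecorded")
        if not trail.get("LogFileValidationEnabled"):
            findings.append(f"trail {name}: log file validation disabled, tampering would go unnoticed")
        if not trail.get("S3BucketName"):
            findings.append(f"trail {name}: no S3 destination for log records")
    return findings


def check_bucket_logging(bucket_logging):
    """Findings for S3: get_bucket_logging carries no 'LoggingEnabled' key when logging is off."""
    return [f"bucket {name}: server access logging disabled"
            for name, resp in bucket_logging.items() if "LoggingEnabled" not in resp]


def check_elb_access_logs(elb_attributes):
    """Findings for ELB: access logs are what record source and destination addresses."""
    findings = []
    for name, attrs in elb_attributes.items():
        access_log = attrs.get("LoadBalancerAttributes", {}).get("AccessLog", {})
        if not access_log.get("Enabled"):
            findings.append(f"load balancer {name}: access logging disabled")
    return findings


def evaluate_audit_controls(snapshot):
    """Return {'control', 'compliant', 'findings'} for the whole control."""
    findings = (check_cloudtrail(snapshot["trails"], snapshot["trail_status"])
                + check_bucket_logging(snapshot["bucket_logging"])
                + check_elb_access_logs(snapshot["elb_attributes"]))
    return {"control": "45 CFR 164.312(b)", "compliant": not findings, "findings": findings}


# Constructed snapshot: what the logging template is expected to leave in place.
COMPLIANT_SNAPSHOT = {
    "trails": [{"Name": "hipaa-trail", "S3BucketName": "hipaa-logs-archive",
                "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}],
    "trail_status": {"hipaa-trail": {"IsLogging": True}},
    "bucket_logging": {"hipaa-app-data": {"LoggingEnabled": {"TargetBucket": "hipaa-logs-archive",
                                                              "TargetPrefix": "s3/"}}},
    "elb_attributes": {"hipaa-web-elb": {"LoadBalancerAttributes": {"AccessLog": {
        "Enabled": True, "S3BucketName": "hipaa-logs-archive"}}}},
}

# Constructed snapshot after drift: trail stopped and narrowed, bucket and ELB logging turned off.
DRIFTED_SNAPSHOT = {
    "trails": [{"Name": "hipaa-trail", "S3BucketName": "hipaa-logs-archive",
                "IsMultiRegionTrail": False, "LogFileValidationEnabled": True}],
    "trail_status": {"hipaa-trail": {"IsLogging": False}},
    "bucket_logging": {"hipaa-app-data": {}},
    "elb_attributes": {"hipaa-web-elb": {"LoadBalancerAttributes": {"AccessLog": {"Enabled": False}}}},
}

if __name__ == "__main__":
    for label, snap in (("compliant", COMPLIANT_SNAPSHOT), ("drifted", DRIFTED_SNAPSHOT)):
        result = evaluate_audit_controls(snap)
        print(label, "->", "PASS" if result["compliant"] else "FAIL")
        for finding in result["findings"]:
            print("  -", finding)
```

In a pipeline the snapshot is assembled from the live boto3 calls named above and the result feeds the same pass/fail gate as the acceptance tests; the drifted snapshot shows why the check has to cover trail status as well as trail existence, since a trail that exists but has been stopped still satisfies a naive "is CloudTrail configured" test.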
Security & Compliance Stories
HTTPS://GITHUB.COM/OWASP/USER-SECURITY-STORIES

User Story: As a Software company Customer, I need the application to allow passphrases and/or difficult passwords.
Acceptance Criteria: Verify password entry fields allow, or encourage, the use of passphrases, long passphrases or highly complex passwords. Verify that measures are in place to block the use of commonly chosen passwords and weak passphrases.

User Story: As a Software company Customer, I need all connections to an application that contains my user data to be authenticated.
Acceptance Criteria: Verify that all connections to applications that contain customer information or functions are authenticated.
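The first story's acceptance criteria become testable once they are written as a validator: long passphrases must pass, and commonly chosen passwords must be blocked even when disguised. The code below is an added example, not code from the deck or from the OWASP user-security-stories project. The 8-character minimum, the 128-character ceiling, the distinct-character rule and the tiny breached-password set are assumptions made for this example; a real deployment screens against a full breached-password corpus.

```python
"""Validator for the 'allow passphrases, block common passwords' story.

Added example; thresholds and the blocklist are assumptions for illustration.
"""
import unicodedata

MIN_LENGTH = 8
MAX_LENGTH = 128  # high enough that a long passphrase is never rejected for length

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "iloveyou", "admin123",
}

# Leetspeak substitutions so "P@ssw0rd" is looked up as "password".
_LEET = str.maketrans("@$0!13", "asoile")


def normalized_forms(password):
    """Forms used only for the blocklist lookup, never for storage.

    Both the plain casefolded form and the leet-mapped form are checked: mapping
    alone would turn "123456" into "l2e456" and let the most common password through.
    """
    base = unicodedata.normalize("NFKC", password).casefold()
    return {base, base.translate(_LEET)}


def validate_password(password):
    """Return the reasons the password is rejected; an empty list means accepted.

    Deliberately absent: composition rules (digit/symbol required) and a low
    maximum length, both of which would defeat the "allow passphrases" criterion.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if normalized_forms(password) & COMMON_PASSWORDS:
        reasons.append("matches a commonly chosen password")
    if len(set(password)) < 4:
        reasons.append("weak passphrase: fewer than 4 distinct characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ssw0rd", "123456", "aaaaaaaaaa"):
        verdict = validate_password(candidate)
        print(repr(candidate), "->", "accepted" if not verdict else "; ".join(verdict))
```

Each acceptance criterion maps to one assertion against this function, which is what lets the story run as a unit test rather than a checklist item.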
SECURITY & COMPLIANCE UNIT TEST
BDD with GauntLt
HTTPS://GITHUB.COM/GAUNTLT/GAUNTLT
@slow
Feature: Run dirb scan on a URL

  Scenario: Use dirb to scan a website for basic security requirements (the DIRB_WORDLISTS environment variable must be set)
    Given "dirb" is installed
    And the following profile:
      | name                | value                          |
      | hostname            | http://localhost:8008          |
      | dirb_wordlists_path | Overwritten by $DIRB_WORDLISTS |
      | wordlist            | vulns/tests.txt                |
    When I launch a "dirb" attack with:
      """
      dirb <hostname> <dirb_wordlists_path>/<wordlist> -wf
      """
    Then the output should contain:
      """
      FOUND: 0
      """
SECURITY & COMPLIANCE ACCEPTANCE TESTS
Security Risks & Vulnerabilities Testing with Zap
HTTPS://WWW.ZAPROXY.ORG/
#!/usr/bin/env python
import time
from pprint import pprint

from zapv2 import ZAPv2  # pip install python-owasp-zap-v2.4

apiKey = 'changeme'  # must match the api.key ZAP was started with
target = 'https://public-firing-range.appspot.com'
# The client talks to the ZAP API through ZAP's own listener (127.0.0.1:8080 by default)
zap = ZAPv2(apikey=apiKey,
            proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})

# TODO: explore the app (Spider, etc.) before using the Active Scan API; refer to the explore section
print('Active Scanning target {}'.format(target))
scanID = zap.ascan.scan(target)
while int(zap.ascan.status(scanID)) < 100:
    # Loop until the scanner has finished
    print('Scan progress %: {}'.format(zap.ascan.status(scanID)))
    time.sleep(5)
print('Active Scan completed')

# Print vulnerabilities found by the scanning
print('Hosts: {}'.format(', '.join(zap.core.hosts)))
print('Alerts: ')
pprint(zap.core.alerts(baseurl=target))
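Printing the alert list makes the scan a report; an acceptance test needs a verdict. The gate below consumes the list that zap.core.alerts() returns and fails the build on findings at or above a chosen risk level, while letting documented risk acceptances through without hiding them from the counts. It is an added example, not code from the deck or from the ZAP project: it relies on the 'risk', 'alert', 'url' and 'pluginId' keys of each alert dict, the alerts embedded in it are constructed rather than taken from a real scan, and the fail_at/accepted_risks conventions are assumptions made for this example.

```python
"""Pass/fail gate over ZAP alerts. Added example; sample alerts are constructed."""

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def gate_alerts(alerts, fail_at="Medium", accepted_risks=frozenset()):
    """Return (passed, blocking, summary).

    accepted_risks: (pluginId, url) pairs that have been risk-accepted in writing;
    they are still counted in the summary but do not block the build.
    Duplicate instances of one finding (same pluginId and url) block only once.
    """
    threshold = RISK_ORDER[fail_at]
    summary = {level: 0 for level in RISK_ORDER}
    blocking, seen = [], set()
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        summary[risk] = summary.get(risk, 0) + 1
        key = (alert.get("pluginId"), alert.get("url"))
        if key in accepted_risks or key in seen:
            continue
        if RISK_ORDER.get(risk, 0) >= threshold:
            seen.add(key)
            blocking.append({"risk": risk, "alert": alert.get("alert"),
                             "url": alert.get("url"), "pluginId": alert.get("pluginId")})
    return not blocking, blocking, summary


# Constructed alerts in the shape zap.core.alerts() returns (other keys omitted).
SAMPLE_ALERTS = [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "https://app.example/reflect?q=1", "param": "q"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "https://app.example/reflect?q=1", "param": "q"},  # second instance, same finding
    {"pluginId": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "risk": "Medium",
     "url": "https://app.example/"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "url": "https://app.example/"},
]

if __name__ == "__main__":
    import sys
    passed, blocking, summary = gate_alerts(SAMPLE_ALERTS)
    print("alert counts:", summary)
    for item in blocking:
        print(f"BLOCKING [{item['risk']}] {item['alert']} at {item['url']}")
    sys.exit(0 if passed else 1)
```

Replacing the final pprint in the script above with a call to this gate and exiting non-zero on failure is what makes the scan a test the pipeline can stop on; the accepted-risk list belongs in version control next to the test so the exception is reviewable.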
SECURITY & COMPLIANCE ACCEPTANCE TESTS
Compliance as Code with INSPEC
HTTPS://WWW.INSPEC.IO/
control 'sshd-21' do
  title 'Set SSH Protocol to 2'
  desc 'A detailed description'
  impact 1.0  # This is critical
  ref 'compliance guide, section 2.1'
  # Note: OpenSSH 7.4 and later dropped SSH-1, so the Protocol directive is usually absent
  # from sshd_config on current hosts and this control then fails rather than proving protocol 2
  describe sshd_config do
    its('Protocol') { should cmp 2 }
  end
end

describe file('/etc/myapp.conf') do
  it { should exist }
  its('mode') { should cmp 0644 }
end

describe apache_conf do
  its('Listen') { should cmp 8080 }
end

describe port(8080) do
  it { should be_listening }
end
Reference Architecture
BEST PRACTICES
The architecture is built to support AWS best practices for high availability and security, and to map directly to controls from the HIPAA citation (examples):
• Multi-AZ architecture intended for high availability
• Isolation of instances between private/public subnets
• Network access control list (ACL) rules to filter traffic into subnets as an additional layer of network security
• A secured bastion host instance to facilitate restricted login access for system administrator actions
• Monitoring and logging; alerts and notifications for critical events
• S3 buckets (with security features enabled) for logging, archive, and application data
• HTTPS-enabled Elastic Load Balancing (ELB) load balancers with hardened security policy
• Amazon RDS database backup and encryption
• Compliance automation (AWS Config Rules)
HTTPS://DOCS.AWS.AMAZON.COM/QUICKSTART/LATEST/COMPLIANCE-HIPAA/OVERVIEW.HTML#FIGURE-2
[Architecture diagram (Figure 2 of the Quick Start): a Development VPC and a Production VPC, each spanning eu-west-2a and eu-west-2b, with a DMZ subnet (proxies, NAT) and two tiers of private subnets (application; RDS DB) in each AZ; a Management VPC with NAT and a bastion host across eu-west-2a/eu-west-2b for user access, with space noted for potential security appliances for monitoring, logging, etc.; and an Archive Logs bucket fed by CloudTrail, AWS Config Rules and CloudWatch Alarms, with S3 lifecycle policies to Glacier.]
Infrastructure as Code
HTTPS://GITHUB.COM/AWS-QUICKSTART/QUICKSTART-COMPLIANCE-HIPAA
Nested stack resource for the logging template (excerpt):

LoggingTemplate:
  Type: AWS::CloudFormation::Stack
  Properties:
    TemplateURL: !Sub
      - https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-compliance-common/templates/logging.template
      - QSS3Region: !If
          - GovCloudCondition
          - s3-us-gov-west-1
          - s3
    TimeoutInMinutes: 20
    Parameters:
      pNotifyEmail: !Ref pNotifyEmail
      pSupportsGlacier: !FindInMap
        - RegionServiceSupport
        - !Ref AWS::Region
        - Glacier
Questions?
Ahmad Jubran
LinkedIn: www.linkedin.com/in/ahmadjubran