Ahmad Jubran CTO of ConsejoSano, Inc. Developer Week 2020 | Agile Compliance

Post on 26-Aug-2020


Page 1: “Learn from yesterday, live for today, hope for tomorrow ...”

Ahmad Jubran

CTO of ConsejoSano, Inc.

Developer Week 2020 | Agile Compliance

Page 2:

“The ability to learn faster than your competitors may be the only sustainable competitive advantage.”

Arie de Geus, Shell Oil

Page 3:

Introduction

Page 4:

GOAL FOR THIS SESSION

Present a framework that allows us to put features/products/ideas into the market, frequently, while maintaining our compliance posture.

Page 5:

The framework is presented in the context of HIPAA compliance in the cloud (AWS), but the ideas generalize to other verticals and cloud providers.

Page 6:

NOTE ON COMPLIANCE

Compliance should be the outcome of an effective security program, not its driver.

Page 7:

WHY ME?

• 20 years in tech, mostly health tech

• Startups and large orgs

• Chief Technology Officer

• Security and Compliance Officer

Page 8:

Framework

Page 9:

Framework diagram, reconstructed as its three tracks:

Delivery pipeline: Product backlog → Sprint Planning → Sprint backlog → Code, Test, Deploy → Product Alpha → Product Beta (labelled Build / Run)

Compliance pipeline: Regulatory Citation → Control Mapping → Reference Architecture → Infrastructure-as-code → Deploy

Security and Compliance: Stories → Acceptance Criteria → Security and Compliance Unit Tests → Security and Compliance Acceptance Tests

Page 10:

Control Mapping

Page 11:

Control mapping table. Columns: HIPAA Regulatory Citation (45 C.F.R. § xxx.xxx) | Name | HIPAA Regulation Text | HIPAA Rule Category | AWS Commentary | Quick Start Implementation's Applicability to the Customer's HIPAA Compliance Program | AWS Resource Type(s) | AWS CloudFormation Template Name (Stack)

Row 1
  Citation: §164.312(d)
  Name: Person or Entity Authentication
  Regulation Text: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  Rule Category: Security Rule
  AWS Commentary: The customer is responsible for implementing person/entity authentication policies and procedures. The customer may want to consider multi-factor authentication for any workstations or systems that will have access to ePHI.
  Quick Start Applicability: N/A
  AWS Resource Type(s): Application-Level
  CloudFormation Template (Stack): Application-Level

Row 2
  Citation: §164.312(b)
  Name: Audit Controls
  Regulation Text: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  Rule Category: Security Rule
  AWS Commentary: The customer's policies and procedures should ensure that information systems provide some level of audit controls while also ensuring that a workforce member reviews audit control reports on a regular basis. The AWS Business Associate Addendum (BAA) requires the customer to implement policies and procedures regarding audit controls.
  Quick Start Applicability: In this architecture, AWS CloudTrail, S3 bucket logging, and Elastic Load Balancer (ELB) logging are enabled to record security-relevant user/API activities, data access activities, and source and destination addresses. Log records are stored in an S3 bucket for access by auditors and/or log analysis tools.
  AWS Resource Type(s): Infrastructure: AWS::CloudTrail::Trail, AWS::S3::Bucket, AWS::RDS::DBInstance, AWS::ElasticLoadBalancing::LoadBalancer
  CloudFormation Template (Stack): Infrastructure Logging Template, Application Template

HTTPS://FWD.AWS/7M7B9
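The §164.312(b) row names three mechanisms (CloudTrail, S3 bucket logging, ELB access logging), so it can be checked by code rather than read as a paper mapping. The following is an added example, not code from the talk or the AWS Quick Start: it evaluates a constructed account snapshot whose field names follow the shape of boto3 describe output; the audit-bucket name and the exemption list are assumptions. The workforce review the AWS commentary asks for still has to happen on whatever this produces.

```python
from dataclasses import dataclass

# Constructed snapshot shaped like boto3 describe_trails / get_bucket_logging /
# describe_load_balancer_attributes output; every value here is made up.
SAMPLE_ACCOUNT = {
    "trails": [
        {"Name": "hipaa-trail", "IsMultiRegionTrail": True,
         "LogFileValidationEnabled": True, "S3BucketName": "audit-logs"},
    ],
    "buckets": {
        "app-data": {"LoggingEnabled": {"TargetBucket": "audit-logs"}},
        "audit-logs": {},          # the log archive itself; exempted by the caller
        "uploads": {},             # gap: ePHI uploads with no access logging
    },
    "load_balancers": {
        "web-elb": {"AccessLog": {"Enabled": True, "S3BucketName": "audit-logs"}},
        "api-elb": {"AccessLog": {"Enabled": False}},   # gap: no ELB access logs
    },
}

@dataclass
class Finding:
    control: str
    resource: str
    message: str

def evaluate_audit_controls(account, log_bucket, exempt_buckets=()):
    """Check the 164.312(b) mechanisms; an empty list means the control passes."""
    ctl = "164.312(b)"
    findings = []
    trails = [t for t in account["trails"] if t.get("IsMultiRegionTrail")]
    if not trails:
        findings.append(Finding(ctl, "AWS::CloudTrail::Trail", "no multi-region trail"))
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(Finding(ctl, t["Name"], "log file validation disabled"))
        if t.get("S3BucketName") != log_bucket:
            findings.append(Finding(ctl, t["Name"], "trail not delivered to audit bucket"))
    for name, cfg in account["buckets"].items():
        if name in exempt_buckets:
            continue
        if cfg.get("LoggingEnabled", {}).get("TargetBucket") != log_bucket:
            findings.append(Finding(ctl, f"AWS::S3::Bucket/{name}", "access logging not sent to audit bucket"))
    for name, attrs in account["load_balancers"].items():
        log = attrs.get("AccessLog", {})
        if not log.get("Enabled") or log.get("S3BucketName") != log_bucket:
            findings.append(Finding(ctl, f"AWS::ElasticLoadBalancing::LoadBalancer/{name}", "access logs disabled"))
    return findings
```

On the sample snapshot the check reports the `uploads` bucket and `api-elb` as the two gaps and passes the rest.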

Page 12:

Security & Compliance Stories

Page 13:

HTTPS://GITHUB.COM/OWASP/USER-SECURITY-STORIES

User Story 1: As a Software company Customer, I need the application to allow passphrases and/or difficult passwords.

Acceptance Criteria: Verify password entry fields allow, or encourage, the use of passphrases, long passphrases or highly complex passwords. Verify that measures are in place to block the use of commonly chosen passwords and weak passphrases.

User Story 2: As a Software company Customer, I need all connections to an application that contains my user data to be authenticated.

Acceptance Criteria: Verify that all connections to applications that contain customer information or functions are authenticated.
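Acceptance criteria become a unit test once the policy they describe is code. Here is an added example, not from the talk or the OWASP stories repository, of the first story's criteria: long passphrases are accepted, and commonly chosen passwords and weak passphrases are rejected. The blocklist, length bounds and user-term check are constructed assumptions rather than OWASP's own figures.

```python
import unicodedata

# Constructed mini blocklist; a real deployment checks against a large
# breached/common-password list instead of this handful of entries.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein",
                    "welcome1", "iloveyou", "admin123", "correcthorsebatterystaple"}
MIN_LENGTH = 12      # assumed minimum; long enough to encourage passphrases
MAX_LENGTH = 128     # assumed cap; bounds hashing cost without forbidding passphrases

def normalize(secret: str) -> str:
    """NFKC-normalize so a password spelled with lookalike code points is
    still compared against the blocklist in its canonical form."""
    return unicodedata.normalize("NFKC", secret)

def check_password(secret: str, user_terms=()) -> list:
    """Return the list of failed acceptance criteria (empty list == accepted)."""
    s = normalize(secret)
    failures = []
    if len(s) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        failures.append(f"longer than {MAX_LENGTH} characters")
    # Compare case-insensitively and without spaces, so that a well-known
    # passphrase typed with spaces still hits the blocklist entry.
    compact = s.lower().replace(" ", "")
    if compact in COMMON_PASSWORDS:
        failures.append("commonly chosen password")
    for term in user_terms:               # e.g. username or e-mail local part
        if term and term.lower() in compact:
            failures.append(f"contains user-specific term {term!r}")
    if len(set(compact)) <= 2:            # "aaaaaaaaaaaa" is long but weak
        failures.append("too few distinct characters")
    return failures
```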

Page 14:

SECURITY & COMPLIANCE UNIT TEST

BDD with GauntLt

Page 15:

HTTPS://GITHUB.COM/GAUNTLT/GAUNTLT

@slow
Feature: Run dirb scan on a URL

  Scenario: Use dirb to scan a website for basic security requirements and the DIRB_WORDLISTS environment variable must be set in your path.
    Given "dirb" is installed
    And the following profile:
      | name                | value                          |
      | hostname            | http://localhost:8008          |
      | dirb_wordlists_path | Overwritten by $DIRB_WORDLISTS |
      | wordlist            | vulns/tests.txt                |
    When I launch a "dirb" attack with:
      """
      dirb <hostname> <dirb_wordlists_path>/<wordlist> -wf
      """
    Then the output should contain:
      """
      FOUND: 0
      """

Page 16:

SECURITY & COMPLIANCE ACCEPTANCE TESTS

Security Risks & Vulnerabilities Testing with Zap

Page 17:

HTTPS://WWW.ZAPROXY.ORG/

#!/usr/bin/env python
import time
from pprint import pprint
from zapv2 import ZAPv2

apiKey = 'changeme'
target = 'https://public-firing-range.appspot.com'
# ZAP is reached through its local proxy listener on 127.0.0.1:8080
zap = ZAPv2(apikey=apiKey, proxies={'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'})

# TODO: explore the app (Spider, etc.) before using the Active Scan API; refer to the explore section
print('Active Scanning target {}'.format(target))
scanID = zap.ascan.scan(target)
while int(zap.ascan.status(scanID)) < 100:
    # Loop until the scanner has finished
    print('Scan progress %: {}'.format(zap.ascan.status(scanID)))
    time.sleep(5)

print('Active Scan completed')
# Print vulnerabilities found by the scanning
print('Hosts: {}'.format(', '.join(zap.core.hosts)))
print('Alerts: ')
pprint(zap.core.alerts(baseurl=target))
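The script above ends by printing the alert list; an acceptance test needs a verdict. The following is an added example, not ZAP's own code, that turns the list `zap.core.alerts()` returns into a pass/fail gate. The `fail_at` and `min_confidence` thresholds are assumed policy knobs, and the alerts are constructed with the field names ZAP uses.

```python
from collections import Counter

RISK_ORDER = ["Informational", "Low", "Medium", "High"]
CONFIDENCE_ORDER = ["False Positive", "Low", "Medium", "High", "User Confirmed"]

# Constructed alerts using the field names zap.core.alerts() returns.
SAMPLE_ALERTS = [
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "https://app.example/", "param": ""},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Medium", "url": "https://app.example/search", "param": "q"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Low", "url": "https://app.example/search", "param": "q"},
    {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium",
     "confidence": "Low", "url": "https://app.example/profile", "param": ""},
]

def summarize(alerts):
    """Alerts per risk level, deduplicated by (alert, url, param) so the same
    finding reported at two confidence levels counts as one item to fix."""
    unique = {(a["alert"], a["url"], a.get("param", "")): a for a in alerts}
    return Counter(a["risk"] for a in unique.values())

def blocking_alerts(alerts, fail_at="Medium", min_confidence="Low"):
    """Alerts with risk >= fail_at and confidence >= min_confidence, keeping
    the highest-confidence instance of each (alert, url, param) key."""
    risk_floor = RISK_ORDER.index(fail_at)
    conf_floor = CONFIDENCE_ORDER.index(min_confidence)
    best = {}
    for a in alerts:
        conf = CONFIDENCE_ORDER.index(a["confidence"])
        if RISK_ORDER.index(a["risk"]) < risk_floor or conf < conf_floor:
            continue
        key = (a["alert"], a["url"], a.get("param", ""))
        if key not in best or conf > CONFIDENCE_ORDER.index(best[key]["confidence"]):
            best[key] = a
    return sorted(best.values(), key=lambda a: -RISK_ORDER.index(a["risk"]))

def gate(alerts, **policy):
    """Acceptance-test verdict: (passed, alerts that block the release)."""
    blocking = blocking_alerts(alerts, **policy)
    return len(blocking) == 0, blocking

if __name__ == "__main__":
    passed, blocking = gate(SAMPLE_ALERTS)
    print("summary:", dict(summarize(SAMPLE_ALERTS)), "passed:", passed)
    for a in blocking:
        print(f"{a['risk']:>6} {a['confidence']:>6} {a['alert']} at {a['url']} param={a['param']!r}")
```

With the defaults the sample fails on two deduplicated alerts (the reflected XSS and the missing anti-CSRF token); raising `min_confidence` to Medium drops the low-confidence CSRF alert from the blocking set.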

Page 18:

SECURITY & COMPLIANCE ACCEPTANCE TESTS

Compliance as Code with INSPEC

Page 19:

HTTPS://WWW.INSPEC.IO/

control 'sshd-21' do
  title 'Set SSH Protocol to 2'
  desc 'A detailed description'
  impact 1.0                                # This is critical
  ref 'compliance guide, section 2.1'
  describe sshd_config do
    its('Protocol') { should cmp 2 }
  end
end

describe file('/etc/myapp.conf') do
  it { should exist }
  its('mode') { should cmp 0644 }
end

describe apache_conf do
  its('Listen') { should cmp 8080 }
end

describe port(8080) do
  it { should be_listening }
end

Page 20:

Reference Architecture

Page 21:

BEST PRACTICES

The architecture is built to support AWS best practices for high availability and security and to map directly to controls from the HIPAA citations (examples):

• Multi-AZ architecture intended for high availability

• Isolation of instances between private/public subnets

• Network access control list (ACL) rules to filter traffic into subnets as an additional layer of network security

• A secured bastion host instance to facilitate restricted login access for system administrator actions

• Monitoring and logging; alerts and notifications for critical events

• S3 buckets (with security features enabled) for logging, archive, and application data

• HTTPS-enabled Elastic Load Balancing (ELB) load balancers with hardened security policy

• Amazon RDS database backup and encryption

• Compliance automation (AWS Config Rules)

HTTPS://DOCS.AWS.AMAZON.COM/QUICKSTART/LATEST/COMPLIANCE-HIPAA/OVERVIEW.HTML#FIGURE-2

Page 22:

[Architecture diagram] A Development VPC and a Production VPC, each spanning eu-west-2a and eu-west-2b, each with a DMZ subnet (proxies, NAT) and private subnets (RDS DB) per availability zone. A Management VPC (eu-west-2a / eu-west-2b) holds the bastion host and NAT used by administrators (Users). Shared services: CloudTrail, AWS Config Rules, CloudWatch Alarms, and an Archive Logs Bucket with S3 lifecycle policies to Glacier. Diagram note: potential use for security appliances for monitoring, logging, etc.

Page 23:

Infrastructure as Code

Page 24:

HTTPS://GITHUB.COM/AWS-QUICKSTART/QUICKSTART-COMPLIANCE-HIPAA

LoggingTemplate:
  Type: AWS::CloudFormation::Stack
  Properties:
    TemplateURL: !Sub
      - https://${QSS3BucketName}.${QSS3Region}.amazonaws.com/${QSS3KeyPrefix}submodules/quickstart-compliance-common/templates/logging.template
      - QSS3Region: !If
          - GovCloudCondition
          - s3-us-gov-west-1
          - s3
    TimeoutInMinutes: 20
    Parameters:
      pNotifyEmail: !Ref pNotifyEmail
      pSupportsGlacier: !FindInMap
        - RegionServiceSupport
        - !Ref AWS::Region
        - Glacier

Page 25:

Questions?

Ahmad Jubran

[email protected]

LinkedIn: www.linkedin.com/in/ahmadjubran