How to Handle PCI and HIPAA Compliance with Serverless Architecture( SRV214)

This session explores how a serverless approach simplifies the effort to meet compliance needs. After an introduction to the PCI standard, we look at how to build an e-commerce solution using Amazon API Gateway and AWS Lambda. Then, we explore how we can expand that system to include the handling of Protected Health Information (PHI) to achieve HIPAA compliance.

  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS re:INVENT. How to Handle PCI and HIPAA Compliance with Serverless Architecture. Mayank Thakkar - Healthcare and Life Sciences Solutions Architect; Ryan Kolak - Senior Solutions Architect. SRV214
  2. Agenda
     • Security within AWS
     • PCI DSS and AWS Serverless Services
     • HIPAA and AWS Serverless Services
     • Q & A
  3. AWS - Security Model
  4. AWS Core Security Services: AWS CloudTrail, AWS Config, AWS KMS, AWS Artifact, AWS Certificate Manager, IAM, AWS CloudHSM
  5. Shared Responsibility Model
  6. Shared Responsibility Model - Serverless
  7. AWS and PCI-DSS
  8. 'Serverless' Services in Scope – PCI DSS: Amazon S3, AWS Lambda, Amazon Kinesis, Amazon API Gateway, Amazon DynamoDB, Amazon SQS, Amazon CloudFront, Amazon Cognito, and many more…
  9. Serverless Architecture – eCommerce website (diagram components): Users (browser), Amazon S3 bucket (website assets), Amazon Cognito, Amazon API Gateway, AWS Lambda, Amazon DynamoDB, Amazon Kinesis, Amazon S3 bucket (encrypted objects)
  10. Implementing Controls – Requirement 10: Track and monitor all access to network resources and cardholder data.
     • IAM policy to limit access to sensitive attributes in DynamoDB
     • Encrypt sensitive data in DynamoDB with KMS
     • CloudTrail produces log entries when encrypted data is accessed
     • Enable log file integrity in CloudTrail to ensure logs are not modified
     (services: IAM, AWS KMS, Amazon DynamoDB, AWS CloudTrail)
  11. AWS and HIPAA
  12. The basics
     • Build HIPAA-eligible applications that store, process and transmit PHI
     • Business Associate Agreement (BAA) addendum available
     • Required if you are a Covered Entity or Business Associate as defined by HIPAA
     • Broad range of HIPAA-eligible services (36+) under the AWS BAA addendum: Storage, Compute, Database, Managed Big Data, Archiving, Data Warehousing, Networking
  13. 'Serverless' Services in Scope – HIPAA: Amazon S3 (including S3 Transfer Acceleration), AWS Lambda, Amazon Kinesis Streams, Amazon API Gateway (excluding Amazon API Gateway caching), Amazon DynamoDB, Amazon SQS, Amazon CloudFront (including Lambda@Edge), Amazon Cognito, Amazon SNS, AWS WAF, AWS Batch, AWS CloudHSM, AWS KMS, Amazon Inspector, and many more…
  14. Medical Data Telemetry (Mobile Devices) (diagram components): Medical Sensor, Mobile Device, Amazon Cognito, Amazon API Gateway, AWS Lambda, Amazon Kinesis Streams, AWS Lambda, Amazon S3 – raw data, Amazon DynamoDB, Amazon SNS
  15. Meeting Compliance Objectives (Objective → AWS Services)
     • Encryption in transit: use HTTPS endpoints
     • Encrypt data at rest: Amazon S3, Amazon Kinesis: native encryption; Amazon DynamoDB: client-side encryption; AWS Lambda: encrypt sensitive information in Lambda environment variables
     • Enforcing least privilege: use IAM roles and policies to achieve segregation of control
     • Auditing: Amazon S3: enable access logging to audit GET requests; AWS CloudTrail, Amazon CloudWatch Logs and S3 (custom logs)
  16. Meeting Compliance Objectives (continued)
     • Data backup: S3 & Glacier
     • High availability & disaster recovery: regional services use multiple Availability Zones (within a region) by default; use the DynamoDB cross-region replication solution; use the S3 cross-region replication feature to migrate data to another region
     • Logging and log integrity: S3 and CloudTrail for logging; enable log file integrity in CloudTrail
  17. Q & A
  18. References
     • Services in scope by program
     • PCI DSS: FAQs, Quickstart, case studies (Simple, Stripe, PaymentSpring and many more…)
     • HIPAA: Compliance, Quickstart, case studies
  19. THANK YOU!
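Slides 10 and 15 call for an IAM policy that limits access to sensitive DynamoDB attributes as the least-privilege control for cardholder data. The example below is added here and is not code from the session: it builds such a policy with the `dynamodb:Attributes` and `dynamodb:Select` condition keys and evaluates sample requests against it offline, using a simplified model of IAM's evaluation logic. The table ARN, the attribute names and the role it is meant for are constructed placeholders.

```python
"""Attribute-level least privilege for DynamoDB: build a read-only IAM policy
that excludes sensitive attributes and evaluate requests against it offline.
Added example, not code from the session; the account, table and attribute
names are constructed placeholders."""
import json

# Constructed placeholders: a fictitious account and an Orders table whose
# items also hold payment attributes that a reporting role must never read.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
NON_SENSITIVE = ["OrderId", "CustomerId", "Status", "Total"]
ALL_ITEM_ATTRIBUTES = NON_SENSITIVE + ["CardNumber", "CardExpiry"]


def build_read_policy(table_arn, allowed_attributes):
    """IAM policy using the dynamodb:Attributes and dynamodb:Select condition
    keys.  ForAllValues:StringEquals passes only when every attribute the
    request would return is in the allowed list; StringEqualsIfExists on
    dynamodb:Select requires SPECIFIC_ATTRIBUTES whenever Select is set, so a
    caller cannot ask for ALL_ATTRIBUTES to sidestep the list."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadNonSensitiveOrderAttributes",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:BatchGetItem",
                           "dynamodb:Query", "dynamodb:Scan"],
                "Resource": table_arn,
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "dynamodb:Attributes": list(allowed_attributes)
                    },
                    "StringEqualsIfExists": {
                        "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
                    },
                },
            }
        ],
    }


def request_allowed(policy, action, resource, returned_attributes, select=None):
    """Simplified local model of IAM evaluation for this policy shape: an
    explicit Allow whose Action, Resource and both conditions match wins,
    otherwise the request is implicitly denied.  returned_attributes is the
    set of attributes the call would return: the projection when one is
    given, or every attribute of the item when it is not."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if action not in stmt["Action"] or resource != stmt["Resource"]:
            continue
        cond = stmt.get("Condition", {})
        allowed = set(cond["ForAllValues:StringEquals"]["dynamodb:Attributes"])
        if not set(returned_attributes) <= allowed:
            continue  # at least one sensitive attribute would be returned
        wanted_select = cond["StringEqualsIfExists"]["dynamodb:Select"]
        if select is not None and select != wanted_select:
            continue
        return True
    return False


def policy_document(table_arn=TABLE_ARN, allowed_attributes=NON_SENSITIVE):
    """JSON text of the policy, ready to attach to the reporting role."""
    return json.dumps(build_read_policy(table_arn, allowed_attributes), indent=2)


if __name__ == "__main__":
    policy = build_read_policy(TABLE_ARN, NON_SENSITIVE)
    print(policy_document())
    # Projected read of non-sensitive attributes: allowed.
    print(request_allowed(policy, "dynamodb:GetItem", TABLE_ARN,
                          ["OrderId", "Status"], "SPECIFIC_ATTRIBUTES"))
    # Unprojected read would return CardNumber: denied.
    print(request_allowed(policy, "dynamodb:GetItem", TABLE_ARN,
                          ALL_ITEM_ATTRIBUTES))
```

The evaluator only models the allow statement it is given; it has no notion of explicit denies or other attached policies, and a real deployment should be checked with the IAM policy simulator rather than with this function. The design point is that the policy restricts what a read can return, so application code must use a projection (or equivalent) or the read is refused, which is why the slide pairs this control with KMS encryption of the sensitive attributes as a second layer.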
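Slides 10 and 16 both rely on CloudTrail log file integrity validation to show that audit logs were not modified or deleted after delivery. The example below is added here and is not AWS code: it is a simplified model of the hash-chained digest mechanism behind that feature, with constructed field names and an HMAC standing in for the RSA signature CloudTrail applies to each digest file, so it runs offline with the standard library only. It shows how a modified log file, a missing log file, a missing digest and a re-signed digest each surface as a finding.

```python
"""Hash-chained log digests: a simplified model of the mechanism behind
CloudTrail log file integrity validation.  Added example, not AWS code and not
CloudTrail's actual digest format: field names are constructed, and an HMAC
stands in for the RSA signature CloudTrail puts on each digest file."""
import hashlib
import hmac
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _canonical(body):
    # Deterministic serialisation so signing and verification hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_digest(log_files, previous_digest, signing_key):
    """Produce a digest for a batch of log files ({name: bytes}).  The digest
    records every file's SHA-256 and the SHA-256 of the previous digest, then
    the whole body is signed, so neither a file nor an earlier digest can be
    altered or dropped without breaking a hash or a signature."""
    body = {
        "logFiles": [{"name": name, "hashValue": sha256_hex(content)}
                     for name, content in sorted(log_files.items())],
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
    }
    signature = hmac.new(signing_key, _canonical(body), hashlib.sha256).hexdigest()
    return _canonical({"body": body, "signature": signature})


def validate_chain(digests, log_store, verify_key):
    """Walk digests oldest to newest and return a list of findings; an empty
    list means every digest signature, chain link and log file hash checked
    out.  log_store maps file name to the bytes currently in the bucket."""
    findings = []
    previous = None
    for i, raw in enumerate(digests):
        doc = json.loads(raw)
        expected_sig = hmac.new(verify_key, _canonical(doc["body"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, doc["signature"]):
            findings.append("digest %d: signature invalid (digest modified or wrong key)" % i)
        expected_prev = sha256_hex(previous) if previous else None
        if doc["body"]["previousDigestHashValue"] != expected_prev:
            findings.append("digest %d: chain broken (previous digest missing or modified)" % i)
        for entry in doc["body"]["logFiles"]:
            content = log_store.get(entry["name"])
            if content is None:
                findings.append("digest %d: log file %s missing" % (i, entry["name"]))
            elif sha256_hex(content) != entry["hashValue"]:
                findings.append("digest %d: log file %s modified" % (i, entry["name"]))
        previous = raw
    return findings


# Constructed sample: two hourly log files with one CloudTrail-style record each.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"
LOG_FILES = {
    "2017-11-28T10-00Z.json": b'{"Records":[{"eventSource":"kms.amazonaws.com","eventName":"Decrypt"}]}',
    "2017-11-28T11-00Z.json": b'{"Records":[{"eventSource":"dynamodb.amazonaws.com","eventName":"GetItem"}]}',
}


def demo():
    """Build a two-digest chain, then validate the intact store and a store
    where the first log file has had its record removed."""
    first, second = sorted(LOG_FILES)
    d1 = build_digest({first: LOG_FILES[first]}, None, SIGNING_KEY)
    d2 = build_digest({second: LOG_FILES[second]}, d1, SIGNING_KEY)
    tampered = dict(LOG_FILES)
    tampered[first] = b'{"Records":[]}'
    return (validate_chain([d1, d2], LOG_FILES, SIGNING_KEY),
            validate_chain([d1, d2], tampered, SIGNING_KEY))


if __name__ == "__main__":
    intact, modified = demo()
    print("intact store:", intact or "no findings")
    print("tampered store:", modified)
```

With a real trail the verifying party holds only the public key, so the signature check is an RSA verification rather than recomputing an HMAC, and the CLI's validate-logs command performs the walk shown here; the defensive property is the same: after enabling log file validation, the log store and its digests can be checked from a separate account, and any finding points at exactly which file or digest changed.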