This slides is a final project presentation for Cloud Security course in Harvard Extension School. It describes how to design a HIPAA Compliance Auditing and Logging in Cloud Infrastructure for a fictitious company called GoodBuy.

1. Final Project
Harvard University
CSCI E-49 Cloud Security
Professor: Ramesh Nagappan
MOHD SHAHRUL ZHARIF SHARUDIN (BIG.GAMMA@GMAIL.COM)
ROBERT DORNBERGER (ROBDORNBERGER@ME.COM)
CHETAK PATEL (PATEL.CHE@GMAIL.COM)

2. Background
GoodBuy is a small chain of grocery stores with headquarters in
Michigan. Each GoodBuy's location has a pharmacy on site to fill
prescriptions for patients. The pharmacies have a pharmacy
management system that keeps track of all prescriptions and patient
information. GoodBuy is planning to migrate the server in each store to
the AWS cloud. Since this is a pharmacy all HIPAA regulations must be
followed to secure patient data.

4. Goal
▶ Migrate the pharmacy systems and servers in each Goodbuy store
to the AWS cloud.
▶ Ensure the new Cloud system comply with HIPAA requirement
▶ Implement appropriate security controls to protect the cloud
architecture and its data
Problem Statement
GoodBuy is planning to migrate the server in each store to the AWS
cloud. Since this is a pharmacy all HIPAA regulations must be followed
to secure patient data.

5. HIPAA Requirement (45 CFR 164.312 -
Technical safeguards)
▶ (a)(1)Standard: “...allow access only to those persons or software programs
that have been granted access rights ...”.
▶ (a)(2)Implementation specifications:

(i)Unique user identification (Required).

(ii)Emergency access procedure (Required).

(iii)Automatic logoff (Addressable).

(iv)Encryption and decryption (Addressable).
▶ (b)Standard: Audit controls.
▶ (c)(1)Standard: Integrity. protect PHI from improper alteration or destruction.
▶ (c)(2)Implementation specification: Mechanism to authenticate electronic
protected health information (Addressable).
▶ (d)Standard: Person or entity authentication.
▶ (e)(1)Standard: Transmission security.

6. Cloud
Deployment
Plan &
Strategy

7. GoodBuy Cloud Security Control
Identity & Access
Management
Virtual Private Cloud Simple Storage Service Key Management
Service
 Secure access to the
management console and
control access to other
AWS resources without
having to share your
password or access key.
 Able to grant different
permissions to different
people for different
resources.
 Able to securely provide
applications that run on
EC2 instances the
credentials that they need
to access other AWS
resources, like S3 buckets
and RDS databases
 Setup a virtual network like
what you would have in a
datacenter. Security
groups are use to filter only
over certain ports and IP
addresses.
 Only VPN server is expose
to the world.
 All the virtual machines are
isolated in separate
subnets and protected
using AWS security
policies
 Stores encrypted logs
from CloudTrail and data
from EC2 instances
 Use S3 bucket policy as
access control
 Manage encryption
key use for S3.
 Protecty key security
and availability

8. GoodBuy Cloud Logging & Monitoring
▶ We have created accountability using AWS CloudTrail for logging.
− AWS API calls and related events
− Identify who, where and when calls to AWS services are made.
− Use to create audit log for system event (E.g. change in VM
state) or data event (E.g. CRUD operation on S3 bucket)
− Monitoring has been setup using cloud trail to send alert on
important security events such as when VM shutdowns

9. Future Improvement
 Create secure images to deploy EC2 instances
using templates after everything has been
tested and approved.
 Create snapshots, and images and keep them
up to date with patches and upgrades. This will
allow a restore from a snapshot or when you
deploy from an image the latest patches and
security upgrades will be already installed.
 Malware protection needs to be in place for the
virtual machines.
 Establish a read-only operating environment to
make the operating system kernel and binaries
tamper proof.
 The logs we have in cloud trail can be
integrated into a SEIM solution.
 Federation is ready to be used we have setup simple
directory.
 Static anti-virus software needs to be running to provide
advanced malware protection.
 Install an intrusion prevention system.
 Create Disaster Recovery plans for the virtual
machines.
 Disaster Recovery needs to be integrated into the
business continuity and Disaster Recovery plan.
 Store logs long term in AWS Glacier
 Logs must be stored for 6 years