COMPLIANCE MADE UNCOMPLICATED

The IT world was a very different place when I first started my career at the tail end of 1999. Terms such as HIPAA, compliance and disaster recovery were concepts that people didn't really think about, and if they did, they didn't take them very seriously.

In fact, as laughable as it seems now, back in 1999 the thing most people worried about was the Millennium Bug and how it would create computer havoc when the clock ticked over to the Year 2000!

Needless to say, the Millennium Bug came to nothing, but a series of events in the following years changed the landscape of IT and made risk management strategies a standard part of running a business.

Firstly, the 9/11 attacks cemented the need for disaster recovery and business continuity to be taken seriously and highlighted the importance of maintaining an up-to-date, geographically separate data center. Prior to 9/11 most businesses didn't operate a secondary data center, and more often than not all IT equipment was located on site.

Those that did have a secondary data center would operate it close to the main office. In fact, in one of my first IT jobs I remember performing a disaster recovery test with a "data center" that was just a small room with some servers in it, within a five-minute walk of the main office!

Secondly, as the popularity and adoption of the Internet grew more widespread and the digitization of data became mainstream, the term "data breach" entered everyday use. The first data breach to compromise more than 1 million records took place in March 2005, when 1.4 million credit card numbers and names were stolen from DSW Shoe Warehouse.

Following this event, data breaches kept occurring more often and on a larger scale. These days data breaches have become so commonplace that nobody bats an eyelid when a new one is announced.

These two things, along with a multitude of other events such as the increased regulatory requirements that followed the introduction of the Patriot Act, Sarbanes-Oxley and the 2008 financial crisis, meant that businesses had to start taking compliance seriously.

Compliance standards are nothing new: HIPAA was first signed into law in 1996, HITRUST was founded in 2007 and SOC 2 as we know it was introduced in 2009. However, the requirement to meet these standards has never been greater.

In the last few years I have seen a huge uptick in the number of clients requesting HIPAA- or HITRUST-compliant AWS environments. Fortunately, AWS takes these needs very seriously and has comprehensive documentation detailing how each of its services maps to most major compliance standards.

As a result, databasable has become expert at setting up compliant environments in the AWS cloud. The requirements are far too detailed to go into in this post; however, the process is more manageable than ever.

Please reach out if you want to learn more about how we can build your compliant environment.

Finally, here are some of the AWS services available to help make your cloud environments compliant. Note that using these services does not by itself make an environment compliant: under the AWS shared responsibility model, how each service is configured and operated remains the customer's responsibility, and that is where most of the compliance work lies.

Identity and access management

Amazon Cognito – Identity management for your apps.

AWS Directory Service – Managed Microsoft Active Directory.

AWS Identity & Access Management (IAM) – Manage user access and encryption keys.

AWS Resource Access Manager – Simple, secure service to share AWS resources.

AWS Secrets Manager – Rotate, manage and retrieve secrets.

AWS Single Sign-On – Cloud single sign-on (SSO) service.

Detective controls

AWS Security Hub – Unified security and compliance center.

Amazon GuardDuty – Managed threat detection service.

Amazon Inspector – Analyze application security.

Amazon Macie – Discover, classify and protect your data.

Amazon Detective – Investigate potential security issues.

Infrastructure protection

AWS Shield – DDoS protection.

AWS Web Application Firewall (WAF) – Filter malicious web traffic.

AWS Firewall Manager – Central management of firewall rules.

Data protection

AWS Key Management Service (KMS) – Key storage and management.

AWS CloudHSM – Hardware-based key storage for regulatory compliance.

AWS Certificate Manager – Provision, manage, and deploy public and private SSL/TLS certificates.

Compliance

AWS Artifact – No-cost, self-service portal for on-demand access to AWS' compliance reports.