Data security
Introduction
The cloud – and your data therein – is extremely secure: Provided you and your research group learn and follow security guidelines. On this page we describe essential security practices, the primary one being: Learn the ropes and how to avoid common mistakes. Under the security umbrella you may hear terms related to HIPAA compliance. HIPAA is a domain of federal regulation for information about people. The associated cloud technology can be translated as extremely secure.
CC*IIE Remarks
Objective and Approach
A research team must operate freely on data that is considered private or protected.
We conform to the stringent security requirements for HIPAA compliance as these apply
to the task of securely holding and operating on project data.
This work breaks down in down as four sub-topics.
- Encryption of data at rest and in motion
- Maintaining a secure virtual machine
- Logging access to the environment
- Research team education and practice
In addition the considerations of account management (particularly cost-tracking) also apply.
Solution
We build on the AWS technology stack:
- S3 bucket storage must require encryption on ingress.
- A Virtual Private Cloud (VPC) with a private sub-net for sequestered virtual machines
- Configure virtual machines via an NAT gateway to block unwanted external access
- Enabled Cloud Watch / Cloud Front logging and associated access alarms
- Bastion server and key-protected tunneling
- Access management procedures for research group members
- Education: How to protect access keys, how to stop virtual machines to manage cost etcetera
Results
Our end-result is a template for starting, operating, and shutting down a secure computing environment.
Encryption
- Data are encrypted in transit by means of secure socket layers, i.e. using https connections directly to S3 buckets.
- Transport Layer Security (current) and Secure Sockets Layer (predecessor) are both referred to as SSL
- The Wikipedia page provides a good overview
- Similarly data are moved to and from attached EBS volumes using SSL via an S3 endpoint: Data signals are routed entirely within the AWS cloud structure.
- S3 buckets are assigned a policy whereby they do not receive / ingress data unless these data are requested to be encrypted.
-
Similarly EBS attached volumes are required to be encrypted.
- AWS Key Management
Secure Computing Environment (VMs)
Logging
Training and best practices for research team members
Additional facets of data security
Access Control
For both AWS and Azure public clouds, Identity and Access Management (IAM) controls access to cloud services and resources. The account administrator creates users and groups, assigns permissions and monitors access.