Companies that handle health data are automatically subject to HIPAA regulations. Attempting to build the technical controls on top of the existing infrastructure is frequently more complicated than a lift-and-shift into a new AWS organization built with compliance in mind. Companies need to architect their infrastructure to meet these standards from the ground up.

To achieve HIPAA compliance on AWS, you will need to follow these steps:

1. Review the AWS HIPAA Compliance^[1]https://aws.amazon.com/compliance/hipaa-compliance/ page to understand the AWS shared responsibility model and the specific AWS services covered by HIPAA.
2. Sign a Business Associate Agreement (BAA) with AWS. This contract outlines the responsibilities of both AWS and the customer concerning HIPAA compliance.
3. Follow the AWS HIPAA Implementation Guide ^[2]https://docs.aws.amazon.com/whitepapers/latest/architecting-hipaa-security-and-compliance-on-aws/architecting-hipaa-security-and-compliance-on-aws.html to configure your AWS environment in a way that is compliant with HIPAA requirements. This includes setting up appropriate access controls, data encryption, and other security measures.
4. Conduct regular audits to ensure your AWS environment complies with HIPAA requirements.
5. If you are storing or processing electronically protected health information (ePHI) on AWS, you must follow additional requirements, such as implementing access controls and conducting risk assessments.
6. Finally, carefully review and follow all applicable laws and regulations related to HIPAA compliance. This includes federal and state laws that may apply to your organization.

HIPAA is not prescriptive on how the technical controls are implemented. Instead, HIPAA defines a set of high-level expectations, but it’s up to the responsible party (e.g. Customer) to assert what controls are in place for each safeguard.

Our AWS reference architecture for terraform has a Foundational Security & Compliance pillar that addresses the implementation of the technical controls for HIPAA compliance. Choose one of our Jumpstart or Enterprise tracks to implement it.

For further details on our implementation, see AWS HIPAA Compliance for Healthcare Companies (Healthtech).

Organizations that store client information in the cloud (e.g. cloud service providers, SaaS providers) benefit from a SOC 2 report that proves a client’s data is protected and kept private from unauthorized users. No particular industry requires these reports, but businesses often require them in financial services, including banking, investment, insurance, and security. If you are a technical service provider, a Publicly traded company, a startup setting its sights on IPO/SPAC, or a company working with other enterprises, then there is a good chance that either a client or business partner will require a SOC audit. Companies need to architect their infrastructure to meet these standards from the ground up.

SOC2 Considerations

What makes SOC2 unique is that it doesn't prescribe what technical controls are required. Instead, SOC2 defines a set of high-level expectations, but it’s up to the responsible party (e.g. Customer) to assert what controls are in place for each pillar.

1. Logical and physical access controls
2. System operations
3. Change management
4. Risk mitigation

The typical approach to addressing these controls is using a combination of one or more of the compliance standards such as CIS, HITRUST, NIST, ISO27001, etc. Organizationally, this is a decision that has both technical and procedural impacts.

The Technical Benchmark Framework should satisfy the vast majority of requirements for SOC2, which means most likely selecting more than one framework.

Cloud Posse’s strategy is to deploy AWS SecurityHub and enable the AWS Config Conformance Packs containing the security controls to meet the operational best practices of a given compliance framework, then remediate all the findings. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed across an AWS organization. With AWS Config we can evaluate whether your AWS resources comply with standard best practices of a given technical benchmark. Cloud Posse has all the Terraform modules to accelerate this implementation.

Since Security Hub, GuardDuty, and AWS Config are regional AWS services, we must deploy them to all enabled regions. Security Hub and GuardDuty Administrator accounts will need to be deployed first. On top of that, the region designated as the Global Collector Region needs to be deployed afterward.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard created by a consortium of major card brands including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

PCI DSS applies to companies that store, process, or transmit cardholder data (CHD), such as merchants, processors, acquirers, issuers, and service providers. The PCI DSS is mandated by the card brands and administered by the Payment Card Industry (PCI) Security Standards Council (SSC).

Attempting to build the technical controls on top of the existing infrastructure is frequently more complicated than a lift-and-shift into a new AWS organization built with compliance in mind. Companies need to architect their infrastructure to meet these standards from the ground up. While PCI/DSS is prescriptive on what technical controls are needed and provides Cloud Computing
Guidelines^[1]https://listings.pcisecuritystandards.org/pdfs/PCI_SSC_Cloud_Guidelines_v3.pdf, but not on how they are implemented. It is up to the responsible party (e.g. SaaS Company) must assert what controls are in place for each safeguard.

PCI DSS v.3.2.1^[2]https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf consists of 12 requirements spread across six objectives.

Our blueprint deploys AWS SecurityHub, then enables Security Hub’s PCI DSS v3.2.1 standard^[3]https://aws.amazon.com/blogs/security/how-to-use-the-aws-security-hub-pci-dss-v3-2-1-standard/ and the conformance packs required to meet PCI/DSS operational best practices ^[4]https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-pci-dss.html. Together, these provide a helpful framework to meet PCI/DSS requirements, given its broad scope of security controls. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed across an AWS organization. With AWS Config we can evaluate whether your AWS resources comply with the standard best practices of a given technical benchmark. Cloud Posse has all the pre-existing Terraform modules to accelerate this implementation.

Our AWS reference architecture for terraform has a Foundational Security & Compliance pillar that addresses the implementation of the technical controls for PCI/DSS compliance. Choose one of our Jumpstart or Enterprise tracks to implement it.

Our reference architecture is ideally suited for businesses seeking to migrate from Aptible to AWS but needs some help.

Aptible is a platform that helps organizations deploy and manage applications on the cloud in a secure and compliant manner. It provides tools and services for building, testing, and deploying cloud-native applications and monitoring and securing those applications. Aptible is focused on helping organizations meet regulatory requirements, such as HIPAA and GDPR, and provides a range of compliance-related features, such as audit logs and secure infrastructure. Aptible is often used by organizations in regulated industries, such as healthcare and finance, to help them achieve and maintain compliance with various regulations.

Reasons to Migrate to AWS

There are several reasons why companies might outgrow Aptible or want to migrate from Aptible to Amazon Web Services (AWS):

1. Cost: Aptible is a cloud platform, so you pay for the resources you use. As your company grows and your usage increases, the cost of using Aptible can become more expensive than other options, such as running your applications directly on AWS.
2. Feature set: Aptible is a specialized platform focused on compliance and security. If your company's needs go beyond these areas, you may consider a more comprehensive platform like AWS that offers a broader range of features and services.
3. Customizations: Aptible provides tools and services for building, deploying, and managing applications on the cloud. If you want more control over your infrastructure and the ability to customize it to meet your specific needs, you may consider running your applications directly on AWS.
4. Integrations: If you are using other AWS services or want to take advantage of AWS's integrations with other platforms and tools, you may find it easier to run your applications directly on AWS.

The decision to migrate from Aptible to AWS (or any other platform) will depend on your specific business needs and priorities. It's important to carefully evaluate your options and consider factors like cost, feature set, customization, and integration before deciding.

How to Migrate to AWS

Since you're already operating on Aptible, your applications are easy to migrate because they follow the 12-Factor App pattern. But where you'll need the most help is ensuring your infrastructure remains compliant with the security benchmarks (e.g. SOC2, HIPAA, HITRUST, PCI/DSS, etc). We support the full suite of AWS security-oriented compliance tools like AuditManager, SecurityHub, GuardDuty, Macie, Inspector, Firewall Manager, and more.

You may also need help with the CI/CD and observability areas. These need considerable attention when moving to AWS. We've got you covered.

We support migrations from Aptible to AWS via our Enterprise DevOps Accelerator service. Our Foundational Platform pillar will deliver a platform of either ECS Fargate or EKS (Kubernetes), and when coupled with our Foundational Release Engineering will provide a solid process for CI/CD including build/test, preview environments (aka Review Apps), and release promotion to development, staging, and production environments with approval gates. Our Foundational Site Reliability Engineering (SRE) pillar established the essential observability tier. Our Foundational Security and Compliance pillar will lay the foundation to achieve benchmark compliance (e.g. HIPAA, HITRUST, PCI/DSS, SOC2 Type II, etc).

AWS modernization migrations involve moving existing applications or workloads to the cloud. Companies already operating on Amazon Web Services (AWS), can re-platform to take better advantage of the scalability, reliability, and cost-effectiveness of the AWS cloud.

Replatforming on AWS using Kubernetes or ECS can help you modernize your application by taking advantage of the scalability, reliability, and cost-effectiveness of the AWS cloud. It can also make it easier to manage and operate your application, as both Kubernetes and ECS provide features like self-healing, horizontal scaling, and automated rollouts and rollbacks.

AWS EKS (Kubernetes) is based on an open-source container orchestration system that allows you to deploy and manage containerized applications at scale. It provides out-of-the-box self-healing, horizontal scaling, and automated rollouts and rollbacks. Amazon Elastic Container Service for Kubernetes (EKS) is a managed Kubernetes service that makes it easy to deploy and run Kubernetes on AWS.

ECS is a fully managed container orchestration service that makes it easy to run, scale, and secure containerized applications on AWS. It is designed to be used with Docker containers and allows you to run applications on a scalable, high-performance infrastructure. If you want a simple and cost-effective way to run containers and don't need advanced features or customization options of EKS, ECS might be a better fit than EKS.

Engine Yard is a cloud platform that helps developers build, deploy, and manage applications on the cloud. It provides a range of tools and services for building and running applications, including a platform-as-a-service (PaaS) offering and support for popular open-source frameworks and languages like Ruby on Rails, Node.js, and Python. Engine Yard is focused on helping developers build and run applications quickly and efficiently. It provides automatic scaling, rolling deployments, and integrated monitoring and logging to make this easier. Engine Yard is often used by developers who want to build and deploy applications on the cloud but don't want to spend much time on infrastructure management.

Reasons to Migrate to AWS

There are several reasons why companies might want to migrate from Engine Yard to Amazon Web Services (AWS):

Costs: Engine Yard is a managed cloud platform, so you pay a premium for the resources you consume. As your company grows and your usage increases, using Engine Yard can become more expensive than other options, such as running your applications directly on AWS EKS or ECS.

Feature sets: AWS offers a wide range of products and services that can be used to build and run applications on the cloud. If you need more features or flexibility than what Engine Yard provides, you may want to consider moving to AWS.

Customizations: Engine Yard provides tools and services for building and running applications on the cloud. If you want more control over your underlying infrastructure and the ability to customize it to meet your specific needs, you may consider running your applications directly on AWS.

Integrations: If you are using other AWS services or want to take advantage of AWS's integrations with other platforms and tools, you may find it easier to run your applications directly on AWS.

The decision to migrate from Engine Yard to AWS will depend on your specific business needs and priorities. It's important to carefully evaluate your options and consider factors like cost, feature set, customization, and integration before deciding.

How to Migrate to AWS

Since you're currently operating on Engine Yard, your applications are easy to migrate because they follow the 12-Factor App pattern. But where you'll need the most help is ensuring your infrastructure continues to serve your developers with the ease of use of Engine Yard.

You may also need help with the CI/CD and observability areas. These need considerable attention when moving to AWS. We've got you covered.

We support migrations from Engine Yard to AWS via our Enterprise DevOps Accelerator service. Our Foundational Platform pillar will deliver a platform of either ECS Fargate or EKS (Kubernetes), and when coupled with our Foundational Release Engineering, will provide a solid process for CI/CD including build/test, preview environments (aka Review Apps), and release promotion to development, staging, and production environments with approval gates. Our Foundational Site Reliability Engineering (SRE) pillar established the essential observability tier. For companies with compliance needs (e.g. HIPAA, HITRUST, PCI/DSS, SOC2 Type II, etc), our Foundational Security and Compliance pillar will lay the foundation to achieve benchmark compliance.