The history of HealthCare.gov has been riddled with security issues, but it recently moved to AWS. What specifically, if anything, about AWS could improve HealthCare.gov security?
HealthCare.gov security has certainly made the news in the past. Moving the site to Amazon Web Services (AWS) obviously improved scalability and availability, but it also allowed the Centers for Medicare and Medicaid Services (CMS) to take advantage of the security features of the Amazon cloud.
Using a cloud provider allows customers -- including the CMS -- to share security responsibilities. For example, Amazon is responsible for securing the physical infrastructure of its service. The same economies of scale that drive down the cost of computing and storage services also benefit security practices. Policies, procedures and monitoring protocols can all scale as additional physical infrastructure is brought online.
Amazon is also responsible for some levels of network security, particularly those related to Internet and cross-data-center traffic. Customers begin to assume responsibility for network security at the level of logically isolated networks. AWS offers virtual private clouds (VPCs), which can be thought of as virtual networks within the AWS network. Each VPC is logically isolated from other VPCs, so no traffic moves between them unless explicitly configured to do so. Each VPC is configured with a range of IP addresses, a set of subnets, routing tables, network gateways and other security settings.
A best practice in the AWS environment is to treat infrastructure as software. Open source configuration tools such as Chef and Puppet complement AWS services, including OpsWorks and Cloud Configuration. These tools and services allow architects and system administrators to define, in configuration files, sets of resources such as servers, load balancers and block storage devices. These files are then used to deploy resources automatically as demand dictates.
AWS security features, such as identity management and key management services, are popular among customers. Identity management services enable the use of groups, roles, users and privileges to limit access to services and resources. Key management services help securely store cryptographic keys and implement associated best practices like key rotation.
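Because the infrastructure is defined in files, the three controls described above (VPC isolation, least-privilege IAM and key rotation) can be checked mechanically before a template is deployed. The following is an added example, not code from the original answer or from CMS; the CloudFormation-style template, the resource names and the assumption that only ports 80 and 443 may be open to the world are constructed for illustration.

```python
import json
# Constructed CloudFormation-style template (not CMS's real configuration):
# each resource carries one deliberately weak setting for the checks to catch.
TEMPLATE = json.loads("""{"Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "AppRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{"PolicyName": "app",
    "PolicyDocument": {"Statement": [
      {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"},
      {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
  "DataKey": {"Type": "AWS::KMS::Key", "Properties": {"EnableKeyRotation": false}}}}""")

WEB_PORTS = {80, 443}  # assumption: the only ports a public web tier exposes to 0.0.0.0/0
as_list = lambda v: v if isinstance(v, list) else [v]  # IAM fields may be string or list

def check_security_group(name, props):
    """VPC isolation: ingress open to the world is tolerated only on the web ports."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        ports = set(range(int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535)) + 1))
        if world and not ports <= WEB_PORTS:
            findings.append(f"{name}: world-open ingress on ports {min(ports)}-{max(ports)}")
    return findings

def check_iam_role(name, props):
    """Least privilege: no Allow statement may use a bare '*' Action or Resource."""
    findings = []
    for pol in props.get("Policies", []):
        for st in pol["PolicyDocument"].get("Statement", []):
            if st.get("Effect") == "Allow" and ("*" in as_list(st.get("Action", []))
                                               or "*" in as_list(st.get("Resource", []))):
                findings.append(f"{name}/{pol['PolicyName']}: wildcard Action or Resource")
    return findings

def check_kms_key(name, props):
    """Key management: automatic rotation must be switched on."""
    return [] if props.get("EnableKeyRotation") is True else [f"{name}: key rotation disabled"]

CHECKS = {"AWS::EC2::SecurityGroup": check_security_group,
          "AWS::IAM::Role": check_iam_role, "AWS::KMS::Key": check_kms_key}

def audit(template):
    """Run every applicable check over the template; returns the list of findings."""
    findings = []
    for name, res in template["Resources"].items():
        if res["Type"] in CHECKS:
            findings.extend(CHECKS[res["Type"]](name, res.get("Properties", {})))
    return findings
```

Running `audit(TEMPLATE)` reports the SSH rule open to the world, the wildcard IAM statement and the unrotated key, while the legitimate HTTPS rule and the scoped S3 statement pass.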
While each individual AWS security feature, together with the low-level network and physical security controls, improves security incrementally, the tight integration of all these services is perhaps the most important reason why running applications in an IaaS cloud such as AWS can deliver a given level of security at lower cost than implementing comparable controls on premises.
Ask the Expert:
Want to ask Dan Sullivan a question about cloud security? Submit your questions now via email. (All questions are anonymous.)