Leading CRM Provider Improves Configuration Checks on AWS Resources to Comply with HIPAA Framework

Published on June 16, 2023

Challenge

A globally recognised CRM provider engaged Protiviti to help it better protect customer data while meeting each customer's own regulatory requirements. The client needed an efficient, repeatable way to run configuration checks on its AWS resources so that it could demonstrate continued compliance with the HIPAA framework and grow its footprint in the healthcare industry.

Client Snapshot:

Profile 

This leading CRM provider has built its globally recognised brand by earning the trust of its customers through transparency, security, compliance, privacy and performance to deliver the industry's most trusted infrastructure.

Client Situation 

The client needed to more effectively protect customer data and comply with each customer’s regulatory requirements.

Work Performed 

Protiviti worked with the client to implement AWS Config, AWS managed Config rules, conformance packs, and aggregators to build a comprehensive solution.

Outcome/Benefits 

Provided a master list of all in-scope resources that can enable or disable encryption at rest. Identified risk areas across 50+ AWS resources to be adjusted prior to declaring a HIPAA self-certification.

Solution

The first major concern was verifying encryption across all services in use. To do so, Protiviti used AWS Config to deploy rules that check resources against HIPAA's stringent requirements. Protiviti also built a custom conformance pack to package the desired rules and deploy them across all relevant regions and production accounts in the client's AWS environment.

Utilising AWS

Throughout the engagement, Protiviti used AWS Config, AWS managed Config rules, conformance packs, and aggregators to build a comprehensive solution. The conformance pack consisted of 27 AWS managed rules covering 16 services used by the client, allowing the rules to be packaged and deployed as a single unit. In addition, an aggregator was configured to centralise results from all production accounts and regions in one location.

Protiviti also developed custom AWS Config rules backed by AWS Lambda to perform more complex checks on IAM resources, verifying that least privilege and company policy are followed. Lastly, Protiviti used Amazon CloudTrail and CloudWatch to log and monitor API calls made to AWS Config itself, so that changes to the rules or the configuration recorder are visible rather than silent.
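As an added example of what such a Lambda-backed custom rule looks like (this is illustrative code, not Protiviti's or the client's), the handler below evaluates IAM roles, users, groups and customer managed policies and marks any that contain an unconditional `Allow` of a wildcard action on `Resource "*"` as `NON_COMPLIANT`. It assumes the change-triggered custom rule contract (`invokingEvent`, `ruleParameters`, `resultToken`, `PutEvaluations`) and the field names AWS Config records for IAM resources (`rolePolicyList`, `policyVersionList`, URL-encoded policy documents). The `ExemptResourceNames` rule parameter is a hypothetical name, and the sample configuration items are constructed fixtures.

```python
"""Custom AWS Config rule (Lambda) flagging IAM policies that grant wildcard
actions on Resource "*" without a Condition. Added example, not the
engagement's code; configuration-item field names follow what AWS Config
records for IAM resources, and the sample items below are constructed."""
from __future__ import annotations
import json
import urllib.parse

# Where AWS Config stores inline policy documents for each principal type.
_INLINE_POLICY_KEYS = {
    "AWS::IAM::Role": "rolePolicyList",
    "AWS::IAM::User": "userPolicyList",
    "AWS::IAM::Group": "groupPolicyList",
}

def _as_list(value) -> list:
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]

def find_overly_permissive_statements(policy_doc: dict) -> list[str]:
    """Describe each Allow statement combining a wildcard action ("*", "svc:*"
    or any NotAction) with Resource "*" and no Condition. Conditional
    statements are deliberately left for human review rather than auto-failed."""
    findings = []
    for index, st in enumerate(_as_list(policy_doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        wildcard_action = "NotAction" in st or any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action and "*" in _as_list(st.get("Resource")) and not st.get("Condition"):
            sid = st.get("Sid") or f"Statement[{index}]"
            findings.append(f"{sid} allows {actions or 'NotAction'} on Resource *")
    return findings

def _policy_documents(item: dict) -> list[tuple[str, dict]]:
    """Decode the URL-encoded policy documents carried by an IAM configuration item."""
    config, rtype, docs = item.get("configuration") or {}, item["resourceType"], []
    if rtype == "AWS::IAM::Policy":  # managed policy: only the default version is in force
        for v in config.get("policyVersionList", []):
            if v.get("isDefaultVersion"):
                docs.append((f"version {v.get('versionId')}", json.loads(urllib.parse.unquote(v["document"]))))
    elif rtype in _INLINE_POLICY_KEYS:
        for p in config.get(_INLINE_POLICY_KEYS[rtype], []):
            docs.append((f"inline policy {p.get('policyName')}", json.loads(urllib.parse.unquote(p["policyDocument"]))))
    return docs

def evaluate_configuration_item(item: dict, rule_params: dict = None) -> tuple[str, str]:
    """Map one configuration item to (ComplianceType, Annotation)."""
    rule_params = rule_params or {}
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "Resource deleted"
    if item["resourceType"] != "AWS::IAM::Policy" and item["resourceType"] not in _INLINE_POLICY_KEYS:
        return "NOT_APPLICABLE", f"{item['resourceType']} is not evaluated by this rule"
    # Hypothetical rule parameter: comma-separated names allowed full access (e.g. a break-glass role).
    exempt = {n.strip() for n in rule_params.get("ExemptResourceNames", "").split(",") if n.strip()}
    if item.get("resourceName") in exempt:
        return "COMPLIANT", "Exempted by ExemptResourceNames"
    findings = [f"{label}: {f}" for label, doc in _policy_documents(item)
                for f in find_overly_permissive_statements(doc)]
    if not findings:
        return "COMPLIANT", "No unconditional wildcard Allow statements"
    return "NON_COMPLIANT", "; ".join(findings)[:256]  # PutEvaluations caps Annotation at 256 chars

def lambda_handler(event: dict, context) -> dict:
    """Entry point AWS Config invokes for a change-triggered custom rule."""
    invoking = json.loads(event["invokingEvent"])
    if invoking.get("messageType") != "ConfigurationItemChangeNotification":
        raise ValueError("oversized items need get_resource_config_history; not handled here")
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_configuration_item(item, json.loads(event.get("ruleParameters") or "{}"))
    evaluation = {"ComplianceResourceType": item["resourceType"], "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance, "Annotation": annotation,
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    import boto3  # imported lazily so the evaluation logic above runs offline
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

def build_sample_item(rtype: str, name: str, policy_doc: dict) -> dict:
    """Constructed configuration item carrying one inline policy (fixture, not real data)."""
    return {"resourceType": rtype, "resourceId": f"AROAEXAMPLE{name.replace('-', '').upper()}",
            "resourceName": name, "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2023-06-16T00:00:00.000Z",
            "configuration": {_INLINE_POLICY_KEYS[rtype]: [
                {"policyName": f"{name}-inline",
                 "policyDocument": urllib.parse.quote(json.dumps(policy_doc), safe="")}]}}

SAMPLE_ADMIN_ROLE = build_sample_item("AWS::IAM::Role", "app-admin", {"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}]})
SAMPLE_SCOPED_ROLE = build_sample_item("AWS::IAM::Role", "app-reader", {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-phi-bucket/*"}]})

if __name__ == "__main__":
    for item in (SAMPLE_ADMIN_ROLE, SAMPLE_SCOPED_ROLE):
        print(item["resourceName"], evaluate_configuration_item(item))
```

To deploy a rule like this, the Lambda execution role needs `config:PutEvaluations`, the function needs a resource-based permission allowing `config.amazonaws.com` to invoke it, and the Config rule is scoped to the `AWS::IAM::Role`, `AWS::IAM::User`, `AWS::IAM::Group` and `AWS::IAM::Policy` resource types. Statements that are wildcarded but carry a `Condition` are left compliant on purpose so they surface in review rather than flooding the aggregator with findings the team will learn to ignore.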

Outcome

Protiviti provided the client with a master list of all in-scope resources that can enable or disable encryption at rest. The project team also identified risk areas across 50+ AWS resources to be adjusted and re-reviewed prior to declaring a HIPAA self-certification. This saved the client's GRC and engineering teams 6,000+ hours that would otherwise have been spent manually sampling AWS resources across all services in use.
