Background:
 
QPAIR understands that governance can be a huge challenge for Life Sciences teams building cloud native applications. The governance challenges span cloud, data, compliance and quality. Without a proper governance strategy, cloud infrastructure becomes riskier and its operational overhead (people and infrastructure) can grow many times over, ultimately at the expense of the business product or service. So QPAIR set out to tackle this challenge for Kaleido and developed a comprehensive methodology that not only defines the cloud governance strategy but also integrates it into continuous operations through a unique score-card methodology.
 
Problem:
 
With the Life Sciences industry being regulated and subject to many different rules, Kaleido wanted to make sure its cloud operations were compliant. Teams working in the Life Sciences industry have to make sure they are HIPAA, HITRUST and GxP compliant. Kaleido's teams did not want to do anything unsafe, insecure or expensive with their EC2 machines and other resources. Since legal compliance is very important in this industry, existing and future VPCs had to be compliant and regulated.
 
Solution:
 
QPAIR builds security strategy and processes based on the NIST Cybersecurity Framework and the HIPAA and GxP requirements. The NIST CSF addresses the key domains required to manage cybersecurity incidents and to protect sensitive information. QPAIR used AWS tags to identify and classify AWS resources according to whether they fall under HIPAA, GxP and so on. QPAIR's custom code was used to identify each resource's compliance needs and the actionable tasks it required. QPAIR leveraged AWS services such as AWS Config rules to make sure all resources stayed compliant over time. The solution included the following: AWS Config and Config Rules, AWS CodePipeline, AWS CodeBuild, AWS Lambda and AWS CloudFormation.
    ● AWS Config (and Config Rules) – a fully-managed service for tracking AWS resource inventory and changes. Config Rules are used to ensure that existing and new AWS resources conform to your company's security policies and best practices.
    ● AWS CodePipeline – a fully-managed service for releasing software using Continuous Delivery. Used to orchestrate AWS Config and Config Rules changes to your AWS account.
    ● AWS CodeBuild – a fully-managed service for building and testing code. Used to build and deploy Config Rules artifacts to your AWS account.
    ● AWS Lambda – a fully-managed service for running your code in response to events. Used to write custom Config Rules in your preferred programming language.
    ● AWS CloudFormation – a tool for creating and managing AWS resources with templates. Used to automate the entire AWS Config solution in code to achieve continuous compliance.
We classified resources and mapped them to the AWS Config rules applicable to the Life Sciences industry. QPAIR also deployed custom solutions for high security and compliance requirements. "We have built a custom compliance monitoring solution that performs log forensics and alerts teams to respond proactively." HIPAA and GxP were applicable because Kaleido is preparing for external audits.
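The tag-based classification and the custom Lambda-backed Config rule described above can be combined in one rule. The following is an added example written for this page, not QPAIR's or Kaleido's code: it assumes a tag key `Compliance` with values `HIPAA` or `GxP` marks a resource as in regulated scope, and it flags in-scope EBS volumes and RDS instances that are not encrypted at rest while reporting everything else as NOT_APPLICABLE.

```python
"""Custom AWS Config rule (Lambda): tag-scoped encryption-at-rest check."""
import json

# Assumed tagging convention (not from the case study): Compliance=HIPAA or
# Compliance=GxP puts a resource in regulated scope; anything else is NOT_APPLICABLE.
SCOPE_TAG_KEY = "Compliance"
IN_SCOPE_VALUES = {"HIPAA", "GxP"}

# Encryption-at-rest attribute per resource type, as recorded in the item's "configuration".
ENCRYPTION_ATTRIBUTE = {
    "AWS::EC2::Volume": "encrypted",
    "AWS::RDS::DBInstance": "storageEncrypted",
}

def evaluate(item):
    """Return one Config evaluation dict for a configuration item."""
    resource_type = item["resourceType"]
    tags = item.get("tags") or {}
    attr = ENCRYPTION_ATTRIBUTE.get(resource_type)
    if item.get("configurationItemStatus") == "ResourceDeleted":
        compliance, note = "NOT_APPLICABLE", "Resource deleted"
    elif attr is None or tags.get(SCOPE_TAG_KEY) not in IN_SCOPE_VALUES:
        compliance, note = "NOT_APPLICABLE", "Not tagged into a regulated scope"
    elif (item.get("configuration") or {}).get(attr) is True:
        compliance, note = "COMPLIANT", f"{attr} is enabled"
    else:
        compliance, note = "NON_COMPLIANT", f"{tags[SCOPE_TAG_KEY]} scope requires {attr}=true"
    return {
        "ComplianceResourceType": resource_type,
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Entry point invoked by AWS Config; reports the verdict via PutEvaluations."""
    import boto3  # imported lazily so evaluate() is testable without the SDK
    item = json.loads(event["invokingEvent"])["configurationItem"]
    evaluation = evaluate(item)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation["ComplianceType"]

# Constructed sample configuration item (not real account data) for local runs.
SAMPLE_VOLUME = {
    "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example",
    "configurationItemStatus": "OK", "tags": {"Compliance": "HIPAA"},
    "configuration": {"encrypted": False}, "configurationItemCaptureTime": "2023-01-01T00:00:00.000Z",
}
```

Deploying it requires the Lambda execution role to hold `config:PutEvaluations` and the rule to be registered with AWS Config as a custom rule triggered by configuration changes for the two resource types.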
 
Success Story:
Kaleido has now set up AWS Config as one of its main compliance tools, one that can be used to work with all applicable regulations while daily operations continue. When they are audited, they will not have to worry about the regulations, because the solution provided makes sure they are compliant with both HIPAA and GxP.
 