Automated Safeguards for Azure: Staying Safe in the Cloud

by Matt Ferrari
Co-founder and Former CTO
ClearDATA

ClearDATA recently announced the launch of our offering for the Microsoft Azure Cloud. As we also do for our customers on AWS, we build and deploy automated safeguards to help our customers remain compliant after the time of provision. We’ve been working with beta customers on Azure and are excited to bring this to market, so any Microsoft customers can take advantage of the benefits.

With Automated Safeguards for Azure Virtual Machines, ClearDATA gives customers direct access to the Azure console and Azure APIs and CLIs while programmatically establishing their environment to adhere to regulatory frameworks, like HIPAA, GDPR, GxP, etc. We started with the infrastructure, but will be quickly expanding into PaaS-based services with automated safeguards for Azure SQL and others to follow.

These safeguards allow customers to use their own tools and processes while still safely deploying sensitive workloads by automating data backup, log back up validation, virus scanning, intrusion protection, and storage volume encryption. I’ll cover this more in-depth below but know that as Azure broadens its offering, we’ll be right there to provide new safeguards to help keep our customers compliant. Safeguards save IT time, reduce human errors and help protect our customers in the cloud.

1. Azure Managed Virtual Machine Images

ClearDATA has hardened images that are the foundation upon which our customer apps are built and are secured by CIS standards. It’s important to note that because of our healthcare-exclusive expertise, we build our hardening standards with the assumption that every workload might contain PHI/PII. This drives a culture of compliance, security, and privacy, and protects all workloads, whether they contain PHI/PII or not.

Our customers deploy their applications on these hardened images which allows them to be sure they are building application environments that are hardened and well suited for handling data as they use operating systems like Windows or Linux distribution. The images receive regular security updates, so the customer can keep their infrastructure space safe. Every time a major CIS update is released, images are refreshed by ClearDATA. This restricts unapproved appliances and images that aren’t hardened and therefore should not be used for sensitive data such as PHI.

2. Azure Virtual Machine Backups

The safeguard for Azure Backup Vault enrolls Azure Virtual Machines automatically into a backup schedule when deployed. The daily back up uses a snap shot and retains it for 30 days; or can be customized to an interval specified by our customer. In the event a customer needs to restore data, they can either pull it themselves or have their 24/7 support team at ClearDATA handle it. This makes sure the customer’s machines are backed up daily, which meets both HIPAA and HITRUST requirements. Additionally, back up snap shots can show success and failure trends over time which can be found in the ClearDATA Compliance Dashboard, giving the customer a constant view into their compliance posture. The trends view proves back-ups are happening which is meant to protect PHI or other sensitive workloads from environmental loss or data loss. This is important if ever faced with an audit and you need visible proof.

3. Automated Log Archiving

The safeguard for Azure’s Log Analytics and Diagnostics enforces critical system logs to be archived outside of the virtual machine instance at least daily; and retained for a period of at least six years – a critical timeline for audit data to be preserved in order to support investigations, as well as queries and audits from inside the organization. You can see the status of this in the Compliance Dashboard via the log backup check.

4. Host Based Security Services

A fourth Safeguard for Azure Virtual Machines is Automated Deployment of Host Based Security Services (that’s another name for what many of you know as intrusion prevention and virus scanning). This utilizes Azure Virtual Machines as well as a third-party platform that’s part of the ClearDATA Azure rollout known as Trend Micro Deep Security which provides additional layers of protection against malware and network attacks while enabling autoscaling of security. With this, ClearDATA automatically deploys Host Based Security Services across all virtual machine instances, which include intrusion protection, antivirus, and log inspection. These services are key to meet HIPAA requirements because you must use electronic measures to secure PHI.

In addition to deploying these services in a compliant manner, we also provide a current and historic view of a customer’s Azure environment as it relates to intrusion protection and virus scanning by taking the information gathered from this safeguard and displaying its status in our Compliance Dashboard.

5. Automated Enrollment of Patching

Customers who use Azure Operations Management Suite or Azure Automation Accounts as features can automatically enroll in patching on a monthly basis if they use infrastructure-as-a-service (IaaS). Patch management is predictable, it has minimal impact on the customer’s environment, they can schedule change windows, and ultimately make sure their environment is patched at all times to meet the criteria they have for internal audits and internal HIPAA requirements.

6. Automated Disk Encryption

When an account is set up, there are safeguards in place within Azure Disk Encryption that ensure every disk is encrypted, every disk is secure, every disk is compliant, and that their data is encrypted at rest. Additionally, Automated Storage Account encryption is set as the automatic default. Often times, these things are neglected or forgotten due to human error during the setup process.

In Closing… the Compliance Dashboard

Our work is focused on helping you maintain compliance throughout the lifecycle of your healthcare application. Not only do we put automated safeguards in place to manage your compliance, but we also give you ongoing visibility via our Compliance Dashboard, showing your up-to-date compliance posture by way of checks in the dashboard. So, while the safeguards are in place, you can also see the status of your environment for the following checks:

• Hardened Images
• Trends and Changes in State of Compliance
• Data Center Security
• Data Backup Status
• Persistent Disk Encryption
• Patching
• Intrusion Detection
• Virus Scanning

Learn more about Automated Safeguards for Azure in this customer story: Azure, ClearDATA, & BehaVR.

Thank you for subscribing!