A staggering eighty-one percent (81%) of data breaches involve stolen or weak credentials. While two-factor authentication is now a foundational part of any identity security initiative, hackers are increasingly bypassing two-factor authentication methods.
Recently, a leader in identity governance and access management software came up with a new approach to help companies stay one step ahead of hackers in preventing unauthorized access. Their approach analyzes multiple factors of the authentication request so that two-factor authentication is only required if risks are detected. This process is called adaptive authentication or risk-based authentication and improves security while reducing user disruptions and improving usability. Their software has attracted over 1500 global customers and protects more than 150 million identities for companies across healthcare, government, financial services, and retail.
The company’s IdP product was originally offered as an on-premises appliance that customers installed in their own datacenters. In 2017, due to a combination of customer demand, competitive pressures, and a desire for improved agility, the company decided to deliver its appliance as a cloud-based SaaS offering.
Selecting a Cloud Platform and Partner
As a first step, the software company was interested in building a proof-of-concept (POC) on the cloud for one of its healthcare customers that had strict HIPAA compliance requirements. If the project was successful, it would then migrate additional customers to the cloud. However, the company had little experience in public cloud platforms. They decided to find a cloud partner with experience in complex healthcare projects, who could also help them choose the right cloud platform.
The company ultimately chose Logicworks, an AWS Premier Consulting Partner with 25 years of experience in complex healthcare IT workloads. Logicworks’ AWS services are annually audited for HIPAA compliance and were HITRUST CSF Certified in 2018.
The company chose AWS due to the maturity of its HIPAA compliance program. A large percentage of AWS’ services were covered by their Business Associate Agreement (BAA), making it easier to architect a HIPAA compliant solution. Logicworks also highlighted the reliability of AWS’ solutions for Windows and SQL Server.
Architecting a HIPAA Compliant POC
Logicworks began the project with multiple in-depth engineering conversations with the company’s internal team in order to understand the application’s requirements and build a comprehensive strategy. The company has customers across all compliance domains and regions, and its product is usually the first point of access for its customers’ end users. It needed a solution flexible enough for geographically diverse clients, and low latency and high availability were critical.
The company also has a large on-premises customer base that will be rapidly onboarding to this new SaaS offering alongside new end customers. It needed to securely and reliably spin up new infrastructure similar or identical to the existing infrastructure without requiring a lot of manual work.
Once Logicworks gathered requirements, they put together an initial architecture diagram. In order to achieve HIPAA compliance on AWS, Logicworks implemented several critical security and governance configurations, including: a bastion host in the Hub (Management) VPC, detailed Amazon CloudWatch monitoring, multi-factor authentication, central authentication, CIS-hardened machine images, and encryption using AWS Key Management Service.
In addition, Logicworks integrated Alert Logic’s Intrusion Detection System (IDS) and log management system as well as Trend Micro’s antivirus. Logicworks manages these third-party relationships and ensures that this software is installed on all instances that hold ePHI.
The application architecture requires a separate application tier to be launched for each new customer, while the database tier (Microsoft SQL Server) is multi-tenant. The Dev and Stage VPCs are shared across all clients, as is a pilot-light DR region that includes data replication.
After the architecture was approved, Logicworks built the POC environment and the company tested their application on the new infrastructure. The company delivered the software to its customer and then engaged Logicworks to manage the environment on an ongoing basis as part of its Managed AWS Service.
AWS Service Catalog and Post-POC Migrations
After the successful completion of the POC project, the software company engaged Logicworks to build a self-service catalog of AWS resources that would enable it to quickly and easily replicate its existing environment, so that it could onboard new customers and transition existing on-premises customers with little effort. Building out AWS resources manually was too time-consuming.
AWS Service Catalog is a relatively new AWS service that allows you to control access to a group of Products (pre-configured AWS CloudFormation templates). Logicworks built and customized the AWS CloudFormation templates to meet the company’s baseline requirements. Logicworks also set up AWS Service Catalog to ensure that only users with the correct permissions could launch and modify Products.
The end result is a catalog of AWS resources pre-configured to the company’s exact specifications, with its software ready to be installed. In just a few hours, the company can spin up new AWS resources and deliver its software to customers. This represents a significant gain in efficiency over onboarding customers to the on-premises appliance, where you are at the mercy of each client’s limitations.
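As an added example, not the company’s or Logicworks’ own template, this CloudFormation template defines the kind of Service Catalog setup described above: a portfolio holding one vetted baseline product, a principal association that limits launching to a single IAM role, and a launch-role constraint so that launchers never hold the underlying EC2/KMS permissions themselves. The baseline template URL and both role ARNs are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Hypothetical Service Catalog portfolio (added example, not the Logicworks template)
Parameters:
  BaselineTemplateUrl:   # placeholder S3 URL of the vetted baseline template
    Type: String
    Default: https://s3.amazonaws.com/EXAMPLE-BUCKET/customer-baseline.yaml
  OnboardingRoleArn:     # placeholder: IAM role of the team allowed to launch
    Type: String
  LaunchRoleArn:         # placeholder: role Service Catalog assumes at launch
    Type: String
Resources:
  # The portfolio groups the products a team is allowed to see.
  OnboardingPortfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: customer-onboarding
      ProviderName: cloud-platform-team
  # The product wraps the approved template as a versioned artifact;
  # launchers pick a version, they never edit the template behind it.
  CustomerBaselineProduct:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: customer-app-tier-baseline
      Owner: cloud-platform-team
      ProvisioningArtifactParameters:
        - Name: v1
          Info:
            LoadTemplateFromURL: !Ref BaselineTemplateUrl
  BaselineInPortfolio:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref OnboardingPortfolio
      ProductId: !Ref CustomerBaselineProduct
  # Only principals associated with the portfolio can see or launch its products.
  OnboardingTeamAccess:
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties:
      PortfolioId: !Ref OnboardingPortfolio
      PrincipalARN: !Ref OnboardingRoleArn
      PrincipalType: IAM
  # Launch constraint: the stack is created with LaunchRoleArn's permissions,
  # so launchers need no direct EC2, KMS or RDS rights of their own.
  RestrictLaunchRole:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: BaselineInPortfolio
    Properties:
      PortfolioId: !Ref OnboardingPortfolio
      ProductId: !Ref CustomerBaselineProduct
      RoleArn: !Ref LaunchRoleArn
```

The launch role must trust the servicecatalog.amazonaws.com service principal and carry only the permissions the baseline template needs, which keeps the per-customer stacks consistent with the approved security controls regardless of who launches them.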
Ongoing 24×7 Support
Logicworks provides ongoing monitoring, ticket support, and general maintenance support for all of the company’s AWS infrastructure. This allows the software company’s team to focus on more complex projects and leave daily AWS maintenance to Logicworks.
The company also has access to Logicworks Pulse, a central management platform that provides access to billing, notification, security, and ticket support. This central platform helps them to get real-time data on the cost and security of their AWS environment.
The two companies communicate effectively due to their Service Delivery Manager, who coordinates questions, projects, and tickets to ensure that everything’s running smoothly. She acts like a portal to all of Logicworks and acts like air traffic control when there are a lot of moving pieces.
As a result of migrating to AWS with Logicworks, the company has been able to offer their IdP software as a reliable SaaS product, ensuring that they can continue to lead the market in adaptive authentication.
The security of their AWS environment has been one of their biggest gains. From native security tools to Logicworks’ automated controls, they are confident that their SaaS product meets the highest security standards.
The custom automation Logicworks built has led to a significant decrease in customer onboarding time, from several weeks to just 2-3 days. The company is confident that when it creates new AWS resources using AWS Service Catalog, all of its security and compliance requirements are baked in. The end result is a very consistent, secure environment that scales.
Over the course of the last year, the software company has continued to onboard new and existing customers to AWS and plans to expand their cloud usage. As their team continues to deliver innovative authentication solutions, they know that the underlying infrastructure is ready to scale to meet their needs.
Logicworks, the leader in compliant cloud solutions, provides end-to-end cloud strategy, operations, and security services to clients in the finance, healthcare, and SaaS industries. Logicworks is an AWS Premier Consulting Partner and Microsoft Gold Certified Partner, and one of the only cloud partners in the world to have achieved HIPAA, HITRUST CSF, PCI-DSS Level 1, SOC1, and SOC2 certification. Our customers include MassMutual, Pitney Bowes, Orion Health, and other top companies that demand the highest standards of agility and governance.