Overview

Envi, located in Aliso Viejo, California, a subsidiary of Inventory Optimization Solutions (IOS), is an independent software vendor (ISV) that creates web-based healthcare facility supply chain solutions using the internet as a communications and procurement medium, and provides access to collaborative inventory management tools.

To protect their expanding business, a key Envi strategy is to make their platform as secure as possible, which includes performing regular assessments and quickly addressing any vulnerabilities to meet any new digital threats.

This long-term SoftServe client requested a cloud security assessment of the company’s AWS infrastructure, and to detect any issues and offer risk mitigation strategies. The assessment’s main objective was to improve Envi’s security posture and ensure their platform was in full compliance with Health Insurance Portability and Accountability Act (HIPAA) security requirements.

Project Planning and Assessment

SoftServe assembled a project team of Center of Excellence security experts, who conducted a kick-off meeting with Envi representatives to better understand the scope and context of the assessment.
Then, multiple tests were performed on the Envi AWS configuration, based on:

• AWS Well-Architected Framework: Security Pillar
• HIPAA Standards Set (Security Rule)
• Cloud Security Alliance Cloud Controls Matrix (CSA CCM)
• CIS Amazon Web Services Foundation Benchmark v1.40

Assessment Workflow

[Figure: assessment workflow diagram. Arrows show information flow, coloring does not matter.]

Additional info:

• SVC - Auxiliary Envi system self-hosted services
• ASG - Auto-scaling group
• VPC - AWS Virtual Private Cloud
• WSCF - Windows Server Failover Cluster
• ElastiCache and S3 are not available outside VPC

AWS Services Used in the Assessment

• AWS RDS
• AWS S3
• AWS VPC
• AWS Inspector
• AWS API Gateway
• AWS Certificate Manager
• AWS CloudWatch
• AWS CloudTrail
• AWS SES

SoftServe chose Amazon Inspector as an important tool in this assessment because as an automated security assessment service, it helps improve the security and compliance of applications deployed on AWS.

We used AWS Inspector to scan the dedicated set of AWS EC2 instances and container images in AWS ECR for software and network vulnerabilities. Based on the scan results containing information about any discovered vulnerabilities, we were quickly able to locate and patch threats to protect applications and prevent data breaches.

Third-Party Applications or Solutions Used in the Assessment

Open-source tools, such as ScoutSuite and Kali Linux

Results

SoftServe also delivered a detailed report that identified risks and weaknesses in Envi’s current architecture. Based on Envi’s business goals, SoftServe made security recommendations for the architecture to improve Envi’s security posture and to be more prepared for HIPAA compliance activities.

SoftServe’s team discovered a total of 22 high-severity and 29 medium-severity vulnerabilities. A list of identified risks and weaknesses with clear recommendations on how to mitigate them was compiled and presented to the client, along with a HIPAA compliance mapping table that illustrated SoftServe’s assessment findings as compared with HIPAA Security Rule requirements.
Conclusion

“This annual AWS HIPAA assessment extends our security compliance program, helps us maintain high standards, and facilitates our continuous improvement program. It also allows us to fulfill Envi’s commitment to confidentiality, availability, and the integrity of our customer’s data.”

Said one Envi team member

Following this successful cloud security assessment, Envi has instituted an annual AWS HIPAA Assessment conducted by SoftServe and was able to:

• Earn trust from their customers by fulfilling their commitment to confidentiality, availability, and integrity of customer’s data.
• Reduce risk from compliance with all applicable laws, regulations, and industry standards.

ABOUT SOFTSERVE

We are a digital authority made up of advisors, engineers, and designers who deliver innovation, quality, and speed to elevate and accelerate our clients’ digital journeys.

Our approach is built on a foundation of empathetic, human-focused experience design that ensures value and continuity from concept to release.

WE IDENTIFY WHERE YOU ARE.
WE PREPARE YOU FOR THE ROAD AHEAD.
WE TAKE YOU WHERE YOU NEED TO GO.

Visit our website, blog, LinkedIn, Facebook, and Twitter pages.

NORTH AMERICAN HQ
201 W 5th Street, Suite 1550
Austin, TX 78701
+1 866 687 3588 (USA)
+1 647 948 7638 (Canada)

EUROPEAN HQ
30 Cannon Street
London EC4M 6XH
United Kingdom
+44 333 006 4341

info@softserveinc.com
www.softserveinc.com