Over the last quarter, we released a number of new features and updates for the Enclave deployment platform. We also began helping customers deployed on AWS to manage their organization’s security and compliance using Gridiron.
Yesterday, in a brief webinar, our team reviewed the updates to the Enclave platform and showed how Gridiron helps software developers build and maintain strong security management programs.
In case you missed it, you can download the slide deck and get the transcript in our resources section, or watch the full event below. We also provide a quick recap in this blog post.
New for Enclave
We intend for Enclave to be the best platform for developers to deploy regulated and sensitive software products. This quarter, we focused on improving Enclave in three ways: security and compliance, database self-service, and general usability improvements.
Security and Compliance
We launched new ways to secure apps and meet compliance goals while improving the security of Enclave itself.
We’ve previously detailed these improvements on our blog. Here’s the list:
We also launched a few small improvements that should make developers' lives easier when deploying with Enclave:
- Runaway SSH sessions are now cleaned up when your client disconnects, rather than lingering on the host
- Memory management restarts apps in pristine containers when they exceed their memory limits
- Enclave Log Drains now integrate with Sumo Logic and Logentries as alternatives to rolling your own ELK stack
Gridiron is our suite of tools that helps developers build and maintain strong security management programs. Gridiron makes the administrative side of protecting data easy and helps to prepare you for regulatory audits as well as customer security reviews.
In the webinar, we gave a short talk-through of how Gridiron approaches security management. This starts with the Gridiron Data Model: an API that integrates data from your business, our experience working with hundreds of customers in securing sensitive data, and industry-wide security standards drawn from NIST guidance, vulnerability and attack databases, and shared threat intelligence.
Gridiron ingests data about your business through a series of straightforward and relevant questions that are easy to answer but have important implications for your internal security program.
Gridiron uses that data to create deliverables that help you show security and compliance as well as improve your business operations.
Getting started with Gridiron
If you’d like to improve your organization’s security and compliance and simplify the process for working through customer security reviews and regulatory audits, please get in touch. For a limited time we’re offering early access pricing for customers who have deployed on AWS.
Register Now for July 2017 Aptible Product Update Webinar
Our next product update webinar will be hosted on July 25, 2017 at 11am Pacific / 2pm Eastern.
Please register now.
All registrants will receive a webinar recap and the recording shortly after the conclusion of the webinar.
Are Aptible customers affected by Cloudbleed?
No, not by virtue of using Aptible. Aptible does not use Cloudflare, and as such, our services and customer environments were not affected by the Cloudbleed vulnerability disclosed yesterday.
That said, if you use or used Cloudflare, you may be affected. You can read Cloudflare’s official description of Cloudbleed here.
If I used Cloudflare to cache PHI, what should I do?
Unfortunately, you should activate your incident response plan and talk to your lawyer immediately. HIPAA or your business associate contracts may require you to conduct mitigation and to issue breach and/or security incident notifications.
Cloudbleed is one issue. A second is that if you were using Cloudflare to cache PHI through its CDN without a business associate agreement (BAA), you may already have been in breach of the HIPAA rules before this disclosure.
Some have suggested that Cloudflare might not be a HIPAA business associate because of an exception to the definition of business associate known as the “conduit” exception. Cloudflare is almost certainly not a conduit. HHS’s recent guidance on cloud computing takes a very narrow view:
The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.
HHS's Office for Civil Rights (OCR) hasn't clarified what "temporary" means or whether a CDN would qualify, but again, almost certainly not: caching is data storage, and it is a critical, non-incidental component of what a CDN does.
What if I used Cloudflare to cache PII?
Again, activate your incident response plan and talk to your lawyer. HIPAA is just one of many data privacy regulations. Many states require companies to report breaches of personally identifiable information belonging to residents of that state.
What if I used Cloudflare for data aside from PHI or PII?
To be safe, rotate every credential that might have passed through Cloudflare to or from your app: session cookies (invalidate existing sessions rather than waiting for them to expire), API keys, and user passwords.
What else should I do?
We encourage you to rotate your passwords for any service that used Cloudflare between September 22, 2016, and February 18, 2017, the window Cloudflare reports the bug was live. Cloudflare has not released a list of affected services. You can find one security researcher's list of Cloudflare DNS customers (which is likely overinclusive) here.
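The rotation advice in the two answers above (session cookies, API keys and passwords; every service exposed during the window) is far easier to carry out when credentials are designed to be retired in bulk. The following is an added example, not Aptible's code or anything from the original post; the key ids, key names, owner names and the cutoff timestamp are hypothetical and constructed for illustration. It shows two controls that make a post-incident rotation a single operation: HMAC-signed session cookies that carry the id of the signing key, so retiring the pre-incident key rejects every cookie minted under it regardless of its remaining lifetime, and an API-key store that keeps only hashes of issued keys and can revoke everything issued before an exposure cutoff.

```python
"""Bulk credential rotation after a secret-exposure event (added example).

Hypothetical names throughout: key ids "k2016"/"k2017", owner "svc-billing",
and a constructed cutoff of 2017-02-18 00:00 UTC.
"""
import hashlib
import hmac
import secrets


class SessionSigner:
    """HMAC-SHA256 cookie signer with a versioned keyring.

    Cookie format: <key_id>.<payload>.<hex mac>. The key id is included in
    the signed message so a cookie cannot be replayed under a different key.
    """

    def __init__(self):
        self._keys = {}      # key_id -> secret bytes
        self._active = None  # key_id used to sign new cookies

    def add_key(self, key_id, secret):
        self._keys[key_id] = secret
        self._active = key_id

    def rotate(self, new_key_id):
        """Sign with a fresh random key and drop every older key.

        Retired keys are removed outright, so cookies signed with them fail
        verification instead of being quietly accepted until they expire.
        """
        self.add_key(new_key_id, secrets.token_bytes(32))
        self._keys = {new_key_id: self._keys[new_key_id]}

    def _mac(self, key_id, payload):
        msg = f"{key_id}.{payload}".encode()
        return hmac.new(self._keys[key_id], msg, hashlib.sha256).hexdigest()

    def sign(self, payload):
        return f"{self._active}.{payload}.{self._mac(self._active, payload)}"

    def verify(self, cookie):
        """Return the payload for a valid cookie, or None."""
        try:
            key_id, rest = cookie.split(".", 1)
            payload, mac = rest.rsplit(".", 1)
        except ValueError:
            return None
        if key_id not in self._keys:
            return None  # signed by a retired (pre-incident) key
        if not hmac.compare_digest(self._mac(key_id, payload), mac):
            return None  # forged or tampered
        return payload


class ApiKeyStore:
    """Stores only SHA-256 digests of issued keys plus issue time and owner."""

    def __init__(self):
        self._records = {}  # digest -> (owner, issued_at)

    @staticmethod
    def _digest(raw):
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, owner, issued_at):
        raw = "ak_" + secrets.token_urlsafe(24)  # shown to the user once
        self._records[self._digest(raw)] = (owner, issued_at)
        return raw

    def lookup(self, raw):
        rec = self._records.get(self._digest(raw))
        return rec[0] if rec else None

    def revoke_issued_before(self, cutoff):
        """Revoke every key issued before the exposure cutoff; return count."""
        doomed = [d for d, (_, t) in self._records.items() if t < cutoff]
        for d in doomed:
            del self._records[d]
        return len(doomed)


def demo():
    """Constructed timeline: one cookie and one key predate the cutoff."""
    cutoff = 1487376000  # 2017-02-18 00:00 UTC (constructed)
    signer = SessionSigner()
    signer.add_key("k2016", b"constructed-pre-incident-secret")
    old_cookie = signer.sign("user=alice")
    signer.rotate("k2017")
    new_cookie = signer.sign("user=alice")
    tampered = new_cookie[:-1] + ("0" if not new_cookie.endswith("0") else "1")

    store = ApiKeyStore()
    old_key = store.issue("svc-billing", cutoff - 86400)
    new_key = store.issue("svc-billing", cutoff + 86400)
    revoked = store.revoke_issued_before(cutoff)

    return {
        "old_cookie_valid": signer.verify(old_cookie) is not None,
        "new_cookie_payload": signer.verify(new_cookie),
        "tampered_valid": signer.verify(tampered) is not None,
        "revoked_count": revoked,
        "old_key_owner": store.lookup(old_key),
        "new_key_owner": store.lookup(new_key),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Rotation here is a keyring operation and a single revoke call, not a hunt for every place a secret was copied. The same shape applies to user passwords: force a reset for every account whose password was last set before the cutoff, rather than asking users to change them voluntarily.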
The Aptible Update Webinar Series is a new quarterly presentation that covers recent features and changes to the Enclave deployment platform and Gridiron security management products.
We hosted the first Update Webinar on October 25. In it, we covered:
- Deploying from Private Docker Registries: How to configure a private container deployment pipeline
- Advanced Memory Management: How to plan for and easily manage container memory issues
- New ALB Endpoints: More resilient zero-downtime deployments
- HTTP Health Checks: Smart, safe app container routing
- Platform Events: How to get more from the Enclave API and your logging
- Container Metrics: Live telemetry and dashboards for monitoring
- Working with Database Backups: On-demand backups and restoration
- Two-factor Authentication: Securing your Aptible accounts
The next Aptible Update Webinar will be on January 25, 2017, at 11am PST/2pm EST.
Webinars are recorded and made available for viewing if you cannot attend the live session.