Microsoft Azure has achieved a HITRUST certification for the IaaS and several PaaS services that they offer. However, the only controls you can fully inherit from Azure are data center security and certain media protections. Deploying on Microsoft Azure alone does not make one HITRUST compliant. The customer is still responsible for securing their workload on top of Azure as laid out in the Azure HITRUST Shared Responsibility Matrix attached.
Project Hosts Fills the Gap
Project Hosts provisions your whole environment including using hardened gold images consistent with Center for Internet Security standards for windows and Linux operating systems. Project Hosts take ownership of all networking, including subnet segregation, network security group management, vulnerability scanning, etc. We control all infrastructure components allowing software vendors to focus on developing their applications to meet customer requirements. By deploying on Project Hosts’ cloud, customers can leverage the PH toolset and security team whereas deploying on Azure alone would require the customer to manage these tools themselves and dedicate personnel to configure and monitor the tools. Below is a non-exhaustive list of the tools utilized and managed by Project Hosts to secure your workload in a compliant manner and perform ongoing continuous monitoring services.
These services include:
Managing Access Control and Authentication (Active Directory, Azure Active Directory, ADFS etc.)
Implementing and monitoring Azure Network Security Groups (firewall Rules) around all subnets dedicated to the mission partner
Auditing/ reviewing audit logs and alerts (Azure Log Analytics, Azure Defender, Azure Sentinel. These are monitored 24/7 by the PH SOC team.)
Monitoring systems for availability and performance issues/ proactively taking action (Zabbix, Application insights)
Monthly vulnerability scanning (Nessus for OS/DB scans, Acunetix for Web App scans, Qualys for container image scanning)
Patch and vulnerability management (WSUS, Linux Package Manager, Nessus)
Configuration Management (PH Inventory (proprietary inventory tool running to ensure no unauthorized servers, PaaS services or overly permissive firewall rules), PH Change Control tool, Activity Monitoring, SELinux, AppArmor, AppLocker)
Malware prevention and Intrusion prevention using Host Based Security System Tools (Sophos EndPoint/ HIPS, Azure Defender for Cloud)
Dedicated Incident Response and Analysis Team (PH ISMS Tool, ticketing system)
Contingency and Disaster Recovery Planning and recovery team (For typical deployments PH will perform all DR activities for the customer, including periodic tests)
Provides Monthly Application-level scan results and findings/ recommendations for remediations to the partner.
By providing these services the only controls the customer is responsible for are, authorizing their users for the environment, maintaining users in the Project Hosts User Portal, developing their application, remediating vulnerabilities, approving changes to the system, security awareness training, and troubleshooting application-level issues the end-user may have. If you are interested in how Project Hosts meets these controls and the processes in place Project Hosts can provide you with our HITRUST Policies and Procedures, Incident Response Plan, Information System Contingency plan, Rules of Behavior, and the GDPR addendum for customers with that requirement. We can also set up a call with one of our security team members to address any other questions or concerns.