Amazon Web Services (AWS) for Sensitive and Restricted Data

The Amazon Web Services (AWS) platform is permitted for Restricted and Sensitive data, subject to a Cybersecurity risk assessment of the individual use case and the implementation of the controls and processes identified in that assessment (see below for detail).

Please note that Google Cloud Platform (GCP) for Sensitive and Restricted Data is the preferred provider for Restricted and Sensitive data workloads on campus. GCP provides many of the same services as AWS and has additional campus support and tooling specific to restricted data. If you choose to proceed with AWS as your platform, you take on additional responsibility for providing appropriate security for your account.

The account owner remains responsible for achieving and maintaining the appropriate security controls per campus policy. The cloud team can advise and consult on best practices.

  • When requesting an account, the account owner should indicate that they will be using Sensitive or Restricted data so that they are provided an account with additional security in place (a "high-risk" account).
  • The campus AWS IaaS Platform has been assessed under the Cybersecurity Risk Management Framework to inform roles and responsibilities in the Shared Responsibility Model.
  • This assessment focused on the platform level, the controls and security posture shared among all high-risk accounts, and an evaluation of UW contracts with AWS.
  • A Cybersecurity Cloud Assessment for Restricted Data is necessary to ensure the security of the data, as well as of the customer's planned application and architecture within their individual account. This assessment may require additional time and investment since AWS is not the preferred provider for restricted and sensitive data. The public cloud team can advise and consult on your planned service use and architecture.
  • The University of Wisconsin has a Business Associates Agreement (BAA) that governs and protects the limits on the vendor's access to and use of your data (if you use a UW account). This agreement is focused on HIPAA data.
  • Amazon provides physical security of the data center (often referred to as "security OF the cloud") in the Shared Responsibility Model.
  • Use of UW Single Sign-On provides Multi-Factor Authentication (MFA) and meets authentication best practices.
  • The account owner needs to implement their own logging and incident response process. (The public cloud team plans to implement centralized enhancements to this process in the future.)
  • Use of services that Amazon considers HIPAA eligible is also highly recommended, and knowledge of the best practices documented by Amazon will help with this process. AWS also provides a landing page for security best practices.



Doc ID: 115304
Owner: Steve T. Group: Public Cloud
Created: 2021-12-17 14:30 CDT Updated: 2022-01-27 12:52 CDT