Healthcare organizations are rapidly adopting container technology to drive innovation. In this session, join Horizon Blue Cross Blue Shield of New Jersey and ClearDATA to learn about how to integrate Amazon ECS into your deployment pipeline while maintaining compliance for healthcare workloads, how to harden container environments for sensitive workloads, and how to leverage AWS tooling and microservices to provide new views and analysis for data stored in on-premises data centers.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Adopting Microservices in Healthcare:
Building a Compliant DevOps Pipeline
on Amazon ECS
A a r o n F r i e d m a n , A W S
J o h n F i s c h e r , H o r i z o n B l u e C r o s s B l u e S h i e l d o f N e w J e r s e y
M a t t F e r r a r i , C l e a r D A T A
A d a m G r e e n f i e l d , C l e a r D A T A
H L C 3 0 2
N o v e m b e r 2 7 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security and Compliance Are Job Zero
Leverage security
enhancements from 1M+
customer experiences
Benefit from AWS
industry leading
security teams 24/7,
365 days a year
Security infrastructure
built to satisfy military,
global banks, and other
high-sensitivity
organizations
Over 50 global
compliance
certifications and
accreditations
“Healthcare institutions don’t have
the time and resources to devote to
cybersecurity that an established
cloud provider might have.”
Lee Kim – Director, Privacy and
Security, HIMSS North America

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shared Responsibility Model for Security
AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure
Regions
Availability Zones
Edge Locations
Network
Security
Identity &
Access
Control
Customer applications & content
You get to define
your controls IN
the cloud
AWS takes care
of the security
OF the cloud
You Inventory
& AWS
Config
Data
Encryption

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Aligning to Global Frameworks

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
HIPAA Eligible Services for Every
Application
Compute Storage Database Managed
Big Data
Archiving Data
Warehousing
Networking

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Reinforce Your Security Posture
Virtual Private Cloud
Isolated cloud resources
Web Application
Firewall
Filter Malicious Web
Traffic
AWS Shield
DDoS protection
AWS Certificate Manager
Provision, manage, and
deploy SSL/TSL certificates
AWS Key
Management Service
Manage creation and
control of encryption keys
AWS CloudHSM
Hardware-based key
storage
Server-Side
Encryption
Flexible data encryption
options
AWS IAM
Manage user access and
encryption keys
SAML Federation
SAML 2.0 support to
allow on-premises identity
integration
Directory Service
Host and manage
Microsoft Active Directory
Organizations
Manage settings for
multiple accounts
Service Catalog
Create and use
standardized products
AWS Config
Track resource inventory
and changes
AWS CloudTrail
Track user activity and
API usage
Amazon CloudWatch
Monitor resources and
applications
Amazon Inspector
Analyze application
security
AWS Artifact
Self-service for AWS’
compliance reports
Networking Encryption Identity & Management Compliance

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Move Fast, Stay Secure
Do one
thing wellIndependent
Decentralized
Black box
Polyglot
You build it, you run it

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
JOHN FISCHER
Enterprise Architect,
Horizon Blue Cross Blue Shield of
NJ
MATT FERRARI
CTO, ClearDATA
ADAM GREENFIELD
Senior Director of Enterprise
Architecture, ClearDATA
Meet the Speakers

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How We Got Here

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What We Need to Accomplish

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
ClearDATA
HEALTHCARE
Exclusive
CLOUD
SECURITY
Experts
CERTIFIED
Experience
• BAA with the most coverage of any
leading provider
• Incorporates existing infrastructure
BAAs into a single BAA
ENHANCED
BAA

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Extending the AWS Shared Responsibility Model
AWS Global
Infrastructure
Availability Zones
Regions
Edge
Locations
AWS Foundation Services
Compute Storage Database Networking
Network Traffic
Protection
Server-Side
Encryption
Client-Side Data
Encryption
Operating Systems, Network & Firewall Configurations
Platform
Customer Data
Applications Identity & Access Management
AWS Global
Infrastructure
Availability Zones
Regions
Edge
Locations
AWS Foundation Services
Compute Storage Database Networking
Network Traffic
Protection
Server-Side
Encryption
Client-Side Data
Encryption
Operating Systems, Network & Firewall Configurations
Customer Data
ClearDATA
Platform
Applications Identity & Access Management
Amazon Web Services Infrastructure ClearDATA Managed Cloud

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What We’ve Done—Containers

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What We’ve Done—Containers

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What We’ve Done—Dashboard
CloudWatch
Bucket
Consuminator
Trigger Lambda
Amazon
ECS
Dash Api
Ava
Consuminator
Queue
DashTrigger
Lambda
Amazon
ECS Task
Dash
Queue
Cmdb
Snapshot Api
Image
Builder Api
Twistlock
Bucket
CloudWatch
Package
Consumer
Heartbeat
Log injection
CDHP
Interfaces
Dash
Trigger
Dynamo
Tables
Summary

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What We’ve Done
Development Integrated
Testing
Performance
Testing
Production
virtual private
cloud
• Authentication
• Scanning
• Logging
• Monitoring
Amazon ECS
EC2 compute
container
Technologies

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Our Approach
Integration is the center of the solution
Supports a hybrid mode and lends to a phased migration to the
cloud
Horizon
Digital
Integration
Platform
1API Dev &
Mgmt. Tools
HA TA EOS
ERROR
Handling
Health
Metr ic
Gener at or
Env. Aware
Configuratio
n Client
Rx F/W
Databas e
Connectors
Perfor mance
Tracing
Engine
Caching
Client F/W
Unit Tes ting
F/W
Expectation
As sert ionF/
W
Embedded
MockH TTP
Server
Dependency
Mgmt.
Domain
Validation
DSL
CLISuppor t
Logging As pects
Inst rumentation
and Enhanced
Debugging
Support
API
Registr ation
Fault
Isolation
Circuits
Transaction
Mgmt.
Service
Dis covery
Service Logic
Dom ain
Objects(s)
Endpoints
Secur it y
Filt er
Request
Tracking
Idempotent
F/W
Request D ispatcher
R ep re se nta ti on a l
Da ta B in d in g
Cus tom DAO
AMQP
HTTP Client
F/W
ORM
MVC Frameworks with res tful capabilities
Port Bindings
Dependency
Mgmt
Environment
Def init ions
3
DevOps
CA Svc Virt Sonar CheckMarx Other
ECRNexusJenkins
Bit Bucket
Server
5
2
Cache &
Integration
API
Dedicated
NoSQL DB
File
Processors
(E)
Processor
e4e3e2e1
e4e3e2e1
EntityChangeEvents
Batch
Events
File
Processors
(T.L)
Data Store
Extract Data
Hosting &
Platform
4
Compute Service
Network Tools
Apps &
Servers
RDS
No SQL
API
Analytics
Log &
Monitor
Security
Storage Service

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What We’ve Done—Horizon Architecture
Availability Zone 1 - US-East-1A Availability Zone 2 - US-East-1B Availability Zone 3 - US-East-1C
Internet
gateway
Production VPC (Region: US-East-1 / VPC ID: vpc-xxxxxxx /
DHCP Option Set: dopt-xxxxxxx / CIDR: 192.168.0.0/20)
Public Subnet – 192.168.9.0/24 Public Subnet – 192.168.10.0/24
router router
Public Subnet – 192.168.8.0/24
Public Subnet – 192.168.0.0/24 Public Subnet – 192.168.1.0/24 Public Subnet – 192.168.2.0/24
S3 – data
storage
API Gateway
(SaaS)
Inbound API Calls
(HTTPS)
VPC peering
(Management - vpc-xxxxxxx)
Outbound API Calls
(HTTPS)
Horizon internal networkAD / DNS CyberArk DataPower Managed File
Transfer
SMTP SplunkArcsight VDI / PC
Horizon DMZ
SSO
VPC peering
(ClearDATA - vpc-xxxxxxx)
CloudWatch
CloudTrail
api-elb-ext
SSO Calls
(HTTPS)
AD + LDAP
Prod ECS nodes
api-elb-int
Prod RabbitMQ
Node 1
Prod MongoDB
Routing Server 1
api-elb-ext
Prod ECS nodes
api-elb-int
Prod RabbitMQ
Node 2
api-elb-ext
Prod ECS nodes
api-elb-int
Prod RabbitMQ
Node 3
Trading Partners / Apps
3rd
-Party APIs
Ex: Salesforce, ServiceNow
DirectConnect
Customer Gateway
Palo Alto firewall
EC2 Container
Service (ECS)
Key
Management
Service (KMS)
Identity & Access
Management
(IAM)
spk-elb-ext spk-elb-ext spk-elb-ext
rmq-elb-int
Splunk Heavy-
Weight Forwarder
rmq-elb-int
Splunk Heavy-
Weight Forwarder
Prod MongoDB
Routing Server 2
Prod MongoDB
primary data node
Prod MongoDB
primary config srv
Prod MongoDB
Routing Server 3
Prod MongoDB
Routing Server 4
Prod MongoDB
secondary data node
Prod MongoDB
sec. config srv
rmq-elb-int

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What We’ve Done—DevOps Process Model
1
2
3
4 5 6
7
8
9

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lessons Learned
• AWS available services list will be consumed quickly
• Partner with Security Governance and Operations teams from start
• Level of effort to own engineering/security
• Explicit planning required for high availability and DR
• Use same tools/processes used on-premises

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Horizon
• Enterprise Content Management
• Big Data
• Migration Legacy Systems
• Multi-region DR
What’s Next

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
ClearDATA
C2 – ClearDATA Compliance
What’s Next

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
ClearDATA is independent from and not affiliated with Horizon Blue Cross Blue Shield of New Jersey.
Horizon Blue Cross Blue Shield of New Jersey is an independent licensee of the Blue Cross Blue Shield
Association.