Amazon Healthcare businesses rely on dozens of third-party software-as-a-service (SaaS) applications to help scale their business quickly. These organizations require continuous audit log ingestion and central data normalization to power threat detection, investigation, and incident response in preferred security analytics solutions. Amazon Healthcare Security (Amazon HealthSec) enables businesses to secure first-party and third-party SaaS applications with access to sensitive information by quickly detecting and responding to security incidents, such as record injection into a software tenant or data exfiltration. Amazon HealthSec achieves this while maintaining comprehensive security across SaaS applications.
Securing SaaS applications requires repetitive manual engineering effort from Amazon HealthSec. The audit log schema and application programming interface (API) for each SaaS application varies and calls for a custom integration that takes days to weeks to complete and requires ongoing management and maintenance. Amazon Healthcare businesses have individual tenants for some SaaS applications, and Amazon HealthSec must monitor each tenant separately. To address these challenges, Amazon HealthSec integrates their security monitoring system with AWS AppFabric to connect with SaaS applications, automatically normalize audit logs into the Open Cybersecurity Schema Framework (OCSF), and output the logs to a central location. OCSF is an open-source, vendor-agnostic security schema that improves observability and helps reduce operational effort and cost for cybersecurity teams. AppFabric is HIPAA eligible, which lets Amazon HealthSec manage fewer API integrations that carry sensitive data subject to HIPAA.
In this blog, we discuss how Amazon HealthSec simplifies their audit log ingestion and monitoring system with AWS AppFabric, while meeting the Amazon Healthcare business regulatory requirements and the high security bar of their customers.
Previous integration process for third-party SaaS applications
Before integrating with AppFabric, onboarding a third-party SaaS application to the Amazon HealthSec centralized logging system was a manual process. After identifying an application with accessible audit logs, Amazon HealthSec would meet with the application’s vendor to dive deep into the technical architecture and APIs necessary to retrieve the audit logs. Multiple sessions were required to discuss the source log schema and identify the development work needed to transform the audit logs into a common schema. Amazon HealthSec developers would then build a custom log shipping pipeline within their centralized logging system to connect the third-party application, normalize the audit logs, and aggregate them into a central location.
Each third-party log source required a separate dataset within the log shipping pipeline, allowing independent processing, transformation, and schema mappings. Amazon HealthSec developers maintained an AWS Cloud Development Kit (CDK) stack that established the services involved in the log shipping pipeline. This stack set the appropriate permissions and configurations that allowed the pipeline to output data to a central location for an individual third-party log source.
Amazon HealthSec repeated all of these steps for each SaaS application, leading to redundant engineering efforts lasting days to weeks, as shown in Figure 1 below.
Figure 1 Custom integrations for multiple audit log sources
Evaluating simpler log shipping methods
Amazon HealthSec evaluated several log shipping options, including Amazon Kinesis Data Firehose, direct writes to an Amazon Simple Storage Service (Amazon S3) bucket, and AWS AppFabric. Writing directly to Amazon S3 proved difficult to maintain because it required the ingestion service to know the details of the output bucket's partitioning scheme and required granting many different services write permissions to the bucket. Kinesis Data Firehose offers an abstraction layer between the source and the output destination, doesn't require the ingestion services to know anything about the output destination configuration, and reduces the number of services that need write permissions on the output destination. However, Kinesis Data Firehose alone doesn't remove the manual development required to normalize schemas. Amazon HealthSec connected AppFabric to their SaaS applications because AppFabric normalizes the data automatically and sends the transformed logs through Kinesis Data Firehose.
Onboarding process improvements
Amazon HealthSec integrates AWS AppFabric into their audit log ingestion pipeline because AppFabric supports the SaaS applications the team uses and handles multiple integrations automatically on Amazon HealthSec's behalf. AppFabric simplified the onboarding process by eliminating the need for elaborate architectural and schema discussions with SaaS application vendors, including Slack, Okta, and Google Workspace, and allows Amazon HealthSec to scale easily to other AppFabric supported SaaS applications. AppFabric also eliminates the development effort required to handle the differences between SaaS application schemas by normalizing SaaS audit logs into a standard schema.
Amazon HealthSec architecture with AWS AppFabric
Amazon HealthSec already has the infrastructure it needs to load normalized audit logs into a security data lake and monitoring system. The team leverages the existing infrastructure and expands the CDK stack to include AppFabric as a source for SaaS application datasets in a security data lake. The CDK deployment creates Kinesis Data Firehose streams for SaaS applications. Amazon HealthSec adds these streams to AppFabric as output destinations and uses Splunk, a security observability platform supported by AppFabric, for security analytics, monitoring, and alerts.
Figure 2 Amazon HealthSec SaaS application data pipeline with AppFabric
Amazon HealthSec continues to use its existing security data lake and monitoring infrastructure with minimal modifications, preserving its investment. AWS AppFabric helps the team reduce SaaS application onboarding timelines from months to hours, a 2300% increase in speed. The service also backfills missing data after an issue arises with SaaS application credentials. Today, Amazon HealthSec uses AppFabric with Google Workspace, Okta, and Zendesk, and plans to expand to more AppFabric supported SaaS applications.
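As an added example (not part of the original post and not Amazon HealthSec's own pipeline code), the following Python shows the kind of detection that OCSF normalization makes possible: a single rule over OCSF Authentication events that covers Okta, Google Workspace, and Slack at once, without per-application schema handling. The OCSF identifiers (class_uid 3002, activity_id 1, status_id 1 and 2) are OCSF's published values; the event shapes, user names, IPs and thresholds are constructed sample data and assumptions.

```python
import json
from collections import defaultdict
AUTH_CLASS_UID, ACTIVITY_LOGON = 3002, 1        # OCSF Authentication class, Logon activity
STATUS_SUCCESS, STATUS_FAILURE = 1, 2           # OCSF status_id values

def _event(product, user, ip, status_id, t_sec):
    """Minimal OCSF Authentication event with the fields the rule below reads (constructed sample)."""
    return {"class_uid": AUTH_CLASS_UID, "activity_id": ACTIVITY_LOGON, "status_id": status_id,
            "time": t_sec * 1000, "metadata": {"product": {"name": product}},
            "actor": {"user": {"name": user}}, "src_endpoint": {"ip": ip}}

# Constructed sample: alice fails in Okta and Google Workspace, then succeeds; bob is benign.
SAMPLE_LINES = [json.dumps(_event(*row)) for row in [
    ("Okta", "alice", "198.51.100.7", STATUS_FAILURE, 0),
    ("Okta", "alice", "198.51.100.7", STATUS_FAILURE, 60),
    ("Google Workspace", "alice", "198.51.100.7", STATUS_FAILURE, 120),
    ("Google Workspace", "alice", "198.51.100.7", STATUS_FAILURE, 180),
    ("Okta", "alice", "198.51.100.7", STATUS_FAILURE, 240),
    ("Okta", "alice", "198.51.100.7", STATUS_SUCCESS, 300),
    ("Slack", "bob", "203.0.113.9", STATUS_FAILURE, 100),
    ("Slack", "bob", "203.0.113.9", STATUS_SUCCESS, 130),
]] + ["not json"]   # a malformed line, to show the parser skips it instead of crashing

def parse_logon_events(lines):
    """Keep only OCSF logon events, in time order; skip other classes and malformed lines."""
    events = []
    for line in lines:
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue
        if e.get("class_uid") == AUTH_CLASS_UID and e.get("activity_id") == ACTIVITY_LOGON:
            events.append(e)
    return sorted(events, key=lambda e: e["time"])

def find_failures_then_success(events, threshold=5, window_s=600):
    """Alert when a user has `threshold` failed logons across any products within `window_s` seconds and then succeeds."""
    recent = defaultdict(list)   # user -> [(time_ms, product)] of failures still inside the window
    alerts = []
    for e in events:
        user, now, product = e["actor"]["user"]["name"], e["time"], e["metadata"]["product"]["name"]
        recent[user] = [f for f in recent[user] if now - f[0] <= window_s * 1000]
        if e["status_id"] == STATUS_FAILURE:
            recent[user].append((now, product))
        elif e["status_id"] == STATUS_SUCCESS and len(recent[user]) >= threshold:
            alerts.append({"user": user, "failures": len(recent[user]),
                           "products": sorted({p for _, p in recent[user]}),
                           "success_product": product, "src_ip": e["src_endpoint"]["ip"]})
            recent[user].clear()
    return alerts
```

Because the events are already in OCSF, the same rule applies to any application AppFabric adds later, with no change to the parser or the detection.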
Amazon HealthSec uses AppFabric to ingest and normalize audit logs from multiple SaaS applications to save time and engineering effort associated with SaaS application security. AppFabric is HIPAA eligible, allowing Amazon HealthSec to use the service with data within the scope of HIPAA. The Amazon HealthSec team added AppFabric to the existing infrastructure with minimal modifications to reduce the engineering time required to ingest audit logs from a SaaS application. To get started, visit the AWS AppFabric page in the AWS console.