Data protection – and more – with AWS

Four (not so) secret ingredients to allow processing of sensitive data

25. April 2023John Mathew George

Compliance and AWS Cloud – how?

The run to the cloud continues. Workloads on AWS – sure! Workloads with sensitive data on AWS? … wait … so far a no-go for most enterprises. Those who want to implement innovations and leverage business potential in new markets need the cloud. But they also must meet regulatory requirements. A European dilemma. How can it be solved?

Digital boom in healthcare


The healthcare environment in Germany has been pepped up in recent years. Digitalization and its importance for the healthcare sector play a significant role in this. Under the acronym of DiGAs (short for digital health applications), a new market with new business opportunities is emerging.

In addition to established providers of healthcare services, new digital companies with skills in software development also sense their chance to establish themselves permanently on the market–with web services or mobile apps for diagnosis and therapy. First movers have already seized the opportunity and listed their DiGAs at the Federal Institute for Drugs and Medical Devices (BfArM). So far, doctors are able to prescribe a good 30 apps and web services to their patients. And health insurance companies reimburse the costs for it. The new DiGAs support, for example, patients with mental illnesses, metabolic diseases, or cardiovascular diseases.

Tool of choice: the cloud

New apps and web services? Whenever new applications are discussed these days, the cloud seems to appear. It offers a wide range of possibilities for development and operation of these solutions. Cloud-native methods such as containers and DevOps offer a range of options for agile development and innovation. Developers can also use additional services from the cloud ecosystems, for example from AWS, so as not to reinvent the wheel. And if the app takes off, the platform simply scales with the higher demand. Last, but not least, start-ups can easily cope with the financial risk because the pay-as-you-consume principle avoids high investments by only incurring operating costs. There is no need to manage the platform. This allows you to focus fully on the enterprise’s own value add. A dream, …

Oops, wait … compliance …


... which shatters so easily. Personal data requires special protection in Germany; when it comes to social data and health data, the bar is even higher. As reasonable as the use of a US public cloud is from a technical point of view, as a DiGA operated app it is not possible to confront the hurdles for approval in the German health market. In addition to a certificate of conformity for security and functionality, the BfArM also expects a certificate of compliance with the IT baseline protection criteria according to ISO/IEC 27001 since April 2022. Moreover, the goal of the approval hurdle race has not yet been reached: In January 2023, the providers must ensure the data security of their applications is checked by the Federal Office for Information Security to comply with Section 139e of the Social Security Code (SGB) V. This dynamic market with business options is only open to those who meet the regulations. Verifiably.

What is “cloud security”? 

But what are the specific requirements? Data security covers a multitude of concepts. AWS offers – in addition to a high level of basic protection of the cloud itself – a wealth of services that cover all phases of data security: from preventive protection to the detection of and response to incidents up to the restoration of services. From a purely technical point of view, all tools are there for users to secure their services on AWS. But regulatory requirements go beyond that. Ultimately, all compliance discussions lead to the following questions: Where is my data? Who has access to them? And how can I control that? This not only requires technical solutions, but also the administrative “external environment” must be right. In the case of the personal data processed by DiGAs, this means: They must remain locally and virtually in EEA.

Four components for the secret sauce

So far, complex projects have been necessary to ensure this. But from the point of view of a provider who carries out projects of this type … many of the tasks needed to meet compliance requirements come up very often. So why not bundle the best practices and turn the countless projects into one product? A product that provides a solid foundation for data confidentiality on AWS and that allows any AWS user to quickly adopt a state-of-the-art security framework. With Data Protection as a Managed Service we have created such a product. It rests on four pillars that meet all relevant security requirements.

This includes:

  • A Trusted Landing Zone that takes into account the specifications of the Well-Architected Framework and brings a set of essential security mechanisms for prevention and detection. This includes least privilege access and security controls such as Identity & Authentication Management, Service Control Policies and Guard Duty, but also Threat and Incident Detection.
  • Data residency in the European Economic Area (EEA). Technical controls prevent data from leaving the EEA – including attestation to authorities.
  • Data confidentiality is achieved by encrypting data – during storage, transport and processing. For the latter, AWS offers Confidential Computing with Nitro.
  • Support from European staff. This is where a European AWS partner comes in – like T-Systems.

Where are the keys?

A nice and complete package with basic security according to current best practice standards, data storage in Europe and management by European staff. Plus, encryption. And yet one question remains unanswered: Where are the keys?

Encryption is an important standard topic for security in the cloud. For convenient encryption usage, cloud providers offer key management systems on their platforms. The integration makes using encryption simple. But the simplicity has a drawback: By storing the cryptographic keys on the platform, the employees of the platform potentially have access to the keys. It's a bit like giving a stranger the PIN of your debit card. To eliminate this risk, it is better to store keys separately, outside the platform. The external key management (EKM) excludes the cloud provider's access to keys.

Such an extra package for security complements the possibilities of AWS and simultaneously opens up the possibility for companies to offer digital innovations even in regulated environments. Workloads with sensitive data on AWS? Previously a "no go" for many companies can become reality with such a package – not only for DiGAs.

White paper: Security and compliance with AWS

Security concerns when using AWS? The white paper shows how to use AWS compliantly.

About the author

John Mathew George

Lead Security Architect for AWS, T-Systems International GmbH

Show profile and articles
Do you visit t-systems.com outside of Denmark? Visit the local website for more information and offers for your country.