Security & Compliance Roadmap
⚠️ COMPLIANCE DISCLAIMER
CloudWorkstation provides technical security controls but DOES NOT guarantee compliance with any regulatory framework.
Use of CloudWorkstation does not, by itself, constitute compliance with NIST 800-171, HIPAA, FISMA, GDPR, CMMC, or any other standard. This documentation does not constitute legal, regulatory, or compliance advice.
Your institution is solely responsible for:
- Determining applicable compliance requirements
- Conducting compliance assessments and risk analysis
- Implementing organizational policies and procedures
- Obtaining necessary certifications or attestations
- Consulting with qualified legal and compliance professionals
Always defer to your institution's Research Security Office, HIPAA Privacy Officer, Information Security Office, and Office of General Counsel for compliance guidance.
📚 See COMPLIANCE_DISCLAIMER.md for complete legal notice and framework-specific disclaimers.
Overview
CloudWorkstation is designed with security and compliance as foundational principles, not afterthoughts. This document outlines our security posture, compliance frameworks supported, and roadmap for institutional deployment requirements.
🎯 Design Philosophy
Security by Default:
- Principle of least privilege across all components
- AWS-native security controls (Security Groups, IAM, VPC)
- Encrypted data in transit (TLS) and at rest (EBS encryption)
- Audit logging and monitoring built-in

Compliance-Ready Architecture:
- Modular compliance framework supporting multiple standards
- Institutional policy enforcement via template system
- Audit trails for all operations
- Network isolation and access controls

📊 Current Security Posture
✅ Implemented Security Controls
Infrastructure Security:
- AWS Security Groups with minimal port exposure (SSH only by default)
- VPC isolation with configurable network topology
- EBS encryption at rest (AWS-managed or customer-managed keys)
- TLS encryption for all API communication
- SSH key-based authentication (no passwords)

Access Controls:
- IAM-based AWS resource access (no embedded credentials)
- Profile-based credential isolation
- Research user system with UID/GID consistency
- Role-based project access (Owner/Admin/Member/Viewer)

Audit & Monitoring:
- Comprehensive operation logging (all API calls)
- Security event tracking
- Cost and usage monitoring
- Hibernation and state change audit trails

Data Protection:
- Encrypted storage (EBS, EFS)
- Secure credential storage (macOS Keychain, encrypted config)
- No plaintext secrets in configuration
- Profile export with encryption

Network Security:
- Private subnet deployment support
- Security Group-based firewall rules
- SSH bastion host patterns
- VPC peering and PrivateLink ready
🏛️ Compliance Framework Support
Tier 1: Currently Supported
NIST 800-171 (CUI/DFARS)
Status: ✅ Documented & Compliant
Scope: Controlled Unclassified Information (CUI) for federal contracts
Documentation: NIST_800_171_COMPLIANCE.md

Key Controls:
- Access Control (AC) - 22 controls: ✅ Compliant
- Audit & Accountability (AU) - 12 controls: ✅ Compliant
- Configuration Management (CM) - 11 controls: ✅ Compliant
- Identification & Authentication (IA) - 11 controls: ✅ Compliant
- Incident Response (IR) - 6 controls: ✅ Compliant
- System & Communications Protection (SC) - 23 controls: ✅ Compliant

Use Cases:
- DOD research contracts (DFARS 252.204-7012)
- Federal agency collaborations
- Export-controlled research (ITAR/EAR)

FERPA (Student Privacy)
Status: ✅ Supported by Design
Scope: Student education records privacy

Relevant Controls:
- Access controls to education records
- Audit trails of record access
- Consent management (via project membership)
- Data encryption and secure deletion

Use Cases:
- University courses using CloudWorkstation
- Student research projects
- Academic program analytics
Tier 2: Readily Achievable (Minor Extensions)
FISMA Moderate (Federal Information Systems)
Status: 🟡 80% Coverage (gaps documented)
Scope: Federal information systems security
Based On: NIST 800-53 Rev 5

Current Coverage:
- ✅ Access Control (AC family)
- ✅ Audit & Accountability (AU family)
- ✅ System & Communications Protection (SC family)
- ✅ Identification & Authentication (IA family)
- 🟡 Gap: Continuous monitoring automation (CA family)
- 🟡 Gap: Formal security assessments (CA-2, CA-5)

Roadmap to Compliance (v0.7.0):
- [ ] Automated FISMA control validation
- [ ] Integration with FISMA SSP (System Security Plan) templates
- [ ] Continuous monitoring dashboard
- [ ] FedRAMP package preparation
NIST 800-53 (HIPAA/PHI Technical Controls)
Status: 🟡 Partially Supported
Scope: Protected Health Information (PHI) for HIPAA compliance
Based On: NIST 800-53 Rev 5 (HIPAA Security Rule mapping)

Current Coverage:
- ✅ Encryption at rest and in transit
- ✅ Access controls and audit logging
- ✅ Unique user identification
- ✅ Automatic logoff (via hibernation policies)
- ✅ Encryption and decryption
- 🟡 Gap: BAA (Business Associate Agreement) framework
- 🟡 Gap: PHI-specific data classification
- 🟡 Gap: HIPAA breach notification automation

Roadmap to Compliance (v0.8.0):
- [ ] Data classification tagging system
- [ ] PHI-specific template policies
- [ ] Breach detection and notification
- [ ] HIPAA audit report generation
- [ ] BAA documentation and controls

Use Cases:
- Medical research with patient data
- Clinical trials infrastructure
- Healthcare informatics programs
GDPR (EU Data Protection)
Status: 🟡 Foundational Controls Present
Scope: Personal data of EU residents

Current Coverage:
- ✅ Data encryption (Article 32)
- ✅ Access controls (Article 32)
- ✅ Audit logging for data access (Article 30)
- ✅ Right to deletion (instance/volume deletion)
- 🟡 Gap: Data residency enforcement
- 🟡 Gap: Data processing agreements
- 🟡 Gap: Right to portability automation

Roadmap to Compliance (v0.7.0):
- [ ] EU region enforcement policies
- [ ] Data subject rights automation (export, delete)
- [ ] Processing activity records
- [ ] GDPR audit reports
- [ ] Data Protection Impact Assessment (DPIA) templates

Use Cases:
- International research collaborations
- EU-based university deployments
- Cross-border research projects
Tier 3: Institutional/Domain-Specific (Requires Extensions)
CMMC Level 2/3 (Defense Contractors)
Status: 🔴 Planning Phase
Scope: Defense Industrial Base (DIB) cybersecurity
Based On: NIST 800-171 + additional practices

Current Status:
- NIST 800-171 foundation: ✅ Complete
- CMMC Level 1 (17 practices): ✅ Covered
- CMMC Level 2 (110 practices): 🟡 ~70% coverage
- CMMC Level 3: 🔴 Not yet supported

Gap Analysis:
- 🟡 Asset management automation
- 🟡 Vulnerability scanning integration
- 🔴 Advanced persistent threat (APT) monitoring
- 🔴 Insider threat detection
- 🔴 Third-party assessment documentation

Roadmap (v0.9.0+):
- [ ] CMMC assessment evidence collection
- [ ] C3PAO (Third-Party Assessor) reporting
- [ ] SPRS (Supplier Performance Risk System) integration
- [ ] CMMC self-assessment tool

Use Cases:
- DOD contractor research facilities
- Defense university partnerships
- SBIR/STTR award recipients
ISO 27001 (Information Security Management)
Status: 🟡 Partial Coverage
Scope: International information security standard

Current Coverage:
- ✅ Annex A.9 (Access Control): Fully implemented
- ✅ Annex A.12 (Operations Security): Partially implemented
- ✅ Annex A.13 (Communications Security): Fully implemented
- 🟡 Annex A.18 (Compliance): Documentation gaps

Roadmap (v1.0.0):
- [ ] ISO 27001:2022 control mapping
- [ ] Statement of Applicability (SOA) template
- [ ] Risk assessment integration
- [ ] Management review dashboards
FedRAMP (Cloud Service Authorization)
Status: 🔴 Long-Term Goal
Scope: Federal cloud service providers
Based On: NIST 800-53 + FedRAMP controls

Rationale: CloudWorkstation is primarily a client tool (not a cloud service provider), but institutions may need FedRAMP-equivalent controls.

Roadmap (v1.2.0+):
- [ ] FedRAMP Moderate baseline assessment
- [ ] System Security Plan (SSP) automation
- [ ] Continuous monitoring (ConMon)
- [ ] Readiness assessment toolkit
🏢 Institutional Security Requirements
Endpoint Security Agents
Common Requirements:
- CrowdStrike Falcon
- Carbon Black
- Microsoft Defender for Endpoint
- Tanium
- Qualys

CloudWorkstation Approach:

1. Template-Based Deployment: Institutions can create custom templates with required agents

   ```yaml
   name: "University IT Policy - Python ML"
   inherits: ["python-ml"]
   system_packages:
     - crowdstrike-falcon-sensor
   user_data_script: |
     # Install and configure institutional security agent
     # -f: fail on HTTP errors instead of piping an error page to bash
     curl -fsS https://university.edu/security/install-agent.sh | bash
   ```

2. Launch-Time Injection: Instance launch can include institutional user-data scripts
3. AMI Baking: Institutions can create custom AMIs with agents pre-installed

Roadmap (v0.7.0):
- [ ] --user-data-file flag for launch command
- [ ] Template user_data_script field
- [ ] Documentation for common agent deployments
- [ ] Validation that agents don't conflict with CloudWorkstation
Data Classification & Tagging
Requirements:
- CUI marking and handling
- PHI/PII identification
- Export control classification
- Institutional data categories

CloudWorkstation Approach:

Project-Level Classification (v0.7.0):

```bash
cws project create cancer-research \
  --classification "PHI" \
  --compliance "HIPAA,NIST-800-53" \
  --require-encryption \
  --require-audit-logging
```

Instance Tagging (v0.7.0):

```bash
cws launch python-ml research-workstation \
  --project cancer-research \
  --data-classification PHI \
  --tag "IRB-Protocol=2024-123" \
  --tag "PI=jane.smith@university.edu"
```

Template Policies (v0.8.0):

```yaml
# Institutional policy: templates/policies/phi-research.yml
name: "PHI Research Policy"
applies_to:
  - data_classification: ["PHI", "PII"]
requirements:
  encryption:
    ebs: required
    efs: required
    kms_key: "arn:aws:kms:us-east-1:123456789012:key/institutional-phi"
  network:
    public_ip: forbidden
    allowed_subnets: ["subnet-abc123"]  # Private subnet only
  access:
    mfa: required
    ip_whitelist: ["10.0.0.0/8"]  # University network only
  audit:
    cloudtrail: required
    log_retention_days: 2555  # 7 years for HIPAA
```
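
How a policy enforcement engine could evaluate a launch request against the PHI Research Policy above. This is an added example, not CloudWorkstation code: `LaunchRequest`, `source_allowed` and `evaluate` are hypothetical names, the policy values are copied from the YAML, and `log_retention_days` is assumed to be a minimum.

```python
import ipaddress
from dataclasses import dataclass

# Requirement values copied from the PHI Research Policy YAML above.
PHI_POLICY = {
    "applies_to": {"PHI", "PII"},
    "kms_key": "arn:aws:kms:us-east-1:123456789012:key/institutional-phi",
    "allowed_subnets": {"subnet-abc123"},
    "ip_whitelist": ["10.0.0.0/8"],
    "log_retention_days": 2555,
}

@dataclass
class LaunchRequest:  # hypothetical shape of a launch request
    classification: str
    ebs_encrypted: bool
    efs_encrypted: bool
    kms_key: str
    public_ip: bool
    subnet: str
    source_ip: str
    mfa_verified: bool
    cloudtrail_enabled: bool
    log_retention_days: int

def source_allowed(addr: str, cidrs: list[str]) -> bool:
    """True if addr parses and falls inside one of the CIDR blocks; fails closed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def evaluate(req: LaunchRequest, policy: dict = PHI_POLICY) -> list[str]:
    """Return every violated requirement; an empty list means the launch may proceed."""
    if req.classification not in policy["applies_to"]:
        return []  # policy does not apply to this data classification
    checks = [
        ("encryption.ebs", req.ebs_encrypted),
        ("encryption.efs", req.efs_encrypted),
        ("encryption.kms_key", req.kms_key == policy["kms_key"]),
        ("network.public_ip", not req.public_ip),
        ("network.allowed_subnets", req.subnet in policy["allowed_subnets"]),
        ("access.ip_whitelist", source_allowed(req.source_ip, policy["ip_whitelist"])),
        ("access.mfa", req.mfa_verified),
        ("audit.cloudtrail", req.cloudtrail_enabled),
        # Assumption: the policy value is a minimum retention period.
        ("audit.log_retention_days", req.log_retention_days >= policy["log_retention_days"]),
    ]
    return [name for name, passed in checks if not passed]
```

Reporting all violations at once, rather than stopping at the first, gives the requester and the audit log the complete reason a launch was refused.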
Roadmap:
- [ ] Data classification taxonomy
- [ ] Policy enforcement engine
- [ ] Automatic tagging propagation
- [ ] Classification-based access controls
Network Security Requirements
Common Institutional Patterns:
1. Private Subnet Only: No public IPs
2. Bastion/Jump Host: SSH through institutional gateway
3. VPN Required: Access only through institutional VPN
4. IP Whitelisting: Restricted to campus networks
5. Intrusion Detection: IDS/IPS integration

CloudWorkstation Support:

Current (v0.5.x):

```bash
# Private subnet deployment
cws launch python-ml research \
  --subnet subnet-private123 \
  --no-public-ip \
  --security-group sg-institutional

# Bastion host pattern (manual SSH configuration)
ssh -J bastion.university.edu cws-research-instance
```

Enhanced (v0.7.0):

```bash
# Profile-based network policy
cws profile create university-secure \
  --network-policy institutional-private \
  --bastion bastion.university.edu \
  --require-vpn

cws launch python-ml research --profile university-secure
# ↑ Automatically enforces: private subnet, bastion host, VPN check
```

Roadmap:
- [ ] Network policy templates
- [ ] VPN connectivity verification
- [ ] IDS/IPS integration hooks
- [ ] Security group template library
🔐 Authentication & Access Control
Single Sign-On (SSO) Integration
Requirements:
- SAML 2.0 (Shibboleth, Azure AD, Okta)
- OAuth 2.0 / OpenID Connect
- LDAP / Active Directory
- Duo / MFA enforcement

CloudWorkstation Architecture:

Current (v0.5.x):
- AWS IAM-based authentication
- Profile-based credential management
- SSH key-based instance access

Planned (v0.6.0 - Phase 6):

```bash
# SSO configuration
cws auth configure \
  --provider "University SAML" \
  --idp-url "https://sso.university.edu/saml" \
  --entity-id "cloudworkstation" \
  --mfa-required

# User authentication flow
cws login
# ↑ Opens browser, authenticates via university SSO, stores temporary credentials
```

Multi-Factor Authentication (MFA):

```bash
# Profile-level MFA requirement
cws profile create research-secure \
  --require-mfa \
  --mfa-device arn:aws:iam::123456789012:mfa/jane.smith

# Instance access with MFA
cws connect my-research
# ↑ Prompts for MFA token before establishing SSH connection
```

Roadmap:
- [ ] SAML 2.0 identity provider integration
- [ ] OAuth/OIDC support (Okta, Azure AD, Google)
- [ ] LDAP/Active Directory authentication
- [ ] MFA enforcement for sensitive operations
- [ ] Session management and timeouts
Role-Based Access Control (RBAC)
Current (v0.5.x):
- Project roles: Owner, Admin, Member, Viewer
- Profile-based AWS credential isolation

Enhanced (v0.7.0):

```yaml
# Institutional RBAC policy
roles:
  research-faculty:
    permissions:
      - instances:launch
      - instances:stop
      - instances:connect
      - projects:create
    constraints:
      max_instances: 10
      max_cost_per_month: 5000
      allowed_templates: ["python-ml", "r-research"]
  research-student:
    permissions:
      - instances:connect  # Read-only access to assigned instances
      - projects:view
    constraints:
      max_instances: 2
      max_cost_per_month: 200
      allowed_templates: ["python-ml"]
  research-admin:
    permissions:
      - "*"  # Full access
    constraints: {}
```

Application:

```bash
# Assign roles to users
cws user create jane.smith@university.edu \
  --role research-faculty \
  --department "Computer Science"

# Role-based template access
cws templates list
# ↑ Shows only templates allowed for user's role
```
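
A deny-by-default authorization check over the three roles defined above, including the wildcard permission and the empty constraint set of research-admin. This is an added example, not CloudWorkstation code: `authorize` and `visible_templates` are hypothetical names, and applying constraints only to `instances:launch` is an assumption of the sketch.

```python
# Roles copied from the institutional RBAC policy above.
ROLES = {
    "research-faculty": {
        "permissions": {"instances:launch", "instances:stop",
                        "instances:connect", "projects:create"},
        "constraints": {"max_instances": 10, "max_cost_per_month": 5000,
                        "allowed_templates": ["python-ml", "r-research"]},
    },
    "research-student": {
        "permissions": {"instances:connect", "projects:view"},
        "constraints": {"max_instances": 2, "max_cost_per_month": 200,
                        "allowed_templates": ["python-ml"]},
    },
    "research-admin": {"permissions": {"*"}, "constraints": {}},
}

def authorize(role, action, template=None, running=0, month_cost=0.0):
    """Return (allowed, reason). Unknown roles and unlisted actions are denied."""
    spec = ROLES.get(role)
    if spec is None:
        return False, "unknown role"
    perms = spec["permissions"]
    if "*" not in perms and action not in perms:
        return False, f"{action} not granted"
    if action != "instances:launch":
        return True, "ok"
    # Assumption: constraints gate launches only. A missing constraint key
    # means no limit, which is how research-admin's empty mapping is read.
    c = spec["constraints"]
    if "allowed_templates" in c and template not in c["allowed_templates"]:
        return False, "template not allowed"
    if "max_instances" in c and running >= c["max_instances"]:
        return False, "instance limit reached"
    if "max_cost_per_month" in c and month_cost >= c["max_cost_per_month"]:
        return False, "monthly budget exhausted"
    return True, "ok"

def visible_templates(role, catalog):
    """Templates a role would see in a listing such as `cws templates list`."""
    spec = ROLES.get(role)
    if spec is None:
        return []
    allowed = spec["constraints"].get("allowed_templates")
    return list(catalog) if allowed is None else [t for t in catalog if t in allowed]
```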
📋 Compliance Documentation & Evidence
Automated Compliance Reporting
Current State: Manual documentation in Markdown

Vision (v0.8.0+):

```bash
# Generate compliance report
cws compliance report \
  --framework "NIST 800-171" \
  --output compliance-report.pdf \
  --include-evidence

# Report includes:
# - Control implementation status
# - Configuration evidence (screenshots, logs)
# - Policy documentation
# - Audit trail samples
# - Risk assessment
```

Evidence Collection:

```bash
# Automated evidence gathering
cws compliance collect-evidence \
  --control "AC.1.001" \
  --date-range "2025-01-01,2025-12-31" \
  --output evidence/ac-1-001/

# Generates:
# - Access logs
# - Configuration snapshots
# - User activity reports
# - Security event timeline
```
Security Assessment Tools
Planned Features (v0.8.0):

Self-Assessment:

```bash
# Run security posture assessment
cws security assess \
  --framework "NIST 800-171" \
  --profile research-prod

# Output:
# ✅ 95/110 controls fully implemented
# 🟡 10 controls partially implemented
# 🔴 5 controls not implemented
# 📊 Compliance score: 86%
```

Continuous Monitoring:

```bash
# Enable continuous compliance monitoring
cws compliance monitor \
  --framework "NIST 800-171" \
  --alert-threshold 85% \
  --notify security@university.edu

# Monitors:
# - Configuration drift
# - Policy violations
# - Security events
# - Control effectiveness
```

Vulnerability Scanning:

```bash
# Integrate with vulnerability scanners
cws security scan \
  --tool "Nessus" \
  --target my-research-instance \
  --schedule weekly

# Integrations planned:
# - Nessus
# - Qualys
# - AWS Inspector
# - Tenable.io
```
🛣️ Compliance Roadmap
Phase 6 (v0.6.0 - Q2 2026): Authentication & Access
- SSO/SAML integration (Shibboleth, Azure AD, Okta)
- MFA enforcement
- Enhanced RBAC with institutional roles
- Session management and timeouts
Phase 7 (v0.7.0 - Q3 2026): Data Classification & Network Security
- Data classification framework
- Network policy templates
- Endpoint security agent support
- VPN connectivity verification
- GDPR compliance enhancements
Phase 8 (v0.8.0 - Q4 2026): Compliance Automation
- Automated compliance reporting
- Evidence collection system
- Self-assessment tools
- HIPAA BAA framework
- PHI-specific policies
Phase 9 (v0.9.0 - Q1 2027): Advanced Security
- CMMC Level 2 support
- Vulnerability scanning integration
- Continuous monitoring dashboard
- Insider threat detection
- Security orchestration automation
Long-Term (v1.0.0+): Enterprise Maturity
- ISO 27001 certification support
- FedRAMP readiness assessment
- Third-party security assessments
- Penetration testing toolkit
- Security incident response playbooks
📚 Documentation Structure
Current Documentation
- ✅ NIST_800_171_COMPLIANCE.md - Detailed CUI compliance guide
- ✅ SECURITY_HARDENING_GUIDE.md - Infrastructure security
- ✅ AWS_IAM_PERMISSIONS.md - Least privilege IAM policies
- ✅ TEMPLATE_POLICY_FRAMEWORK.md - Policy enforcement

Planned Documentation (v0.7.0+)
- HIPAA_COMPLIANCE_GUIDE.md - PHI handling and HIPAA controls
- FISMA_COMPLIANCE_GUIDE.md - Federal information system security
- GDPR_COMPLIANCE_GUIDE.md - EU data protection requirements
- CMMC_READINESS_GUIDE.md - Defense contractor cybersecurity
- INSTITUTIONAL_DEPLOYMENT_GUIDE.md - University/enterprise deployment patterns
- SECURITY_ASSESSMENT_TOOLKIT.md - Self-assessment and audit preparation
- DATA_CLASSIFICATION_GUIDE.md - Handling CUI, PHI, PII, export-controlled data
🎯 Key Principles
- Security by Default: Secure configurations without user intervention
- Compliance-Ready: Support multiple frameworks without code changes
- Transparent Evidence: Audit trails and compliance documentation automated
- Flexible Enforcement: Balance security with researcher productivity
- Institutional Control: Enable universities to enforce their policies
- Progressive Enhancement: Start simple, layer security as needed
- AWS-Native Security: Leverage AWS security services and best practices
📞 Institutional Partnership
For Institutions Considering CloudWorkstation:
We're committed to supporting institutional security and compliance requirements. If your institution has specific needs not addressed in this roadmap:
- File a GitHub Issue: Describe your compliance framework and requirements
- Partnership Opportunities: We're open to collaborating on compliance implementations
- Documentation Review: Share your security requirements for roadmap prioritization
Contact: GitHub Issues or GitHub Discussions
Last Updated: October 19, 2025
Next Review: Q1 2026 (with Phase 6 planning)