Datica Academy

Google Cloud SQL Guide - How to configure GCP Cloud SQL to comply with HIPAA and HITRUST

Ryan Rich

Chief Product Officer

October 2, 2018

This guide is intended to give developers an easy to understand, step by step run book to configuring their Google Cloud SQL instance to be HITRUST CSF ready. In the following sections we’ll walk through the requirements, controls, and configurations for GCP Cloud SQL.

Disclaimer: while utilizing these guides can provide alignment with HITRUST, it is still your responsibility as an organization to complete an audit and obtain certification.

Step 1: The Business Associate Agreement (BAA)

Google Cloud Platform requires users to contact their account manager to get a BAA signed. From Google:

“Execute a Google Cloud BAA. You can request a BAA directly from your account manager.”

Only once you’ve signed the BAA and subsequently configured your SQL database to be compliant should you start accepting PHI.

More on BAAs can be found in the Datica Academy.

Rule Header
HIPAA § 164.308 N/A: GCP does not provide an API to the BAA

Step 2: Working with VPC networks

Before we jump into creating our SQL instance, first we’re going to create a new VPC and subnet. Creating a network and a subnet is very simple with GCP. Follow these steps.

  1. In the left side navigation find “VPC network” under the “Networking” heading
  2. Above the table of default networks, click the “Create VPC network” button
  3. Fill out the name, and description fields and then select “Subnet creation mode” under the “Subnets” section
  4. In the box titled “New subnet” fill out a name
  5. The region should be the same region as the database
  6. For the IP address range, you should use a standard private VPC network address range
  7. For “Private google access” which indicates: “ …whether VMs in this subnet can access Google services without assigning external IP addresses “ select “Off
  8. Set flow logs to “On
  9. Set “Dynamic routing mode” to “Regional
  10. Click “Create
Related Control(s) API Reference
HITRUST 0805.01m1 Organizational.12 subnetworks , networks

Step 3: Creating the database

Now that we have a network and subnet, we can create our database. To do that, click the menu button in the top left and follow these steps:

  1. Select “SQL
  2. At the following prompt, select “Create instanceCreating a Cloud SQL instance
  3. Make a selection for “MySQL” or “PostgreSQLChoosing database type
  4. Enter the information for “Instance ID”, “Default user password”, “Location”, “Region” and “Zone
  5. Select the “Show configuration options” link
  6. Under “Set Connectivity” select “Private IP” (enable the API if you haven’t already)
  7. Under “Private IP” select the VPC we just created in the previous step Private IP decisions
  8. If “Public IP” is checked be sure to uncheck it
  9. In the “Enable auto backups and high availability” section, select “Automate backups
  10. In the same section under “Availability” select “High availability (regional)
  11. Next, under the “Set maintenance schedule” section be sure to select the window and timing that’s appropriate for your internal policy
  12. Then click “Create

Step 4: High availability

In the previous step where we created our database, we were able to setup high availability across multiple regions. This aids in both disaster recovery and business continuity for your organization. If a region within GCP goes down, high availability will ensure that your data is still accessible from another region.

For more information on high availability from the GCP, see this article.

Related Control(s) API Reference
HITRUST 1616.09l1 Organizational.16 Databases: get, BackupRuns
HITRUST 1618.09l1 Organizational.45 Databases: get, BackupRuns
HITRUST 1619.09l1 Organizational.7 Databases: get, BackupRuns
HITRUST 1620.09l1 Organizational.8 Databases: get, BackupRuns
HITRUST 1668.12d1 Organizational.67 Databases: get, BackupRuns
   

Step 5: Database access & encryption

When we created the database in step 3, we selected “Private IP” and unselected “Public IP”. This restricts traffic to the instance only to approved networks. This is important because it forces all traffic to be encrypted and authenticated.

More information on Private IP can be found here.

Connecting over SSL/TLS

From Google:

“If you are connecting using private IP, configuring SSL/TLS is optional; private services access traffic stays within Google’s network at all times.”

SSL/TLS options

You can see in the screenshot above that all incoming connections must use SSL and also that we haven’t set up a certificate yet, which is covered in the guide below. For the purposes of this guide, SSL/TLS is not optional. To enforce a secure connection, follow this guide.

Related Control(s) API Reference
HITRUST 0605.10h1 System.12 Instances, Databases: get
HITRUST 0630.10h2 System.6 Instances, Databases: get
HITRUST 0805.01m1 Organizational.12 Instances, Databases: get
HITRUST 0806.01m2 Organizational.12356 Instances, Databases: get
HITRUST 0805.01m1 Organizational.12 Instances, Databases: get
HITRUST 0806.01m2 Organizational.12356 Instances, Databases: get
HITRUST 0814.01n1 Organizational.12 Instances, Databases: get
HITRUST 0816.01w1 System.1 Instances, Databases: get
HITRUST 0835.09n1 Organizational.1 Instances, Databases: get
HITRUST 0859.09m1 Organizational.78 Instances, Databases: get

Enabling Encryption

From Google:

“Cloud Storage always encrypts your data on the server side, before it is written to disk, at no additional charge.”

For more information on encryption from GCP, please see this guide.

Related Control(s) API Reference
HITRUST 0903.10f1 Organizational.1 Instances
HITRUST 1132.01v2 System.3 Instances
HITRUST 1903.06d1 Organizational.3456711 Instances

Step 6: Backups

In step 3 when we created our database, we selected “Automate backups” in the “Enable auto backups and high availability” section. These backups are available and should be configured according to your internal compliance policy. Using the GCP APIs you can set and retrieve configuration information about your instance.

Example response:

{
  "kind": "sql#backupRun",
  "id": long,
  "selfLink": string,
  "instance": string,
  "description": string,
  "windowStartTime": datetime,
  "status": string,
  "type": string,
  "enqueuedTime": datetime,
  "startTime": datetime,
  "endTime": datetime,
  "error": {
    "kind": "sql#operationError",
    "code": string,
    "message": string
  }
}
Related Control(s) API Reference
HITRUST 1616.09l1 Organizational.16 Instances, BackupRuns
HITRUST 1618.09l1 Organizational.45 Instances, BackupRuns
HITRUST 1619.09l1 Organizational.7 Instances, BackupRuns
HITRUST 1620.09l1 Organizational.8 Instances, BackupRuns
HITRUST 1668.12d1 Organizational.67 Instances, BackupRuns

Step 7: Patching

In step 3 when we created our database, we selected our maintenance window by setting a specific day and time for updates. Using the Instances API, we can expect a response like the following:

"maintenanceWindow": {
  "kind": "sql#maintenanceWindow",
  "hour": integer,
  "day": integer,
  "updateTrack": string
}
Related Control(s) API Reference
HITRUST 0701.07a1 Organizational.12 Instances
HITRUST 0707.10b2 System.1 Instances
HITRUST 0708.10b2 System.2 Instances
HITRUST 0709.10m1 Organizational.1 Instances
HITRUST 0720.07a1 Organizational.4 Instances
HITRUST 0723.07a1 Organizational.8 Instances

Step 8: Logging & Monitoring

Using stackdriver in the GCP console, we can see that logging and monitoring are on by default and are tracking events in the “operations” tab. However, this still doesn’t get us all the way to HITRUST alignment. For auditing, we’re going to be using Google Cloud Audit Logging.

Cloud Audit panel

Fortunately Cloud Audit Logging is on by default, and can be accessed at console.cloud.google.com/home/activity. If you navigate to that page, you’ll see a log of activity, with options in the right menu to filter based on certain criteria.

Cloud Audit logging

Related Control(s) API Reference
HITRUST 1204.09aa1 System.3 Stackdriver Monitoring API

Wrapping up

Using this guide, developers can ensure their new GCP Cloud SQL instance is ready to comply with the HITRUST CSF. Maintaining these configurations for all new infrastructure, updating them for new versions of HITRUST and providing proof — a digital papertrail — is an incredible amount of work. Having a partner like Datica can mean the difference between an audit taking 4 months, or 4 weeks.

For more information on Datica’s products and services. Check out these helpful links:

Related Academy Articles