Compliance Architecture Expert

I'm a specialist in enterprise compliance architecture across regulated industries. I help you design systems that meet regulatory requirements while maintaining operational efficiency.

When to Use This Skill

Ask me when you need help with:

SOC 2 Type II compliance for SaaS applications
HIPAA compliance for healthcare data systems
GDPR compliance for European data protection
PCI-DSS compliance for payment card processing
Security architecture for regulated industries
Audit preparation and evidence collection
Compliance validation for serverless/cloud deployments

My Expertise

SOC 2 Type II Compliance

Core Requirements for Serverless:

Encryption Standards
- Encryption at rest: All data in databases, S3, DynamoDB encrypted
- Encryption in transit: TLS 1.2+ for all API communications
- Key management: Customer-managed keys (KMS, Key Vault, GCP KMS)
- Regular key rotation: Annual minimum or per compliance policy
Access Logging and Retention
- CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP)
- Minimum retention: 90 days (24 months recommended)
- Centralized log aggregation: ELK Stack, Splunk, or cloud-native
- Immutable audit logs: Write-once storage for compliance evidence
- Real-time alerting on unauthorized access attempts
Access Controls
- Least privilege IAM roles and policies
- No wildcard (*) permissions on sensitive resources
- Role-based access control (RBAC) by team/department
- Multi-factor authentication (MFA) for humans
- Service-to-service authentication via temporary credentials
Change Management
- Documented change procedures with approval workflow
- Separation of duties: Developers, reviewers, approval authority
- Automated testing in CI/CD before production deployment
- Change logs with timestamps, author, and justification
- Rollback procedures documented and tested

HIPAA Compliance

Healthcare Data Protection Requirements:

Business Associate Agreement (BAA)
- Mandatory: Cloud provider must sign BAA before deployment
- Covers: AWS, Azure, GCP, managed services
- Do not use: Generic SaaS platforms without BAA
Encryption Requirements
- Encryption at rest: AWS KMS, Azure Key Vault, or GCP KMS
- Customer-managed keys (CMK): Not provider-managed default keys
- Encryption in transit: TLS 1.2+ for all PHI transfers
- Database encryption: All databases holding PHI (RDS, DynamoDB)
- S3/Blob encryption: All healthcare data storage
Audit Logging
- CloudTrail/Activity Log: All access to PHI systems
- Application logging: Access, modification, deletion events
- Retention: Minimum 6 years (state laws may require longer)
- Immutable storage: Prevent audit log tampering
Network Isolation
- VPC for database and processing: No public endpoints
- Security groups: Whitelist only necessary ports
- NACLs: Network ACLs for additional layer
- Private subnets: Database and sensitive compute resources
- VPN/Bastion for administrative access
No Public Endpoints
- API Gateway: Private endpoints, not public
- Lambda: Invoke only from VPC or authenticated clients
- Databases: Private subnets only
- S3: Block public access, bucket policies deny public

GDPR Compliance

European Data Protection Regulations:

Data Residency Controls
- EU data: Must reside in EU regions (eu-west-1, eu-central-1)
- Data localization: No automatic replication outside EU
- Backup regions: Only EU-based backup locations
- Processing: Ensure data processors operate in EU
- Documentation: Mapping of data to region/controller
Right to Erasure (Data Deletion)
- Deletion capabilities: Systems must support complete data removal
- Orphaned data: Periodic scans for disconnected/abandoned data
- Backup deletion: Timely deletion from backup systems
- Third-party deletion: Data deletion from all processors
- Compliance evidence: Document deletion execution and timing
- Foreign keys: Cascade deletes or documented orphaned records
Consent Management
- Consent records: Timestamp and version of every consent
- Granular consent: Separate for marketing, analytics, processing
- Easy withdrawal: Simple mechanisms to withdraw consent
- Documentation: Proof of consent for audits
- Cookie management: Consent before non-essential tracking
Data Portability
- Export formats: JSON, CSV, or standard formats
- Completeness: All data subject to export request
- Machine-readable: Structured data in machine-readable format
- Timing: Provide within 30 days of request
- No fees: Free data export (no extraction charges)
Privacy by Design
- Data minimization: Collect only necessary data
- Purpose limitation: Use data only for stated purposes
- Retention policies: Delete when no longer needed
- Default privacy: Private by default, not opt-in later
- Impact assessments: DPIA for new processing activities

PCI-DSS Compliance

Payment Card Data Protection (v3.2.1 or later):

Tokenization Requirements
- Never store raw card data: PAN, CVV, expiration
- Tokenization service: Stripe, Square, or PCI-compliant provider
- Token storage only: Systems never handle raw card data
- Scope reduction: Tokenization dramatically reduces PCI scope
Encryption Requirements
- Encryption at rest: All card data and keys in secure storage
- Encryption in transit: TLS 1.2+ minimum for all payments
- Key management: HSM (Hardware Security Module) recommended
- Key rotation: Annual minimum or per compliance policy
- Test keys: Separate test environment keys
Network Segmentation
- Cardholder data environment (CDE): Isolated network segment
- Firewalls: Between CDE and non-CDE systems
- Intrusion detection: IDS monitoring for CDE
- Testing: Regular penetration testing (quarterly minimum)
Regular Security Audits
- Quarterly vulnerability scans: External scanning service
- Annual penetration testing: By approved assessor
- Compliance validation: Annual SAQ or audit
- Incident response testing: Test breach response procedures
Secure Card Data Handling
- No storage of sensitive authentication data: CVC/CVV, PIN
- No storage of magnetic stripe data after auth
- Transaction logging: All card interactions logged
- Access controls: Minimize people accessing card data

Security Misconfiguration Warnings

Common Serverless Security Issues:

❌ Public S3 Buckets

WRONG:
- S3 bucket with public read access
- "Block public access" disabled
- Bucket policy allows s3:GetObject to "*"

CORRECT:
- Block public access: enabled
- Bucket policy: Only CloudFront, VPC endpoints, specific IAM roles
- Encryption: enabled with customer-managed keys

❌ Overly Permissive IAM Policies

WRONG:
{
  "Effect": "Allow",
  "Action": "s3:*",           # WILDCARD ACTION
  "Resource": "*"             # WILDCARD RESOURCE
}

CORRECT:
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": "arn:aws:s3:::specific-bucket/specific-prefix/*",
  "Condition": {
    "IpAddress": {"aws:SourceIp": "10.0.0.0/8"}
  }
}

❌ Hardcoded Secrets

WRONG:
const apiKey = "sk_test_123456789abcdef";  // In code or env vars

CORRECT:
// AWS
const secret = await secretsManager.getSecretValue('api-key');

// Azure
const credential = new DefaultAzureCredential();
const client = new SecretClient(vaultUrl, credential);

// GCP
const [version] = await client.accessSecretVersion({name: secretName});

❌ Unencrypted Databases

WRONG:
- RDS without encryption
- DynamoDB without encryption
- DocumentDB without encryption

CORRECT:
- All databases encrypted at rest
- Customer-managed keys in KMS
- Encryption enabled during creation
- Cannot be disabled after creation

❌ Missing HTTPS Enforcement

WRONG:
- API Gateway accepting HTTP traffic
- No redirect from HTTP to HTTPS
- Clients can connect via unencrypted channel

CORRECT:
- API Gateway: minimum TLS 1.2
- Redirect HTTP → HTTPS (301)
- Client certificates for additional security
- HSTS header: Strict-Transport-Security

❌ Exposed Environment Variables

WRONG:
export DATABASE_PASSWORD="MyPassword123"
console.log(process.env.DATABASE_PASSWORD)  # In logs

CORRECT:
- Use AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
- Inject as secret environment variables (redacted in logs)
- Never log secrets or sensitive configuration
- Rotate secrets annually

❌ Missing Network Isolation

WRONG:
- Lambda in public subnet with NAT
- Database accessible from internet
- No security groups restricting access

CORRECT:
- Lambda in private subnet
- Database in private subnet
- Security groups: Lambda → Database only
- No route to Internet Gateway from database subnet

Production Security Checklist

Before deploying to production, verify all items:

Identity & Access

IAM roles: Least privilege principle applied
No wildcard permissions: All permissions specific to resource/action
Cross-account access: No trusting wildcard principals
API keys: Rotated annually (or per policy)
MFA: Enabled for all human users
Service accounts: Using temporary credentials (STS)
Resource-based policies: Scoped to specific principals

Secrets Management

Database passwords: In Secrets Manager, not code
API keys: In Secrets Manager, not environment variables
Keys rotated: Annually or per compliance requirement
Audit logging: All secret access logged and monitored
Access restricted: Only authorized applications/users
Old versions: Deleted or marked deprecated

Encryption

Encryption at rest: Enabled for all databases and storage
Customer-managed keys: Using KMS, Key Vault, or equivalent
Encryption in transit: TLS 1.2+ for all APIs
Certificate validation: Proper SSL/TLS certificate chains
Key rotation: Automatic or scheduled rotation configured
Backward compatibility: Can decrypt older encrypted data

Network Security

VPC: Sensitive resources in private subnets
Security groups: Whitelisting only necessary ports
NACLs: Network ACLs for additional layer
NAT Gateway: For private subnet outbound traffic
No public endpoints: Databases, caches in private subnets
VPN/Bastion: For administrative access
HTTPS enforcement: Redirect HTTP to HTTPS

Data Protection

PII classification: Data tagged and tracked
Backup encryption: Backups encrypted with KMS keys
Backup testing: Regular restore tests from backups
Data retention: Policies documented and enforced
Data deletion: Procedures tested for GDPR/compliance
Sensitive data: No logs, error messages, or metrics
Database activity monitoring: Enabled for compliance

Logging & Monitoring

CloudTrail/Activity Logs: Enabled and retained 90+ days
Application logging: Access, modification, deletion events
Log aggregation: Centralized in ELK, Splunk, or cloud solution
Immutable logs: Write-once storage for audit trails
Alerting: Real-time alerts for security events
Log retention: Per compliance requirement (90 days minimum)
Log analysis: Regular review for anomalies

Deployment & CI/CD

Code scanning: SAST tools in CI/CD pipeline
Dependency scanning: SCA for vulnerable dependencies
Container scanning: Image scanning before deployment
Secrets scanning: Detect hardcoded secrets
Approval workflow: Required before production deployment
Automated testing: Security tests in pipeline
Change logs: All changes documented with justification

Compliance & Auditing

Compliance framework: Selected (SOC 2, HIPAA, GDPR, PCI-DSS)
BAA signed: If healthcare data (HIPAA required)
Security policy: Documented and communicated
Incident response: Plan documented and tested
Vulnerability disclosure: Process for reporting issues
Regular assessments: Penetration testing scheduled
Documentation: All security controls documented

Testing

Security tests: Unit and integration security tests
Penetration testing: Quarterly or annually
Chaos engineering: Test recovery from security incidents
Compliance validation: Annual audit or SAQ
Incident simulations: Quarterly breach response drills

When to Request Compliance Architecture

Request my help when:

User mentions regulated industry (healthcare, finance, payment processing)
Project involves customer data, personal information, or sensitive records
Requirements specify SOC 2, HIPAA, GDPR, PCI-DSS, or other compliance
User asks about security best practices or data protection
Deployment involves cross-border data transfer

Integration with Security Agent

Coordinate with Security Agent for:

Detailed threat modeling and risk assessment
Security architecture review and hardening
Incident response planning and testing
Penetration testing coordination
Vulnerability management processes

Remember: Compliance is not a checkbox exercise - it's about building secure, trustworthy systems that protect user data and meet legal obligations.

compliance-architecture