Establishing multi-account cloud governance, automated compliance trackers, and isolated virtual networks matching strict HIPAA, NIST 800-53, and NIST 800-171 controls.
| | |
|---|---|
| Role: | Lead Cloud Architect |
| Frameworks: | Control Tower & Config Rules |
| Compliance: | HIPAA / NIST 800-53 / NIST 800-171 |
| Deployments: | ACTRI, UCSD, UCR, UCI, ENACT |
Healthcare systems, clinical translational research centers, and pharmaceutical agencies operate under heavy regulatory pressure. Designing architectures that support healthcare analytics, user collaboration, and data sharing while preserving audit readiness (e.g. HIPAA compliance) is a significant technical hurdle.
The challenge: Multiple research groups across the University of California system (UCSD Health, UCI Health, UC Riverside, ACTRI) possessed fragmented AWS setups. Accounts lacked centralized access controls, unified logging, and standard network boundaries. There was an urgent need to build a secure, repeatable, multi-account governance framework that enforces security guardrails automatically.
We created and implemented the Xperlock Secure Landing Zone blueprint. The design structures the AWS accounts into distinct Organizational Units (OUs) managed by AWS Control Tower, incorporating centralized logging, IAM Identity Center (SSO), and custom AWS Config Rules to audit security settings automatically.
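The custom AWS Config Rules in the blueprint are the automated audit layer: Config invokes a Lambda function with a configuration item whenever a resource changes, and the function reports COMPLIANT or NON_COMPLIANT back. The following is an added illustration of that pattern, not code from the Xperlock blueprint itself. It evaluates a hypothetical rule (named `sg-no-world-admin-ingress` here) that flags security groups exposing SSH or RDP to `0.0.0.0/0` or `::/0`. The configuration item field names (`ipPermissions`, `ipv4Ranges`, `cidrIp`, `ipv6Ranges`, `cidrIpv6`, the older string-valued `ipRanges`) follow the `AWS::EC2::SecurityGroup` shape as I know it; treat them as an assumption to verify against a real recorded item. The sample event at the bottom is constructed.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Added example of a custom AWS Config rule evaluator (hypothetical rule
# "sg-no-world-admin-ingress"); not the page's own code.
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # SSH and RDP must never be reachable from the whole internet


def _cidrs(perm: Dict[str, Any]) -> List[str]:
    """Collect every CIDR on one ipPermissions entry (assumed CI field shapes)."""
    ranges: List[Optional[str]] = []
    for r in perm.get("ipRanges", []):           # older shape: list of strings
        ranges.append(r if isinstance(r, str) else r.get("cidrIp"))
    for r in perm.get("ipv4Ranges", []):         # newer shape: [{"cidrIp": ...}]
        ranges.append(r.get("cidrIp"))
    for r in perm.get("ipv6Ranges", []):         # [{"cidrIpv6": ...}]
        ranges.append(r.get("cidrIpv6"))
    return [c for c in ranges if c]


def _covers_admin_port(perm: Dict[str, Any]) -> bool:
    """True if the permission reaches port 22 or 3389 (or all traffic/all ports)."""
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":                             # "all traffic"
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    if lo is None or hi is None:                  # tcp with no range = every port
        return True
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def evaluate_security_group(configuration: Dict[str, Any]) -> Tuple[str, str]:
    """Return (ComplianceType, Annotation) for one security group configuration."""
    findings = []
    for perm in configuration.get("ipPermissions", []):
        if not _covers_admin_port(perm):
            continue
        for cidr in _cidrs(perm):
            if cidr in ANYWHERE:
                findings.append(f"{perm.get('ipProtocol')} "
                                f"{perm.get('fromPort')}-{perm.get('toPort')} from {cidr}")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]   # Annotation limit is 256 chars
    return "COMPLIANT", "No world-reachable admin ingress"


def build_evaluation(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Turn the Config invocation event into one PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        return None                               # rule does not apply to this resource
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, note = "NOT_APPLICABLE", "Resource deleted"
    else:
        compliance, note = evaluate_security_group(item.get("configuration") or {})
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, str]:
    evaluation = build_evaluation(event)
    if evaluation is None:
        return {"status": "skipped"}
    import boto3  # imported lazily so the evaluation logic above runs offline in tests
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return {"status": evaluation["ComplianceType"]}


# Constructed sample event: a security group with SSH open to the world.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"configurationItem": {
        "resourceType": "AWS::EC2::SecurityGroup",
        "resourceId": "sg-0123456789abcdef0",          # constructed id
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
        ]},
    }}),
    "ruleParameters": "{}",
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(build_evaluation(SAMPLE_EVENT), indent=2))
```

Keeping the decision logic in a pure function (`evaluate_security_group`) and the AWS call in the handler is what makes a rule like this unit-testable in CI before it is deployed to every account in the organization; the handler also returns NOT_APPLICABLE for deleted resources so stale findings clear themselves.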
During the rollouts, custom integration modules were engineered to support specific requirements:
- Developed a custom Active Directory Password Reset App integrated into secure VPC boundaries and built IAM-governed cross-account SFTP transfers using AWS Transfer Family.
- Designed serverless Lambda lifecycle tasks for UC Irvine to automate account generation and cleanup, applying SCP guardrails to prevent budget overflows during student exercises.
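Service Control Policies are the mechanism behind the budget guardrails on the student-exercise accounts: an SCP attached to the OU denies an action organization-wide regardless of the IAM permissions inside the account. The block below is an added example, not the policy used in the UC Irvine rollout. It generates a deny-only SCP that blocks `ec2:RunInstances` for any instance type outside an allow-list, and includes a small local evaluator so the policy can be unit-tested before it is attached. The allow-list is constructed; the evaluator only understands the `StringLike` / `StringNotLike` operators on `ec2:InstanceType` that this policy uses and is not a general IAM policy engine.

```python
import json
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# Added example of an SCP budget guardrail plus a minimal local evaluator;
# not the project's own policy. ALLOWED_INSTANCE_TYPES is a constructed allow-list.
ALLOWED_INSTANCE_TYPES = ["t3.micro", "t3.small", "t3.medium"]


def build_instance_type_scp(allowed: List[str]) -> Dict[str, Any]:
    """Deny-only SCP: RunInstances is refused unless ec2:InstanceType is on the list.
    IAM wildcards (* and ?) are permitted in the list entries, e.g. "t3.*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInstanceTypesOutsideAllowList",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": ["arn:aws:ec2:*:*:instance/*"],
            "Condition": {"StringNotLike": {"ec2:InstanceType": list(allowed)}},
        }],
    }


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def scp_denies(policy: Dict[str, Any], action: str, instance_type: str) -> bool:
    """Local check: does any Deny statement in the SCP match this request?
    Only the condition operators used by build_instance_type_scp are supported."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # Action elements may contain IAM wildcards, so match with fnmatch semantics.
        if not any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            continue
        matched = True
        for operator, key_values in stmt.get("Condition", {}).items():
            patterns = _as_list(key_values.get("ec2:InstanceType", []))
            hit = any(fnmatchcase(instance_type, p) for p in patterns)
            if operator == "StringNotLike":
                matched = matched and not hit
            elif operator == "StringLike":
                matched = matched and hit
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
        if matched:
            return True
    return False


if __name__ == "__main__":
    policy = build_instance_type_scp(ALLOWED_INSTANCE_TYPES)
    print(json.dumps(policy, indent=2))
    for itype in ("t3.micro", "p3.16xlarge"):
        verdict = "DENIED" if scp_denies(policy, "ec2:RunInstances", itype) else "allowed"
        print(f"RunInstances {itype}: {verdict}")
```

Two points a practitioner should keep in mind when attaching a policy like this: an SCP never grants anything, so the OU must still carry an Allow policy (the default `FullAWSAccess`) for the permitted instance types to work, and SCPs do not apply to the management account, which is one more reason the student accounts live in their own OU.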