
Xperlock Secure Landing Zone Deployments

Establishing multi-account cloud governance, automated compliance checks, and isolated virtual networks that satisfy HIPAA, NIST 800-53 and NIST 800-171 controls.

Project Summary

Role: Lead Cloud Architect
Frameworks: Control Tower & Config Rules
Compliance: HIPAA / NIST 800-53 / NIST 800-171
Deployments: ACTRI, UCSD, UCR, UCI, ENACT
6+ Landing Zones Built
100% HIPAA / NIST Audits Passed

Figure: Xperlock Security Blueprint

Background & Business Challenge

Healthcare systems, clinical and translational research centers, and pharmaceutical organizations operate under heavy regulatory pressure. Designing architectures that support healthcare analytics, user collaboration, and data sharing while staying audit-ready (for HIPAA in particular) is a significant technical hurdle.

The challenge: Multiple research groups across the University of California system (UCSD Health, UCI Health, UC Riverside, ACTRI) ran fragmented AWS environments. Accounts lacked centralized access controls, unified logging, and standard network boundaries. There was an urgent need for a secure, repeatable, multi-account governance framework that enforces security guardrails automatically.

Solutions Architecture

We designed and implemented the Xperlock Secure Landing Zone blueprint. The design groups AWS accounts into distinct Organizational Units (OUs) managed by AWS Control Tower, with centralized logging, IAM Identity Center (SSO) for workforce access, and custom AWS Config Rules that audit security settings automatically.

AWS Organizations Root (Management Account: central billing & SCPs)

Core Services OU

  • Log Archive (S3 / Glacier)
  • Security Tooling (GuardDuty / Security Hub)

Healthcare Workloads OU

  • ACTRI (Research Compute)
  • UCSD Health Account
  • UCR Compliance Sandbox
  • CIPRA.ai Product Engine

DCE Student Sandbox OU

  • Disposable Student Sandboxes
  • Lambda Account Purger
  • SCP Budget Guardrails

Key Controls

  • AWS Control Tower & Service Catalog Vending: Automated, rapid deployment of new HIPAA-aligned accounts with standard security settings and network templates already configured.
  • HIPAA Config Conformance Packs: AWS Config checks that identify non-compliant resources (e.g. S3 buckets without approved default encryption, publicly reachable databases) and trigger automated Lambda remediation to isolate them.
  • VPC Endpoint Isolation & Private Repositories: Strictly private networks built on VPC endpoints, with private PyPI and CRAN package mirrors inside the HIPAA boundary, so workloads have no direct internet egress but researchers can still install packages.
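The conformance-pack pattern above (detect a non-compliant bucket, remediate it from Lambda) is shown below as an added example; it is not Xperlock's code. It implements a change-triggered AWS Config custom rule for AWS::S3::Bucket resources with a hypothetical rule parameter `requiredKmsKeyArn`, and the bucket name, key ARN and event in `SAMPLE_EVENT` are constructed test data. One caveat worth building in: since January 2023 S3 applies SSE-S3 to every bucket by default, so a check for "any encryption" is always satisfied; a HIPAA-meaningful rule asks for SSE-KMS with the customer-managed key the organization controls, which is what this rule does.

```python
"""Config custom rule for S3 default encryption, with Lambda auto-remediation.

Added illustration for the conformance-pack pattern; not Xperlock's code.
Assumptions: a change-triggered Config custom rule scoped to AWS::S3::Bucket
with a hypothetical `requiredKmsKeyArn` parameter; SAMPLE_EVENT is constructed.
"""
from __future__ import annotations

import json
from typing import Any

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/example-key-id"  # constructed


def _as_dict(value: Any) -> dict:
    """Config delivers some supplementaryConfiguration entries as JSON strings."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return {}
    return value or {}


def evaluate_bucket(item: dict, required_key_arn: str) -> tuple[str, str]:
    """Return (complianceType, annotation). Only SSE-KMS with the approved CMK passes;
    SSE-S3 (AES256), which S3 applies by default, does not meet a key-we-control bar."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "not an S3 bucket"
    if str(item.get("configurationItemStatus", "")).startswith("ResourceDeleted"):
        return NOT_APPLICABLE, "bucket deleted"
    supplementary = item.get("supplementaryConfiguration") or {}
    sse = _as_dict(supplementary.get("ServerSideEncryptionConfiguration"))
    rules = sse.get("rules") or []
    for rule in rules:
        default = _as_dict(rule.get("applyServerSideEncryptionByDefault"))
        if default.get("sseAlgorithm") == "aws:kms" and default.get("kmsMasterKeyID") == required_key_arn:
            return COMPLIANT, "SSE-KMS with approved CMK"
    if not rules:
        return NON_COMPLIANT, "no default encryption configured"
    return NON_COMPLIANT, "default encryption is not SSE-KMS with the approved CMK"


def remediate_bucket(s3, bucket: str, key_arn: str) -> None:
    """Isolate the bucket: force SSE-KMS default encryption and block all public access."""
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": key_arn},
            "BucketKeyEnabled": True}]},
    )
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    )


def lambda_handler(event: dict, context: Any = None, *, config_client=None, s3_client=None) -> dict:
    """Config custom-rule entry point; clients are injectable so this runs offline."""
    if config_client is None or s3_client is None:
        import boto3  # only needed when running inside Lambda
        config_client = config_client or boto3.client("config")
        s3_client = s3_client or boto3.client("s3")
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_bucket(item, params["requiredKmsKeyArn"])
    if compliance == NON_COMPLIANT:
        remediate_bucket(s3_client, item["resourceName"], params["requiredKmsKeyArn"])
        annotation += "; remediation applied"
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class RecordingClient:
    """Stand-in for a boto3 client that records calls instead of making them."""
    def __init__(self) -> None:
        self.calls: list[tuple[str, dict]] = []

    def __getattr__(self, name: str):
        def _call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return _call


SAMPLE_EVENT = {  # constructed: shape follows a change-triggered custom-rule invocation
    "resultToken": "example-token",
    "ruleParameters": json.dumps({"requiredKmsKeyArn": KEY_ARN}),
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::S3::Bucket",
            "resourceId": "phi-intake-example",
            "resourceName": "phi-intake-example",
            "configurationItemStatus": "ResourceDiscovered",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": json.dumps(
                {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]})},
        },
    }),
}

if __name__ == "__main__":
    cfg, s3 = RecordingClient(), RecordingClient()
    print(json.dumps(lambda_handler(SAMPLE_EVENT, config_client=cfg, s3_client=s3), indent=2))
    print([name for name, _ in s3.calls])  # put_bucket_encryption, put_public_access_block
```

In production the Lambda execution role needs `config:PutEvaluations`, `s3:PutEncryptionConfiguration` and `s3:PutBucketPublicAccessBlock` on the target accounts, and the remediation should be idempotent because Config re-evaluates the bucket after the change it just made.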

Notable Extensions

During the rollouts, custom integration modules were engineered to support specific requirements:

ENACT secure utilities

Developed a custom Active Directory Password Reset App integrated into secure VPC boundaries and built IAM-governed cross-account SFTP transfers using AWS Transfer Family.

Disposable Cloud Sandbox (DCE)

Designed serverless Lambda lifecycle tasks for UC Irvine that automate account creation and cleanup, with SCP guardrails that cap what students can launch so exercises cannot run up unexpected spend.
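The SCP budget guardrails mentioned for the DCE sandbox OU (here and in the architecture above) are shown below as an added example, not the project's own policy. The approved region, instance-type allowlist and statement Sids are assumptions. Because SCPs have no cost condition key, a "budget" guardrail works by denying the expensive primitives (large instance types, unexpected regions) and the actions that would let a student disable the controls; the small evaluator lets you dry-run candidate requests against the policy before attaching it, which avoids locking an OU out by accident.

```python
"""Student-sandbox SCP guardrails plus a local dry-run evaluator.

Added illustration for the DCE guardrails; not the project's code.
APPROVED_REGIONS, ALLOWED_INSTANCE_TYPES and the Sids are assumptions. The
evaluator models SCP Deny statements only (Action/NotAction and String*
conditions); it does not model Allow, Resource matching or identity policies.
"""
from __future__ import annotations

import fnmatch
import json

APPROVED_REGIONS = ["us-west-2"]            # assumption: one region for exercises
ALLOWED_INSTANCE_TYPES = ["t3.*", "t3a.*"]  # assumption: burstable types only
# Global services answer from us-east-1, so they must be carved out of the region deny.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*",
                          "budgets:*", "cloudfront:*", "route53:*"]


def build_sandbox_scp() -> dict:
    """Deny work outside the approved region, large instances, and guardrail tampering."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
         "NotAction": GLOBAL_SERVICE_ACTIONS, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}}},
        {"Sid": "DenyExpensiveInstanceTypes", "Effect": "Deny",
         "Action": ["ec2:RunInstances"], "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"StringNotLike": {"ec2:InstanceType": ALLOWED_INSTANCE_TYPES}}},
        {"Sid": "DenyGuardrailTampering", "Effect": "Deny",
         "Action": ["organizations:LeaveOrganization", "cloudtrail:StopLogging",
                    "cloudtrail:DeleteTrail", "config:StopConfigurationRecorder"],
         "Resource": "*"},
    ]}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _like(patterns: list[str], value: str) -> bool:
    """IAM-style wildcard match (* and ?), case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _action_in_scope(stmt: dict, action: str) -> bool:
    if "Action" in stmt:
        return _like(_as_list(stmt["Action"]), action)
    return not _like(_as_list(stmt["NotAction"]), action)


_OPERATORS = {
    "StringEquals": lambda actual, allowed: actual in allowed,
    "StringNotEquals": lambda actual, allowed: actual not in allowed,
    "StringLike": lambda actual, allowed: _like(allowed, actual),
    "StringNotLike": lambda actual, allowed: not _like(allowed, actual),
}


def _conditions_hold(conditions: dict, ctx: dict) -> bool:
    for operator, pairs in conditions.items():
        for key, allowed in pairs.items():
            actual = ctx.get(key)
            # A key absent from the request context never satisfies a standard
            # (non-IfExists) operator, so the Deny does not fire on it.
            if actual is None or not _OPERATORS[operator](actual, _as_list(allowed)):
                return False
    return True


def scp_denies(policy: dict, action: str, ctx: dict) -> str | None:
    """Return the Sid of the first Deny statement matching the request, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _action_in_scope(stmt, action) \
                and _conditions_hold(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


# Constructed sample requests a student might make from a sandbox account.
SAMPLE_REQUESTS = [
    ("ec2:RunInstances", {"aws:RequestedRegion": "us-west-2", "ec2:InstanceType": "t3.micro"}),
    ("ec2:RunInstances", {"aws:RequestedRegion": "us-west-2", "ec2:InstanceType": "p4d.24xlarge"}),
    ("s3:CreateBucket", {"aws:RequestedRegion": "eu-central-1"}),
    ("iam:CreateRole", {"aws:RequestedRegion": "us-east-1"}),
    ("cloudtrail:StopLogging", {"aws:RequestedRegion": "us-west-2"}),
]


def dry_run(policy: dict | None = None) -> dict[str, str | None]:
    """Map each sample request to the Sid that denies it (None = not blocked by this SCP)."""
    policy = policy or build_sandbox_scp()
    return {f"{action} {json.dumps(ctx, sort_keys=True)}": scp_denies(policy, action, ctx)
            for action, ctx in SAMPLE_REQUESTS}


if __name__ == "__main__":
    print(json.dumps(build_sandbox_scp(), indent=2))
    for request, verdict in dry_run().items():
        print(f"{verdict or 'not denied':28} {request}")
```

Two design points: the region statement uses `NotAction` rather than `Action: "*"` because IAM, STS and the other global services are always requested from us-east-1 and would otherwise be blocked, and the instance-type statement is scoped to `ec2:RunInstances` so the `ec2:InstanceType` key is always present when it is evaluated. Remember that an SCP never grants access; the sandbox identities still need ordinary IAM permissions for anything the SCP leaves open.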

Technologies Used

  • AWS Organizations
  • AWS Control Tower
  • AWS Config
  • Security Hub
  • KMS Encryption
  • IAM Identity Center (SSO)
  • AWS Directory Service
  • AWS Transfer Family
  • Terraform
  • Python Automation