mario00
 asked on

AWS encryption while data travels in a private network; HIPAA compliance with AWS instances

Please see the graphic of our infrastructure. We need to look for a solution that enables us to encrypt the data while it travels through the network.
We have a Java app with front-end web services, a business logic server in C/C++, and an Oracle DB at rest.
Data needs to be encrypted while it travels.
Please advise.
(Attached image: 1-R-5zIESBdfm8wzHU_v0Evg.png, the infrastructure diagram)
Tags: Encryption, AWS, Cloud Computing, Java, C

Last comment: Shalom Carmel

8/22/2022 - Mon
Ben McNelly

Looks like an interesting technical problem; however, I just want to point out that HIPAA is mostly concerned with keeping people from outside from snooping on traffic. If you are using SSL-secured traffic (HTTPS) to move data between AWS instances and things are on their own VLAN, where are you concerned about the data not being encrypted?
Shalom Carmel

  • Use SSL for all web services and SOAP interfaces between the application modules. That includes RPC over HTTPS. Do not use self-signed certificates anywhere; buy cheap wildcard certs instead.
  • If you plan to use other protocols like file transfer between your servers, choose secure protocols like SSH/SFTP. There are SFTP services for all operating systems, including Windows.
  • Do not use shared folders to transfer data between application components.
  • Use SSL or Oracle NNE to secure communications with Oracle RDS.
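The first and last bullets above, as an added Java example that is not code from this thread or from any of the posters: a client that only calls the business-logic web service over HTTPS with a CA-validated certificate (no trust-all trust manager, no custom hostname verifier), and an Oracle thin-driver connection that requires Oracle Native Network Encryption (NNE) and integrity checking. On Amazon RDS for Oracle, NNE has to be enabled on the instance's option group before the client side can require it. The trust store path, host names, credentials and service name are placeholders.

```java
// Added example, not part of the original thread: enforce TLS to the
// application tier and Oracle NNE to the database tier from a Java client.
// All hosts, paths and credentials are placeholders.
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class EncryptedTransit {

    /** Builds a TLS 1.2 context that trusts only the CA certificates in the given trust store. */
    static SSLContext tlsContext(String trustStorePath, char[] trustStorePass) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            ts.load(in, trustStorePass);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null); // client auth not used here
        return ctx;
    }

    /** Calls a web service endpoint and refuses anything that is not https://. */
    static int callService(SSLContext ctx, String serviceUrl) throws IOException {
        URL url = new URL(serviceUrl);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("refusing plaintext endpoint: " + serviceUrl);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default hostname verifier is kept on purpose: never install one that
        // returns true unconditionally, that is how self-signed certs get "accepted".
        conn.setRequestMethod("GET");
        return conn.getResponseCode();
    }

    /** Oracle thin-driver connection that requires NNE encryption and checksums. */
    static Connection oracleWithNne(String jdbcUrl, String user, char[] password) throws SQLException {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", new String(password));
        // REQUIRED (not REQUESTED/ACCEPTED): the connection fails rather than
        // silently falling back to cleartext if the server does not negotiate NNE.
        p.setProperty("oracle.net.encryption_client", "REQUIRED");
        p.setProperty("oracle.net.encryption_types_client", "( AES256 )");
        p.setProperty("oracle.net.crypto_checksum_client", "REQUIRED");
        p.setProperty("oracle.net.crypto_checksum_types_client", "( SHA256 )");
        return DriverManager.getConnection(jdbcUrl, p);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder trust store holding the CA that issued the wildcard cert.
        SSLContext ctx = tlsContext("/etc/app/truststore.p12", "changeit".toCharArray());
        int status = callService(ctx, "https://bizlogic.internal.example/api/health");
        System.out.println("web service HTTP status: " + status);

        // Placeholder RDS endpoint; the instance's option group must have NNE enabled.
        try (Connection c = oracleWithNne(
                "jdbc:oracle:thin:@//oracle-rds.internal.example:1521/ORCL",
                "app", "placeholder-password".toCharArray())) {
            System.out.println("Oracle connection usable: " + c.isValid(5));
        }
    }
}
```

The two settings that matter for the compliance question are the ones that make failure loud: `callService` throws on a non-HTTPS URL instead of quietly sending cleartext, and `oracle.net.encryption_client=REQUIRED` makes the JDBC driver refuse a session the server will not encrypt. If you prefer TLS to the database over NNE, the RDS SSL option and the driver's `javax.net.ssl.trustStore` properties replace the four `oracle.net.*` lines.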
mario00

ASKER
Under the AWS BAA, you must identify each account that contains PHI as a HIPAA account. You may use any AWS service within that account; however, you may only process, store, or transmit PHI on eligible services. You can use services such as AWS Lambda, AWS OpsWorks, and Amazon EC2 Container Service (Amazon ECS) to orchestrate and schedule EC2 instances as long as the actual PHI is processed on EC2 and stored in S3 (or other eligible services). You must still ensure that EC2 instances processing, storing, or transmitting PHI are launched in dedicated tenancy and that PHI is encrypted at rest and in transit. Any application metadata stored in Lambda functions, Chef scripts, or task metadata must not contain PHI.
ASKER CERTIFIED SOLUTION
Shalom Carmel

David Jones

I've done some OTP (One Time Token) and some fun encryption / decryption with AWS Lambda. Return an OTP Token based on key salt:
https://vyigudykbb.execute-api.us-east-1.amazonaws.com/prod/ViXiV-Lambda?method=OTP&key=123

Time (OTP) based Encryption system (not very secure but fun):
https://vyigudykbb.execute-api.us-east-1.amazonaws.com/prod/ViXiV-Lambda?method=ENC&CustID=123&txt=This%20is%20a%20Test
Outputs something like:
Encrypted: "5ea0d540fa0980c1dfb2a43ffd75" Secret: "25327332267627" Token: "166825"

To decrypt, you need the secret and the OTP token, or the secret and the exact millisecond the message was sent/processed to regenerate the token:
https://vyigudykbb.execute-api.us-east-1.amazonaws.com/prod/ViXiV-Lambda?method=DEC&CustID=123&txt=5ea0d540fa0980c1dfb2a43ffd75&secret=25327332267627&token=166825

Better encryption systems can be built with AWS Lambda though ;-)

BTW, the reason I find this system fun is that it is tied to an OTP token, so every time you try to encrypt your text, it is different as long as 15-30 seconds have passed (new OTP token). So if someone got the message within 30 seconds, they could generate an OTP token on their own system and decrypt the message, but if it's longer than 30 seconds you must have the token or the time the message was created. The longer the time ticks away from the time that OTP token was generated, the more the message gets garbled. It's not very secure, because if you know the time the message was encrypted plus the OTP seed and you know the secret, you can decrypt the message by regenerating/reconstructing the OTP token, but I find it amusing.
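The time-based token the post above relies on, as an added Java example that is not David's Lambda code (the thread does not show his algorithm) but a standard RFC 6238 TOTP: HMAC-SHA1 over the number of 30-second steps since the Unix epoch, truncated to six digits. It shows the property the post describes, namely that anyone holding the seed and knowing the time regenerates the same token, which is why a TOTP is an authenticator and not a substitute for an encryption key. The 30-second step, six digits and the seed value are assumptions chosen here; the seed is the RFC 6238 Appendix B test seed.

```java
// Added example, not part of the original thread: RFC 6238 TOTP generation
// and verification. Step size, digit count and the sample seed are assumptions.
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Totp {
    static final long STEP_SECONDS = 30; // token changes every 30 s, as in the post
    static final int DIGITS = 6;

    /** TOTP for the given shared seed at the given Unix time (seconds). */
    static String totp(byte[] seed, long unixSeconds) throws Exception {
        long counter = unixSeconds / STEP_SECONDS;          // RFC 6238 time step T
        byte[] msg = ByteBuffer.allocate(8).putLong(counter).array(); // big-endian 8 bytes
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(seed, "HmacSHA1"));
        byte[] h = mac.doFinal(msg);
        // RFC 4226 dynamic truncation: low nibble of last byte selects a 4-byte window.
        int offset = h[h.length - 1] & 0x0f;
        int bin = ((h[offset] & 0x7f) << 24)
                | ((h[offset + 1] & 0xff) << 16)
                | ((h[offset + 2] & 0xff) << 8)
                | (h[offset + 3] & 0xff);
        int code = bin % (int) Math.pow(10, DIGITS);
        return String.format("%0" + DIGITS + "d", code);
    }

    /** Accepts the current step and one step either side to absorb clock skew. */
    static boolean verify(byte[] seed, String code, long unixSeconds) throws Exception {
        byte[] given = code.getBytes(StandardCharsets.US_ASCII);
        for (long t = unixSeconds - STEP_SECONDS; t <= unixSeconds + STEP_SECONDS; t += STEP_SECONDS) {
            byte[] expected = totp(seed, t).getBytes(StandardCharsets.US_ASCII);
            if (MessageDigest.isEqual(expected, given)) { // constant-time compare
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        byte[] seed = "12345678901234567890".getBytes(StandardCharsets.US_ASCII); // RFC 6238 test seed
        long t = 59; // RFC 6238 Appendix B sample timestamp
        String token = totp(seed, t);
        System.out.println("token at t=" + t + ": " + token);
        // Same seed, same 30-second window: the token is reproduced, not guessed.
        System.out.println("verify at t+10 s: " + verify(seed, token, t + 10));
        // Two full steps later the old token is outside the accepted window.
        System.out.println("verify at t+90 s: " + verify(seed, token, t + 90));
        System.out.println("token now: " + totp(seed, System.currentTimeMillis() / 1000));
    }
}
```

With the RFC 6238 seed and timestamp, the value printed for `t=59` is the last six digits of the RFC's eight-digit HMAC-SHA1 entry, so the implementation can be checked against the RFC's own tables. The `verify` window is the usual way to tolerate clock skew between the two sides; widening it beyond one step buys convenience at the cost of a longer replay window.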
Shalom Carmel

relevant answer, no response