mario00
AWS encryption while data travels in a private network: HIPAA compliance with AWS instances

Please see the graphic of our infrastructure. We need to find a solution that lets us encrypt the data while it travels through the network.
We have a Java app front end with web services, a business logic server in C/C++, and an Oracle DB at rest.
Data needs to be encrypted while it travels.
Please advise.
[Attached image: 1-R-5zIESBdfm8wzHU_v0Evg.png (infrastructure diagram)]
Ben McNelly
Looks like an interesting technical problem; however, I just want to point out that HIPAA is mostly concerned with keeping people from outside from snooping on traffic. If you are using SSL-secured traffic (HTTPS) to move data between AWS instances and things are on their own VLAN, where are you concerned about the data not being encrypted?
Shalom Carmel
  • Use SSL for all web services and SOAP interfaces between the application modules. That includes RPC over HTTPS. Do not use self-signed certificates anywhere, buy cheap wildcard certs instead.
  • If you plan to use other protocols like file transfer between your servers, choose secure protocols like ssh/sftp. There are sftp services for all operating systems, including Windows.
  • Do not use shared folders to transfer data between application components.
  • Use SSL or Oracle NNE to secure communications with Oracle RDS.
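The last bullet is the one most often left half-done: Oracle Native Network Encryption defaults to ACCEPTED, which negotiates encryption only if the peer asks for it, so a plaintext session is still possible. The following is an added example (not code from this thread) that shows a weak sqlnet.ora fragment beside a hardened one and a small audit function that flags any setting short of REQUIRED. The parameter names are Oracle's NNE parameters (on Amazon RDS the same names are set through the NATIVE_NETWORK_ENCRYPTION option in an option group); both configuration fragments are constructed samples.

```python
"""
Added example (not from the thread): check that Oracle Native Network
Encryption (NNE) is required, not merely accepted, on the server side.

The parameter names are Oracle's sqlnet.ora / RDS option-group settings;
the two configuration fragments below are constructed samples.
"""

# Constructed sample: the Oracle defaults. Encryption is negotiated only if
# the client asks for it, so an unencrypted session is still possible.
WEAK_SQLNET = """
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_128, AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED
"""

# Constructed sample: encryption and integrity are mandatory; a client that
# cannot negotiate AES256 with SHA-256 checksums is refused.
HARDENED_SQLNET = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
"""

STRONG_CIPHERS = {"AES256", "AES192", "AES128"}
STRONG_CHECKSUMS = {"SHA256", "SHA384", "SHA512"}


def parse_sqlnet(text):
    """Parse KEY = VALUE lines; '(A, B)' lists become Python lists. Keys are upper-cased."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            params[key.upper()] = [v.strip().upper() for v in value[1:-1].split(",") if v.strip()]
        else:
            params[key.upper()] = value.upper()
    return params


def audit_nne(text, side="SERVER"):
    """Return a list of findings; an empty list means encryption in transit is enforced."""
    p = parse_sqlnet(text)
    findings = []
    # Oracle's default for both knobs is ACCEPTED, hence the fallback value.
    enc = p.get(f"SQLNET.ENCRYPTION_{side}", "ACCEPTED")
    if enc != "REQUIRED":
        findings.append(f"SQLNET.ENCRYPTION_{side} is {enc}; plaintext sessions are still negotiable")
    weak = [c for c in p.get(f"SQLNET.ENCRYPTION_TYPES_{side}", []) if c not in STRONG_CIPHERS]
    if weak:
        findings.append(f"weak encryption algorithms offered: {', '.join(weak)}")
    chk = p.get(f"SQLNET.CRYPTO_CHECKSUM_{side}", "ACCEPTED")
    if chk != "REQUIRED":
        findings.append(f"SQLNET.CRYPTO_CHECKSUM_{side} is {chk}; packets can be altered in transit")
    weak_chk = [c for c in p.get(f"SQLNET.CRYPTO_CHECKSUM_TYPES_{side}", []) if c not in STRONG_CHECKSUMS]
    if weak_chk:
        findings.append(f"weak checksum algorithms offered: {', '.join(weak_chk)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SQLNET), ("hardened", HARDENED_SQLNET)):
        print(name, audit_nne(cfg) or ["OK: encryption and integrity required"])
```

The same check applies to the client side with `side="CLIENT"` against the client's sqlnet.ora; for the Java front end using the thin JDBC driver, the equivalent connection properties are `oracle.net.encryption_client=REQUIRED` and `oracle.net.crypto_checksum_client=REQUIRED`. Requiring it on only one end means a misconfigured peer can still fall back to plaintext.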
mario00
ASKER
Under the AWS BAA, you must identify each account that contains PHI as a HIPAA account. You may use any AWS service within that account; however, you may only process, store, or transmit PHI on eligible services. You can use services such as AWS Lambda, AWS OpsWorks, and Amazon EC2 Container Service (Amazon ECS) to orchestrate and schedule EC2 instances as long as the actual PHI is processed on EC2 and stored in S3 (or other eligible services). You must still ensure that EC2 instances processing, storing, or transmitting PHI are launched in dedicated tenancy and that PHI is encrypted at rest and in transit. Any application metadata stored in Lambda functions, Chef scripts, or task metadata must not contain PHI.
ASKER CERTIFIED SOLUTION
Shalom Carmel
This solution is only available to members.
I've done some OTP (One Time Token) and some fun encryption / decryption with AWS Lambda. Return an OTP Token based on key salt:
https://vyigudykbb.execute-api.us-east-1.amazonaws.com/prod/ViXiV-Lambda?method=OTP&key=123

Time (OTP) based Encryption system (not very secure but fun):
https://vyigudykbb.execute-api.us-east-1.amazonaws.com/prod/ViXiV-Lambda?method=ENC&CustID=123&txt=This%20is%20a%20Test
Outputs something like:
Encrypted: "5ea0d540fa0980c1dfb2a43ffd75" Secret: "25327332267627" Token: "166825"

To decrypt you need the secret and the OTP token, or the secret and the exact millisecond the message was sent/processed to regenerate the token:
https://vyigudykbb.execute-api.us-east-1.amazonaws.com/prod/ViXiV-Lambda?method=DEC&CustID=123&txt=5ea0d540fa0980c1dfb2a43ffd75&secret=25327332267627&token=166825

Better encryption systems can be built with AWS Lambda though ;-)

BTW, the reason I find this system fun is that it is tied to an OTP token, so every time you try to encrypt your text, the result is different as long as 15-30 seconds have passed (new OTP token). So if someone got the message within 30 seconds they could generate an OTP token on their own system and decrypt the message, but if it's longer than 30 seconds you must have the token or the time the message was created. The longer time ticks away from the time that OTP token was generated, the more the message gets garbled. It's not very secure because if you know the time the message was encrypted plus the OTP seed and you know the secret, you can decrypt the message by regenerating / reconstructing the OTP token, but I find it amusing.
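To make the time-window behaviour described in that comment concrete, here is an added example that is not the commenter's Lambda code: a reconstruction in which the token is an RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) over a per-customer secret, and the message is XORed with an HMAC-SHA256 keystream derived from the secret and the token. One deliberate departure: an HMAC tag is appended, so decrypting with a token from the wrong window is detected and refused instead of returning garbled bytes. The function names and the sample secret are constructed for this example.

```python
"""
Added example (not the commenter's Lambda code): a reconstruction of the
OTP-keyed encryption described above, with a tag so that a wrong token is
detected rather than yielding garbled output.

Because the token is only 6 digits, anyone holding the secret can recover the
token by trying all 10**6 values (or by regenerating it from the time), so the
secret is the real key; that is the weakness the commenter describes.
"""

import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
TAG_LEN = 16


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 time-based one-time password for the window containing unix_time."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _keystream(secret: bytes, token: str, length: int) -> bytes:
    """Expand (secret, token) into `length` bytes with counter-mode HMAC-SHA256."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(secret, token.encode() + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(secret: bytes, plaintext: bytes, unix_time: float):
    """Return (ciphertext_hex, token). The token must be kept or regenerated from the time."""
    token = totp(secret, unix_time)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(secret, token, len(plaintext))))
    tag = hmac.new(secret, token.encode() + body, hashlib.sha256).digest()[:TAG_LEN]
    return (body + tag).hex(), token


def decrypt(secret: bytes, ciphertext_hex: str, token: str):
    """Return the plaintext, or None when the token (or secret) does not match."""
    data = bytes.fromhex(ciphertext_hex)
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(secret, token.encode() + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):                # wrong window or wrong secret
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(secret, token, len(body))))


# Constructed sample secret, standing in for the per-CustID "Secret" value in the thread.
SECRET = b"25327332267627"


def demo():
    """Same 30-second window decrypts; a token from a later window is rejected."""
    t0 = 56_666_666 * STEP_SECONDS    # start of a window, so t0 + 10 is still inside it
    ct, token = encrypt(SECRET, b"This is a Test", t0)
    same_window = decrypt(SECRET, ct, totp(SECRET, t0 + 10))
    next_window = decrypt(SECRET, ct, totp(SECRET, t0 + 60))
    return same_window, next_window, token


if __name__ == "__main__":
    print(demo())
```

The tag is what turns "the message gets garbled" into a hard failure, which is the behaviour you want from any real transport encryption: a receiver should never act on bytes it cannot authenticate. For PHI in transit the thread's earlier advice stands: TLS between every component, with keys that are not derivable from a clock and a six-digit code.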