I'm looking for input regarding compliance requirements for data encryption over carrier WAN circuits (MPLS, L2 VPN, etc.).
One particular customer is demanding encryption for their MPLS connectivity (due to HIPAA compliance reqs), but they also have dedicated P2P optical circuits between a couple of locations, as well as some data center interconnect (DCI) with a hosting provider for data replication. While MPLS is multi-tenant by nature, their P2P optical circuit is not (at least their wave/lambda isn't) - same for the DCI. HIPAA states a requirement for “encryption for all data in transit.” I’ve seen a lot of fluidity in satisfying compliance reqs in the past (especially with PCI), where some partial effort in a particular req will be sufficient to check the box. That said, there’s no wiggle room on what’s in quotes here, so I’m looking for any input regarding whether these reqs might also apply to links that are not “multi-tenant” by nature, such as the dedicated optical circuit.
This largely boils down to equipment (router/firewall sizing), but if there were some relaxed requirements for non-MPLS WAN circuits to still satisfy the HIPAA checkbox, that's what we're looking for.
Thank you
If you do, then you might choose a hardware or software implementation.
Normally TLS encryption is sufficient + there may be requirements for a certain level of cipher to use.
Refer to any HIPAA or MIL specs or any other specs required by both producers + consumers using the line.
The main point about HIPAA is it's easy to secure a line + becomes very difficult to control outside the line.
For example, let's say someone sends an email over a HIPAA encrypted line, from one end to the other. If the email must leave the HIPAA encrypted connection to reach its final destination, then you'll configure your outgoing MTA to only connect to other MX records which enforce Opportunistic TLS connections... In other words, you must ensure your email only moves between MTAs as encrypted.
If there's ever a chance of additional delivery past the MX endpoint, then you'll use S/MIME to actually encrypt the message.
Figuring out every detail of any encryption compliance is complex.
There is no... one size fits all solution... Each enterprise + related workflow is best analyzed, then infrastructure built to support all compliance guidelines.
Tip: None of this requires point to point networks. For example, if you use HTTPS + IMAP4S + S/MIME with strong ciphers, you'll accomplish compliance easily... in a few hours, rather than weeks or months of tooling.
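A concrete way to implement the "only moves between MTAs as encrypted" point from the answer above, as an added example that is not part of the original post: a Postfix main.cf excerpt showing the opportunistic setting (commented out) beside the enforcing one, plus a per-destination policy table for partners that receive PHI. The domain names and file paths are hypothetical; the parameter names are standard Postfix settings. Note that Postfix's `may` level is opportunistic and silently falls back to cleartext when the remote MX offers no STARTTLS, which is why the enforcing levels are used here.

```ini
# /etc/postfix/main.cf (hypothetical excerpt, outbound side)

# Weak: opportunistic TLS. STARTTLS is offered, but delivery falls back to
# cleartext if the remote MX does not support it, so PHI can leave unencrypted.
# smtp_tls_security_level = may

# Enforcing default: defer delivery rather than send without TLS.
smtp_tls_security_level = encrypt
# Refuse legacy protocol versions and weak cipher grades on mandatory-TLS sessions.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high
# Trust store used when a policy entry requires certificate verification.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Log the TLS level negotiated per delivery so audits can show it was encrypted.
smtp_tls_loglevel = 1

# Per-destination overrides; stricter than the global default for known partners.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy (hypothetical; run "postmap /etc/postfix/tls_policy" after edits)
# Partner MX certificate must chain to a trusted CA and match the listed name,
# which also defeats MITM downgrade and certificate substitution, not just sniffing.
# partner-clinic.example   secure match=.partner-clinic.example
# Hosting provider that publishes DNSSEC-signed TLSA records: authenticate via DANE only.
# hosting.example          dane-only
```

Inbound enforcement (`smtpd_tls_security_level = encrypt`) is appropriate only on a relay that exchanges mail solely with known partners; RFC 3207 says a publicly referenced MX must not require STARTTLS for local delivery, so a public MX stays at `may` and relies on the sender's policy instead.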