When you are creating a HIPAA-compliant system on a cloud service like AWS / EC2 / S3, you have to carefully examine the different levels of data security provided by the cloud service provider.
At a minimum level, the following should be ascertained:
i) Where is the cloud provider’s data center physically located? In some countries, HIPAA restricts Protected Health Information ( PHI ) from being stored on servers located outside of the country.
ii) Is the cloud provider contractually obligated to protect the customer’s data at the same level as the customer’s own internal policies?
iii) Cloud provider’s Backup and Recovery policies
iv) What are the provider’s policies on data handling/management and access control? Do adequate controls exist to prevent impermissible copying or removal of customer data by the provider, or by unauthorized employees of the company?
v) What happens to data when it is deleted? This is very important, as customers will be storing data on virtual machines. Also, what happens to cloud hardware when the hardware is replaced?
In this blog we are only looking at the different security measures to be taken by the application developer to make sure that a web application built on AWS / EC2 using Windows Server 2008 / .NET / MSSQL / IIS 7 is HIPAA compliant. The basic requirement is to encrypt all data at rest and in transit.
1 ) Encrypting Data in transit between the user ( clients ) and the server ( Webserver )
SSL over HTTP ( HTTPS )
Steps used to Implement SSL on IIS are the following:
[bash]
1. Open IIS Manager.
2. Click on the server name.
3. Double-click the “Server Certificates” button in the “Security” section.
4. Click on self-signed certificate.
5. Enter certificate name and click OK.
6. Select the name of the server to which the certificate was installed.
7. From the “Actions” menu (on the right), click on “Bindings.” This will open the “Site Bindings” window.
8. In the “Site Bindings” window, click “Add.” This will open the “Add Site Binding” window.
9. Under “Type” choose https. The IP address should be the IP address of the site, and the port over which traffic will be secured by SSL is usually 443. The “SSL Certificate” field should specify the certificate that was installed in step 5.
10. Click “OK.” SSL is now installed.
[/bash]
2 ) Encrypting Data at Rest ( Document Root )
EFS with IIS
You can use EFS ( Encrypted File System ) in Windows 2008 Server to automatically encrypt your data when it is stored on the hard disk.
Encrypt a Folder:
[bash]
1. Open Windows Explorer.
2. Right-click the folder that you want to encrypt , and then click Properties.
3. On the General tab, click Advanced.
4. Under Compress or Encrypt attributes, select the Encrypt contents to secure data check box and then click OK.
5. Click OK.
6. In the Confirm Attribute Changes dialog box that appears, use one of the following steps:
i) If you want to encrypt only the folder, click Apply changes to this folder only, and then click OK.
ii) If you want to encrypt the existing folder contents along with the folder, click Apply changes to this folder, subfolders and files, and then click OK.
[/bash]
The folder becomes an encrypted folder. New files that you create in this folder are automatically encrypted.
3 ) Encrypting MSSQL Database ( Data at Rest )
TDE ( Transparent Data Encryption )
TDE is a new feature built into MSSQL Server 2008 Enterprise Edition. Data is encrypted before it is written to disk and decrypted when it is read from disk. The “transparent” aspect of TDE is that the encryption is performed by the database engine, and SQL Server clients are completely unaware of it. No code needs to be written to perform the encryption and decryption, so there is no need to change any code ( database queries ) in the application.
STEPS
i) Create a Master Key
A master key is a symmetric key that is used to create certificates and asymmetric keys. Execute the following script to create a master key:
[bash]
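-- Create the database master key in the master database.
-- 'Pass@word1' is a sample value; use your own strong password.
USE master;
CREATE MASTER KEY
ENCRYPTION BY PASSWORD = 'Pass@word1';
GO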
[/bash]
ii) Create Certificate
Certificates can be used to create symmetric keys for data encryption or to encrypt the data directly. Execute the following script to create a certificate:
[bash]
-- Certificate in master that will protect the database encryption key.
CREATE CERTIFICATE TDECert
WITH SUBJECT = 'TDE Certificate';
GO
[/bash]
iii) Create a Database Encryption Key and Protect it by the Certificate
[bash]
1. Go to Object Explorer in the left pane of MSSQL Server Management Studio.
2. Right-click the database that requires TDE.
3. Click Tasks and navigate to Manage Database Encryption.
4. Select the encryption algorithm (AES 128/192/256) and select the certificate you have created.
5. Then mark the check box for Set Database Encryption On.
[/bash]
You can query the is_encrypted column in sys.databases to determine whether TDE is enabled for a particular database.
[bash]
SELECT [name], is_encrypted FROM sys.databases
GO
[/bash]
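The Management Studio steps in iii) can also be scripted. The following is an added example, not part of the original post, and it goes one step beyond the text by backing up the certificate first and by reporting encryption progress; the database name `mydb` (borrowed from the connection string later on this page), the backup paths and the backup password are assumptions to replace with your own values.

```sql
-- Added example: T-SQL equivalent of the "Manage Database Encryption" dialog.
-- Assumed names: database mydb, certificate TDECert (created in step ii).
USE master;
GO

-- Back up the certificate and its private key BEFORE turning TDE on.
-- Without this backup the encrypted database and its backups cannot be
-- restored on another server. Paths and password are placeholders.
BACKUP CERTIFICATE TDECert
    TO FILE = 'D:\KeyBackup\TDECert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\KeyBackup\TDECert.pvk',
        ENCRYPTION BY PASSWORD = '<backup-password-placeholder>'
    );
GO

USE mydb;
GO

-- Database encryption key, protected by the certificate in master.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
GO

-- Same effect as ticking "Set Database Encryption On".
ALTER DATABASE mydb SET ENCRYPTION ON;
GO

-- Encryption runs as a background scan; is_encrypted alone does not show
-- progress. encryption_state: 2 = encryption in progress, 3 = encrypted.
-- tempdb appears here too, because it is encrypted as soon as any
-- database on the instance has TDE enabled.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
GO
```

Store the certificate backup files and their password away from the database server and away from the database backups they protect.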
4 ) Encrypting Data in transit between the Webserver and the MSSQL Database
MSSQL secure connection using SSL
i) Create a self-signed certificate using makecert
[bash]
makecert -r -pe -n "CN=YOUR_SERVER_FQDN" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:\test.cer
[/bash]
ii) Install this cert
[bash]
Copy c:\test.cer to your client machine, run c:\test.cer from a command window, select “Install Certificate” -> click “Next” -> select “Place all certificates in the following store” -> click “Browse” -> select “Trusted Root Certification Authorities” -> select OK and Finish
[/bash]
iii) Open SQL Server Configuration Manager
[bash]
Expand SQL Server Network Configuration, right-click “Protocols for MSSQLSERVER”, then click “Properties”. On the “Certificate” tab, select the certificate just installed. On the “Flags” tab, set “ForceEncryption” to YES.
[/bash]
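SSL is now ready to be used on the server. The only modification needed in the .NET code is the connection string: Encrypt=true requests an encrypted channel, and TrustServerCertificate=true makes the client accept the server certificate without validating it. It will be: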
[bash]
connectionString="Data Source=localhost;Initial Catalog=mydb;User ID=user1;Password=pas@123;Encrypt=true;TrustServerCertificate=true"
[/bash]
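To confirm that ForceEncryption and the new connection string are actually in effect, the server can report the encryption status of every live connection. This query is an added example, not part of the original post; it uses the standard dynamic management views and needs the VIEW SERVER STATE permission.

```sql
-- Added example: find sessions whose network transport is not encrypted.
-- Any row returned is a client to investigate (old connection string,
-- a tool bypassing the application, or ForceEncryption not yet applied
-- because the SQL Server service was not restarted).
SELECT c.session_id,
       s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.net_transport,
       c.auth_scheme,
       c.connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
  ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
ORDER BY s.login_name, c.client_net_address;
GO

-- Summary view: connection counts per transport and encryption status.
SELECT c.net_transport,
       c.encrypt_option,
       COUNT(*) AS connection_count
FROM sys.dm_exec_connections AS c
GROUP BY c.net_transport, c.encrypt_option
ORDER BY c.net_transport, c.encrypt_option;
GO
```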