HIPAA Cloud: AWS Security At Rest

Yuri Subach
Aug 8, 2017 · 3 min read

AWS requires customers to encrypt PHI stored using HIPAA eligible services. Encryption guarantees that data will be unusable to unauthorized individuals in case of a storage breach (like physical access to a disk with PHI), assuming the decryption key was not breached as well.

Data encryption in storage (“at rest”) can be implemented using the following approaches (or, in some cases, a combination of them):

  • SSE (server-side encryption): a mechanism provided by AWS services that uses the AES-256 GCM algorithm. The easiest way to use storage encryption on the AWS platform.
  • Application-level encryption: implemented using the application framework or by integrating third-party solutions. Gives more flexibility in terms of authorization model and encryption algorithms.

AWS Key Management Service (AWS KMS) is a managed service that makes it easy to manage and control the encryption keys used to encrypt your PHI. It is integrated with the other AWS services that provide SSE capabilities, and you can also use it as a centralized key store for all your applications.

AWS KMS does not need to be a HIPAA eligible service if it is used to manage keys for applications running on top of other HIPAA eligible services: PHI never reaches AWS KMS itself, because it stores only encryption keys. At the same time AWS KMS has strong security and quality controls and built-in high availability, durability and scalability. Therefore AWS KMS is highly recommended for deployments with HIPAA security compliance requirements.

SSE (server-side encryption) using AWS KMS is outlined in the following diagram:

Yellow color means that data stored there will be encrypted. AWS KMS is used to generate encryption keys and distribute them to the services. Currently SSE (server-side encryption) is available for:

  • Amazon Elastic Block Store (Amazon EBS)
  • Amazon Simple Storage Service (Amazon S3)
  • Amazon Glacier
  • Amazon Simple Queue Service (SQS)
  • Amazon Relational Database Service (Amazon RDS) [MySQL, Oracle, PostgreSQL]
  • Amazon Aurora
  • Amazon DynamoDB
  • Amazon Redshift
  • Amazon Elastic MapReduce (Amazon EMR)
  • AWS Snowball
  • AWS Directory Services
  • Amazon WorkDocs
  • Amazon WorkSpaces
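With SSE the service does the encryption, so the control a practitioner actually has to put in place is making sure that nothing reaches the storage unencrypted. For S3 the usual way is a bucket policy that denies any PutObject not requested with SSE-KMS. The Go program below is an added example, not code from the original post or from Dekses: it renders that policy (the bucket name is a constructed placeholder) and evaluates the same two Deny conditions locally against sample request headers, which is a cheap pre-deployment check for client code. The condition key s3:x-amz-server-side-encryption and the value aws:kms are the real ones S3 uses; the Statement and Policy types model only the fields this policy needs.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SSEHeader is the request header S3 inspects on PutObject; the bucket
// policy condition key "s3:x-amz-server-side-encryption" carries its value.
const SSEHeader = "x-amz-server-side-encryption"

// Statement and Policy model just enough of an S3 bucket policy to
// render the two Deny statements built below.
type Statement struct {
	Sid       string                       `json:"Sid"`
	Effect    string                       `json:"Effect"`
	Principal string                       `json:"Principal"`
	Action    string                       `json:"Action"`
	Resource  string                       `json:"Resource"`
	Condition map[string]map[string]string `json:"Condition"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// EnforceSSEKMSPolicy returns a bucket policy that denies every PutObject
// not explicitly requested with SSE-KMS: one statement catches a missing
// header (Null condition), the other a header with the wrong value.
func EnforceSSEKMSPolicy(bucket string) Policy {
	objects := "arn:aws:s3:::" + bucket + "/*"
	key := "s3:" + SSEHeader
	return Policy{
		Version: "2012-10-17",
		Statement: []Statement{
			{
				Sid: "DenyUnencryptedPut", Effect: "Deny", Principal: "*",
				Action: "s3:PutObject", Resource: objects,
				Condition: map[string]map[string]string{"Null": {key: "true"}},
			},
			{
				Sid: "DenyNonKMSPut", Effect: "Deny", Principal: "*",
				Action: "s3:PutObject", Resource: objects,
				Condition: map[string]map[string]string{"StringNotEquals": {key: "aws:kms"}},
			},
		},
	}
}

// PolicyJSON renders the policy as the document you would attach to the bucket.
func PolicyJSON(bucket string) (string, error) {
	b, err := json.MarshalIndent(EnforceSSEKMSPolicy(bucket), "", "  ")
	return string(b), err
}

// PutAllowed evaluates the two Deny conditions locally against the headers
// of a PutObject request. Deny wins, so a request passes only when the
// header is present and equals "aws:kms".
func PutAllowed(headers map[string]string) bool {
	v, present := headers[SSEHeader]
	if !present {
		return false // Null condition matches: DenyUnencryptedPut
	}
	return v == "aws:kms" // otherwise StringNotEquals matches: DenyNonKMSPut
}

func main() {
	doc, err := PolicyJSON("example-phi-bucket") // constructed placeholder bucket name
	if err != nil {
		panic(err)
	}
	fmt.Println(doc)
	fmt.Println("SSE-S3 upload allowed:", PutAllowed(map[string]string{SSEHeader: "AES256"}))
	fmt.Println("SSE-KMS upload allowed:", PutAllowed(map[string]string{SSEHeader: "aws:kms"}))
}
```

Two statements are used because the Null condition is the explicit way to catch a request with no encryption header at all, while StringNotEquals catches an upload that asked for SSE-S3 (AES256) instead of SSE-KMS; a bucket default encryption setting complements this policy but does not replace it, since the policy is what turns an unencrypted request into a hard error.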

Application-level encryption using AWS KMS is outlined in the following diagram:

Again, yellow color shows where data will be encrypted. In this scenario the application uses AWS KMS to obtain an encryption key and performs the encryption itself. The encrypted data is then sent to an EBS volume for storage. The standard encryption available for EBS (and other services) does not have to be used here, because the data is already unreadable when it leaves the application.

Application-level encryption requires more effort than the standard SSE implementation, but it is more flexible: for example, you may want to encrypt each user's data with a separate key. If this level of granularity is not required, the standard SSE provided by AWS will be enough.
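The per-user key scenario above is the envelope encryption pattern: the application asks KMS for a data key, encrypts the PHI with that key locally, stores the ciphertext together with the wrapped (KMS-encrypted) data key, and never stores the plaintext key. The Go program below is an added example, not code from the original post or from Dekses. FakeKMS is an assumed in-memory stand-in so the example runs offline; its GenerateDataKey and Decrypt methods correspond to the AWS KMS API calls of the same names, and binding the user id as the encryption context is a design choice of this example (real KMS supports an encryption context in the same role). The Record type and the sample PHI are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// FakeKMS is a local stand-in for AWS KMS: it wraps data keys under a
// 256-bit master key with AES-GCM and binds an encryption context (here the
// user id) as additional authenticated data, as KMS does with its context.
type FakeKMS struct{ master cipher.AEAD }

func NewFakeKMS(masterKey []byte) (*FakeKMS, error) {
	aead, err := newGCM(masterKey)
	return &FakeKMS{master: aead}, err
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD prefixes a fresh random nonce to the ciphertext; openAEAD reverses it.
func sealAEAD(aead cipher.AEAD, plaintext, aad []byte) ([]byte, error) {
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func openAEAD(aead cipher.AEAD, blob, aad []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// GenerateDataKey returns a fresh 256-bit data key in plaintext and wrapped.
func (k *FakeKMS) GenerateDataKey(ctx []byte) ([]byte, []byte, error) {
	dk, err := randomBytes(32)
	if err != nil {
		return nil, nil, err
	}
	wrapped, err := sealAEAD(k.master, dk, ctx)
	return dk, wrapped, err
}

// Decrypt unwraps a data key; it fails if ctx differs from the wrapping context.
func (k *FakeKMS) Decrypt(ctx, wrappedKey []byte) ([]byte, error) {
	return openAEAD(k.master, wrappedKey, ctx)
}

// Record is what the application stores: PHI ciphertext plus the wrapped key.
type Record struct {
	UserID     string
	WrappedKey []byte
	Ciphertext []byte
}

// EncryptForUser gets a data key bound to the user id, encrypts locally, keeps only the wrapped key.
func EncryptForUser(kms *FakeKMS, userID string, phi []byte) (*Record, error) {
	dk, wrapped, err := kms.GenerateDataKey([]byte(userID))
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dk)
	if err != nil {
		return nil, err
	}
	ct, err := sealAEAD(aead, phi, []byte(userID))
	return &Record{UserID: userID, WrappedKey: wrapped, Ciphertext: ct}, err
}

// DecryptRecord unwraps the key via KMS (where access is authorized and logged), then decrypts locally.
func DecryptRecord(kms *FakeKMS, r *Record) ([]byte, error) {
	dk, err := kms.Decrypt([]byte(r.UserID), r.WrappedKey)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dk)
	if err != nil {
		return nil, err
	}
	return openAEAD(aead, r.Ciphertext, []byte(r.UserID))
}
```

The authorization granularity the post mentions comes from the wrapping step: because the data key is wrapped under the KMS key with the user id as context, a record cannot be unwrapped under a different user's context even by code that holds the ciphertext, and every unwrap is a KMS call that can be restricted by key policy and audited. Swapping FakeKMS for the SDK's GenerateDataKey and Decrypt calls leaves the rest of the code unchanged.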


Originally published at dekses.com

Dekses

Publications about distributed systems and databases, security, cloud platforms, API and web development and performance.

Written by Yuri Subach, Director / Senior Consultant at Dekses
