Implementing Bullet-Proof HIPAA Solutions on AWS (SEC306) | AWS re:Invent 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Implementing Bulletproof HIPAA Solutions on AWS
Gerry Miller, CTO - Cloudticity
Keith Brophy, CEO – Ideomed
Mark Welscott, Director – Spectrum Health
November 15, 2013
Convergence of technology, storage, connectivity, medical advances
Mark Welscott, Director – Spectrum Health
Keith Brophy, CEO - Ideomed
Gerry Miller, CTO - Cloudticity
The Three Big Problems We Solved
Architecture Overview
[Architecture diagram: corporate internal firewall; Windows Firewall; corporate server authentication and ACLs across all internal datacenters]
VPC Security Layers
[VPC diagram: Internet; corporate VPN; firewall; Amazon routing rules]
Solution Specifics
CloudHSM Configuration
Encryption of Data at Rest
Securing Database via TDE
Amazon CloudHSM
SQL ...
-- Enable EKM (Extensible Key Management) so SQL Server can use an external
-- cryptographic provider; it is an advanced option, so expose those first.
sp_configure 'show advanced options', 1 ;
GO
RECONFIGURE ;
GO
sp_configure 'EKM provider enabled', 1 ;
GO
RECONFIGURE ;
GO
-- Register the SafeNet Luna SA EKM library as a cryptographic provider.
-- CloudHSM (2013) is a Luna SA appliance; keys created through this
-- provider are generated in, and never leave, the HSM.
CREATE CRYPTOGRAPHIC PROVIDER EKM_Prov
FROM FILE = 'C:\PROGRAM FILES\LunaSA\EKM\LunaEKM.DLL' ;
GO
...
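The slide stops after registering the EKM provider. The T-SQL below is an added example, not code from the deck or from Cloudticity, and carries the configuration through to an encrypted database: a credential for the HSM partition, an RSA master key generated inside the HSM, a login the engine can use at startup, the database encryption key, and a verification query. EKM_Prov is the provider name from the slide; LunaCred, TdeEngineCred, TdeMasterKey, TdeEngineLogin, PhiDatabase, the DOMAIN\sqladmin login, and the partition label and password are placeholders.

```sql
-- Added example: complete a CloudHSM-backed TDE setup after EKM_Prov exists.
-- All names other than EKM_Prov are placeholders (assumptions).

-- 1. A credential holding the HSM partition password, mapped to the
--    provider. IDENTITY is the partition label, SECRET its password.
CREATE CREDENTIAL LunaCred
    WITH IDENTITY = 'PartitionLabel', SECRET = 'PartitionPassword'
    FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ;
GO

-- 2. Map the credential to the login that will create keys; without it the
--    CREATE ASYMMETRIC KEY below cannot open the partition.
ALTER LOGIN [DOMAIN\sqladmin] ADD CREDENTIAL LunaCred ;
GO

-- 3. Generate the TDE master key inside the HSM. SQL Server stores only a
--    reference to the key; the private half never leaves the appliance.
USE master ;
GO
CREATE ASYMMETRIC KEY TdeMasterKey
    FROM PROVIDER EKM_Prov
    WITH ALGORITHM = RSA_2048,
         PROVIDER_KEY_NAME = 'TdeMasterKey',
         CREATION_DISPOSITION = CREATE_NEW ;
GO

-- 4. The engine needs HSM access at startup with no interactive user, so a
--    login derived from the key carries its own credential.
CREATE CREDENTIAL TdeEngineCred
    WITH IDENTITY = 'PartitionLabel', SECRET = 'PartitionPassword'
    FOR CRYPTOGRAPHIC PROVIDER EKM_Prov ;
GO
CREATE LOGIN TdeEngineLogin FROM ASYMMETRIC KEY TdeMasterKey ;
GO
ALTER LOGIN TdeEngineLogin ADD CREDENTIAL TdeEngineCred ;
GO

-- 5. Create the database encryption key (DEK), wrapped by the HSM-resident
--    key, and turn encryption on. Data and log files are encrypted in place.
USE PhiDatabase ;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeMasterKey ;
GO
ALTER DATABASE PhiDatabase SET ENCRYPTION ON ;
GO

-- 6. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys ;
GO
```

Two things to check before calling this "data at rest" done: TDE encrypts files and backups, so anyone with a privileged database login still reads plaintext, and the HSM must be reachable on every instance start or the database stays in a recovery-pending state. The partition password appears in plaintext in this script, so run it from a workstation with HSM access and do not commit it; the credential objects are the only place it should persist.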
Securing Sensitive Info from Devs
Custom Protected Config Provider ...
public override XmlNode Encrypt(XmlNode node)
{
    // The HSM-backed EncryptString helper accepts a bounded input per call,
    // so the section's XML is cut into MaxBlockSize chunks and each chunk is
    // wrapped in its own <BlockN> element (MaxBlockSize and EncryptString
    // are members of this provider class, not shown on the slide).
    var encryptedData = "";
    var stringToEncrypt = node.OuterXml;
    for (var i = 1; stringToEncrypt.Length > 0; i++)
    {
        var encryptTheseBytes = stringToEncrypt.Substring(0,
            Math.Min(MaxBlockSize, stringToEncrypt.Length));
        var encryptedBytes = EncryptString(encryptTheseBytes);
        encryptedData += "<Block" + i + ">"
            + encryptedBytes + "</Block" + i + ">";
        stringToEncrypt = (stringToEncrypt.Length > MaxBlockSize) ?
            stringToEncrypt.Substring(MaxBlockSize) : "";
    }
    // A ProtectedConfigurationProvider returns the element that replaces the
    // plaintext section; the matching Decrypt reverses the block sequence.
    var doc = new XmlDocument();
    doc.LoadXml("<EncryptedData>" + encryptedData + "</EncryptedData>");
    return doc.DocumentElement;
}
Unencrypted Configuration
<secureAppSettings xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform" xdt:Transform="Replace">
  <add key="ClientSecret" value="xgR2%%f" />
  <add key="MessageAttachmentsKey" value="D7sdlj0GGjhadjkj77sd8jlaj9aihaf0993j=" />
  <add key="MessageAttachmentsIV" value="hhGJfl87JJhhsl+8sj==" />
</secureAppSettings>
Encrypted Configuration
<secureAppSettings xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform"
    configProtectionProvider="LunaSAProtectedConfigurationProvider"
    xdt:Transform="Replace">
  <EncryptedData>
    <Block1>Gsk2WVr8b9R6gN49c11RTzlHtOSL2QsGX3vGXVIqGYCuBKQh=</Block1>
    <Block2>Hhhj9Ljjd90jJjhf99shjoljjlJUIUYRJjj87fHHgdkri77a=</Block2>
    <Block3>HHDG99jsjJJDLKL99LKJhoijsdfiOIH847jJHYETQKmfkgiU=</Block3>
    <Block4>88HHJjfhk9773HhfyUirKIOPjustUhf886djNNjfoe9Hjdfk=</Block4>
  </EncryptedData>
</secureAppSettings>
Process Automation & Governance
Automated Build & Deployments
AWS CloudFormation Manages Environments
Things We Learned