FHIR: Spark.Net: Making MongoDB storage HIPAA compliant - mongodb

I'm looking for ways to make the Mongo storage used by Spark.Net HIPAA compliant. Does using MongoDB SSL Transport to encrypt data on wire and using Gazzang for data at rest good enough? Are there other options for data at rest while still allowing for indexing certain properties in JSON?

Given HIPAA compliance has a number of privacy and security requirements, I would assume you are also getting some professional advice on how to comply. There are physical and technical requirements that extend beyond the database software, but encryption of data in motion and at rest will tick some of the boxes.
I will add the disclaimer that "I am not a lawyer or a HIPAA expert", so you'll have to research/confirm the specific compliance details for your use case.
Encryption of data in motion
The default binary distributions of MongoDB currently do not include SSL support. You can either build from source with SSL support, or get a commercial license for MongoDB Enterprise.
You should ensure the SSL mode is set to requireSSL and enable certificate validation with x.509 certificates.
I believe you need to use a Federal Information Processing Standard (FIPS) compliant encryption algorithm. FIPS mode is currently only supported in MongoDB Enterprise.
Encryption of data at rest
MongoDB (as at 2.6) does not have built-in support for encryption of data at rest, however there are a number of third party partner solutions which currently include:
BitLocker Drive Encryption
Vormetric Data Security Platform
IBM Guardium Data Encryption
The above solutions can be used to transparently encrypt the data directories used by MongoDB, so you still have full access to query and indexing functionality.
It's likely that some of the data you store may have more stringent requirements (eg. around privacy or redaction of specific fields) so there may be some additional application logic to implement.
Related information
The MongoDB Security Architecture white paper goes into more detail on security & auditing options.
The Security section of the MongoDB manual includes some specifics on best practices and configuration.

Related

data-at-rest encryption for NoSQL

Prototyping a project with Mongo & Spring Boot and thinking it does a lot of what I want. However, I really need to have encrypted data-at-rest, which would seem to indicate I have to purchase the enterprise version. Since I don't have a budget yet, I am wondering if there is another alternative that people have found useful? I think DynamoDB can be used in a local & test environment. Or is it viable to encrypt the data at the application level and still have great performance for my CRUD operations?
I've done application level encryption with DynamoDB before with some success. My issues were not really with DynamoDB but with the encryption in the application.
First, encryption/decryption is very expensive. I had to increase the number of servers I was using by over double just to handle the extra CPU load. Your mileage may vary. In my case, I was using Node.js and the servers suddenly switched from being I/O bound to being CPU bound.
Second, doing encryption/decryption application side adds a lot of complexity to your app. You will almost certainly need to parallelize the encryption/decryption to minimize the added latency that it will cause. Also, you will need to figure out a secure way of sharing the keys.
Last, application level encryption will make some DynamoDB operations unavailable to you. For example, conditions probably won't make sense anymore for encrypted values.
Long story short, I wouldn't recommend application level encryption regardless of the database.
DynamoDB now supports what they call Server-Side Encryption at Rest. Personally I think that name is a little confusing but from their perspective, your application is the client and DynamoDB is the server.
Amazon DynamoDB encryption at rest helps you secure your application data in Amazon DynamoDB tables further using AWS-managed encryption keys stored in AWS Key Management Service (KMS). Encryption at rest is fully transparent to the user with all DynamoDB queries working seamlessly on encrypted data. With this new capability, it has never been easier to use DynamoDB for security-sensitive applications with strict encryption compliance and regulatory requirements.
Blog post about DynamoDB encryption at rest
You simply enable encryption when you create a new table and DynamoDB takes care of the rest. Your data (tables, local secondary indexes, and global secondary indexes) will be encrypted using AES-256 and a service-default AWS Key Management Service (KMS) key. The encryption adds no storage overhead and is completely transparent; you can insert, query, scan, and delete items as before. The team did not observe any changes in latency after enabling encryption and running several different workloads on an encrypted DynamoDB table.

How do I make my application using Mongodb and nodejs HIPAA compliant?

I am writing an application to be used potentially by doctors to keep notes about patients (my app is not targeted at doctors, but other professions don't need such strict rules).
My app is written in nodejs and only the backend can access the database with an authenticated user account and following all common security practices such as firewall rules etc.
I read about HIPAA compliance but most of them don't apply because no user specifically has access to the database unless it's coming from the API of the backend for which of course you need to authenticate against my app with SSL.
How can I be confident that doctors can use my app? Is there any authentication test/certificate etc?
The MongoDB website has a great example of a HIPAA compliance standard; I think the following will help you:
https://www.mongodb.com/blog/post/making-hipaa-compliant-applications-mongodb
AWS based applications can be made HIPAA compliant by referring to the following detailed documentation from AWS: https://aws.amazon.com/compliance/hipaa-compliance/
There is a nicely written whitepaper by AWS available at the above-mentioned link.

About Database Encryption in OrientDB

I'm evaluating OrientDB for a SaaS-CRM project and really expect to use it.
Since data security is a key factor, I'd like the OrientDB development team to answer my questions.
In version 2.2, is it possible to encrypt clusters/databases via the orientjs API (and/or the SQL API, DB functions), totally independent of the Java API? If so, how can I do it?
Is encrypting fields/attributes of records on your schedule? If so, when will it be released?
If I do not express myself clearly, please forgive me :-)
Many thanks.
Hanks
Do you mean encrypt records? OrientDB provides encryption at storage level, but once records are sent to the node.js driver, they are decrypted. If you want such encryption it's not supported out of the box, sorry. You can still use SSL to encrypt data of your connection in case, and this is provided out of the box.
It's a feature request, but it's not on our roadmap for the next year unless we find a sponsor for it.

MongoDb protect database file from anonymous access

I created a mongodb database following this description:
http://docs.mongodb.org/manual/tutorial/enable-authentication-without-bypass/
created database
created admin-user
run mongodb with the --auth parameter
That works fine.
But how can I really protect the database files from anonymous access?
If someone took my database file and ran mongodb without the --auth parameter, they would have access to the whole database.
Is there a way to protect the database file itself so one can't just run mongodb without --auth?
Best regards
Tobias
Encrypting data files is only part of an overall security strategy - if someone has access to copy any files from your computer or a backup, they may also be able to snag your encryption keys from the same source. The MongoDB manual has a Security section which covers general best practices including access control, network exposure, auditing, and a high level checklist.
If you want to encrypt your MongoDB data files you will need to look into a solution for "encryption at rest".
As at MongoDB 2.6, there is no built-in support for data encryption but there are a number of open source as well as commercial solutions available.
The broad categories of encryption at rest are application level or storage encryption (which can be used independently or together, depending on your requirements). Encryption will add some performance overhead for disk I/O, so you should consider this in your testing & evaluation of a suitable solution for your requirements.
A few examples of encryption at rest solutions are:
LUKS (Linux Unified Key Setup)
Windows Bitlocker Drive Encryption
For more information on supported options, have a read of the Encryption at Rest section of the MongoDB security documentation.

Free CORS proxy

I have a Chrome extension that, for now, uses storage.sync as a data store.
I am trying to upgrade to a more robust data store (cloudant, iriscouch) so I can expand what the extension can do.
The problem I am facing is that none of the free cloud store options I have seen (cloudant, iriscouch, mongolab) support CORS (or, in the case of mongolab, the free tier is not enough).
So I have a few questions:
Is there a free NoSQL cloud store option that fully supports CORS?
If not, is there a free proxy that I can use? I have tried http://www.corsproxy.com/ but it only seems to support GET so it's not enough for me.
How would you solve this problem for free and without hosting anything on my own hardware?
Thank you!
Cloudant will have CORS support from January 2014. Iris Couch also supports CORS, just not via a UI - you have to modify the configuration via the CouchDB API.
Couchappy supports CORS and PouchDB, and introduces a selective domain security feature, which allows fine-grained security (HTTPS only or both HTTPS+HTTP) on a per-domain basis.