What NHS security standards can be applied to data in transit?

0

We are required to send an email containing PII and we wish to adhere to NHS data-in-transit standards of encryption. What would be the setup to enable this, and are there 3rd-party integrations that can be used?

2 Answers
0

Hi there,

From your query, I understand that you are looking to send an email containing PII and you wish to adhere to the NHS data standards while the data is in transit, still maintaining encryption standards. You are also looking to confirm the setup necessary, and whether both AWS architecture and any 3rd-party integrations could be used.

Please do correct me if I misunderstood your query.

This is very feasible with the AWS architecture and a 3rd party such as Microsoft Outlook: with Amazon WorkMail you can manage business email securely. Amazon WorkMail can also be integrated with Microsoft Outlook and also supports native iOS and Android email applications. You can use S/MIME (Secure/Multipurpose Internet Mail Extensions) to enable users to send signed or encrypted email both inside and outside of your organization, controlling both the keys that encrypt your data and the location in which your data is stored.[1]

That being said, you can also improve your posture while adhering to NHS standards with the use of an IPsec VPN and a Direct Connect link to a VPC. IPsec is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a data stream between the sender and receiver; with Amazon VPC you can configure an IPsec VPN connection to your own VPC, establishing an Internet Key Exchange (IKE) security association between your Amazon VPC VPN gateway and another network gateway using a pre-shared key as the authenticator.[3]

Lastly, you can also configure AWS Direct Connect (DX), which is a direct logical connection between the customer's environment and the end user's system. This creates an entirely private link, eliminating the risk of data in transit being intercepted by threat actors.[4]

I hope you found the above information helpful.

References:

[1] Amazon WorkMail - Enabling signed or encrypted email https://docs.aws.amazon.com/workmail/latest/adminguide/enable_encryption.html

[2] Configure Certificate Autoenrollment https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731522(v=ws.11)?redirectedfrom=MSDN

[3] AWS Site-to-Site VPN https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-prerequisites

[4] How do I establish an AWS VPN over an AWS Direct Connect connection https://aws.amazon.com/premiumsupport/knowledge-center/create-vpn-direct-connect/

answered 2 years ago
0

Hello,

NHS's security principles for data-in-transit protection recommend using TLS (version 1.2 or higher), IPsec, or a TLS VPN gateway.[1] In addition to the information provided above regarding IPsec VPN and AWS Direct Connect (DX), if you are using our Amazon Simple Email Service, it does come packaged with many recommended features that should be used to secure data:

  • Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.[2]
  • Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
  • Use MFA with each account
  • Set up API and user activity logging with AWS CloudTrail.
  • Use AWS encryption standards, along with all default security controls within AWS Services.
  • If you require FIPS 140-2 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint.

Specifically with encryption of data in transit, Amazon SES by default uses opportunistic TLS. This means that Amazon SES will always attempt to make a secure connection to the email server that is receiving the email. The email will be sent unencrypted if the connection is unable to be established, but you are able to change the setting so that the email is only sent if a secure connection is established.[3]

References:

[1] NHS Cloud security - good practice guide - Appendix A detailed advice and guidance https://digital.nhs.uk/services/cloud-centre-of-excellence/cloud-security-good-practice-guide/8.-appendix-a---detailed-advice-and-guidance

[2] Amazon SES - Data Protection in Amazon Simple Email Service https://docs.aws.amazon.com/ses/latest/dg/data-protection.html

[3] Amazon SES - Amazon SES to receiver https://docs.aws.amazon.com/ses/latest/dg/security-protocols.html

Bobby_S
answered 9 months ago
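The answer above describes the two TLS postures SES exposes (opportunistic, and "only send if a secure connection is established"). The following is an added example, not part of either answer and not AWS code: it models that same OPTIONAL vs REQUIRE decision in an SMTP client so the cleartext fallback of opportunistic TLS can be seen offline. `FakeSmtp` is a constructed stand-in for an EHLO'd `smtplib.SMTP`, and the addresses and message body are constructed sample data; the policy names mirror the SES TlsPolicy values but the `deliver()` function and its return values are this example's own.

```python
"""Model of the 'opportunistic' vs 'required' TLS decision for outbound SMTP.

Added example (not from the answers above, not AWS code). Amazon SES exposes
this choice as the TlsPolicy of a configuration set (OPTIONAL or REQUIRE);
the client-side version below makes the same decision against a receiver
that does or does not advertise STARTTLS, so the cleartext fallback of
OPTIONAL is visible without a network.
"""
import smtplib
import ssl
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample message; no real addresses or patient data.
FROM_ADDR = "clinic@example.org"
TO_ADDR = "records@example.net"
SAMPLE_MSG = (
    f"From: {FROM_ADDR}\r\nTo: {TO_ADDR}\r\n"
    "Subject: referral\r\n\r\n(PII would go here)\r\n"
)


class TlsPolicy:
    OPTIONAL = "OPTIONAL"  # opportunistic: fall back to cleartext if TLS is unavailable
    REQUIRE = "REQUIRE"    # refuse delivery unless a TLS session is established


class DeliveryRefused(Exception):
    """Raised when the policy forbids sending over cleartext."""


def build_tls_context() -> ssl.SSLContext:
    """Client context for STARTTLS: peer certificate verified, TLS 1.2 as the
    floor (the minimum the NHS guidance cited above accepts)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_meets_floor(ctx: ssl.SSLContext) -> bool:
    """True if the context both verifies the peer and refuses TLS below 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


class FakeSmtp:
    """Constructed stand-in for an EHLO'd smtplib.SMTP so the example runs offline.
    It mimics the three methods deliver() relies on: has_extn, starttls, sendmail."""

    def __init__(self, extensions: Iterable[str]):
        self.esmtp_features = {e.lower(): "" for e in extensions}
        self.tls_started = False
        self.sent = []  # (from, to, msg, sent_over_tls)

    def has_extn(self, name: str) -> bool:
        return name.lower() in self.esmtp_features

    def starttls(self, context=None):
        if not self.has_extn("starttls"):
            raise smtplib.SMTPNotSupportedError(
                "STARTTLS extension not supported by server.")
        self.tls_started = True
        return 220, b"Ready to start TLS"

    def sendmail(self, from_addr, to_addrs, msg):
        self.sent.append((from_addr, to_addrs, msg, self.tls_started))
        return {}


def deliver(conn, policy: str, from_addr: str, to_addr: str, msg: str,
            context: Optional[ssl.SSLContext] = None) -> str:
    """Send one message through an already-EHLO'd connection under `policy`.

    Returns "tls" or "cleartext" to say how the message left the host.
    Raises DeliveryRefused under REQUIRE when the receiver offers no STARTTLS,
    which is exactly the case OPTIONAL would silently send in the clear.
    """
    if conn.has_extn("starttls"):
        # Verified TLS 1.2+; a real smtplib.SMTP re-EHLOs internally before sendmail().
        conn.starttls(context=context or build_tls_context())
        conn.sendmail(from_addr, [to_addr], msg)
        return "tls"
    if policy == TlsPolicy.REQUIRE:
        raise DeliveryRefused(
            f"{to_addr}: receiver advertises no STARTTLS and policy is REQUIRE")
    conn.sendmail(from_addr, [to_addr], msg)  # OPTIONAL: PII goes out unencrypted
    return "cleartext"


def run_matrix() -> Dict[Tuple[str, bool], str]:
    """Both policies against a receiver with and without STARTTLS.
    Key: (policy, receiver_offers_starttls); value: "tls", "cleartext" or "refused"."""
    results = {}
    for policy in (TlsPolicy.OPTIONAL, TlsPolicy.REQUIRE):
        for exts in (("STARTTLS", "8BITMIME"), ("8BITMIME",)):
            offers_tls = "STARTTLS" in exts
            try:
                results[(policy, offers_tls)] = deliver(
                    FakeSmtp(exts), policy, FROM_ADDR, TO_ADDR, SAMPLE_MSG)
            except DeliveryRefused:
                results[(policy, offers_tls)] = "refused"
    return results


if __name__ == "__main__":
    for (policy, offers_tls), outcome in run_matrix().items():
        print(f"policy={policy:8s} receiver_starttls={offers_tls!s:5s} -> {outcome}")
    # Against a real receiver: s = smtplib.SMTP(host, 587); s.ehlo(); deliver(s, ...)
```

The only row that differs between the two policies is the receiver without STARTTLS: OPTIONAL reports "cleartext", REQUIRE reports "refused". For PII that refusal is the desired outcome; a refused message can be queued or escalated, whereas a message already sent in the clear cannot be recalled.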
