I'm currently evaluating encrypting data in-transit for an Oracle SE2 12.1 Amazon RDS instance in accordance with HIPAA requirements.
Specifically, I'm considering the use of Oracle Native Network Encryption [1,2] (the alternative option being Oracle SSL [3,4]). I'm trying to piece together the documentation from Oracle, Amazon, HIPAA, NIST, etc. to determine the appropriate HIPAA-compliant approach.
From Amazon's HIPAA Whitepaper [5]:
Connections to Amazon RDS for Oracle containing PHI must use transport encryption and evaluate the configuration for consistency with the Guidance. This is accomplished using Oracle Native Network Encryption and enabled in Amazon RDS for Oracle option groups.
From the HIPAA Guidance [6]:
Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
Based on this doc, it seems that the Oracle network encryption must be FIPS 140-2 validated. However, I'm not certain whether the Oracle network encryption meets these criteria; I haven't quite been able to confirm this from the Oracle/FIPS/other docs.
In particular, I've found the following Oracle 12.1 documentation related to FIPS 140-2:
The FIPS 140-2 cryptographic libraries are designed to protect data at rest and in transit over the network.
Oracle Database uses these cryptographic libraries for Secure Sockets Layer (SSL), Transparent Data Encryption (TDE), and DBMS_CRYPTO PL/SQL package.
To configure Transparent Data Encryption and the DBMS_CRYPTO PL/SQL package program units to run in FIPS mode, set the DBFIPS_140 initialization parameter to TRUE.
You can configure the SSLFIPS_140 parameter for Secure Sockets Layer.
However, given the documentation, I'm not sure that these FIPS parameters apply to the Oracle native network encryption, nor whether they are necessary.
- Is Oracle native network encryption [1,2] HIPAA/FIPS compliant?
- If so, is any configuration required or is it compliant by default?
- Are there certain encryption algorithms that are/are not compliant?
[1] http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.NetworkEncryption.html
[2] http://docs.oracle.com/cd/E11882_01/network.112/e40393/asoconfg.htm#ASOAG9581
[3] http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.Oracle.Options.SSL.html
[4] http://docs.oracle.com/cd/E11882_01/network.112/e40393/asossl.htm#ASOAG9689
[5] https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf
[6] https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html
Best Answer
SSLFIPS_140 is used for SSL-based encryption. That is not related to native network encryption.
https://docs.oracle.com/database/121/DBSEG/asoappe.htm#DBSEG1061
This parameter is available since version 12.1.
https://docs.oracle.com/database/121/DBSEG/asoappe.htm#DBSEG9828
Could not find a list specifically for native encryption, but you can set the algorithms based on the above. After setting the above parameter, if you choose an algorithm that is not compliant, you cannot connect to the database and will receive the below error:
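A practical follow-up to the answer's point about algorithm selection is to check the native network encryption settings on both ends before relying on them. The script below is an added example, not code from the question, the answer, Oracle or AWS. It parses the sqlnet.ora parameters that native network encryption uses (SQLNET.ENCRYPTION_SERVER/CLIENT, SQLNET.ENCRYPTION_TYPES_SERVER/CLIENT and the CRYPTO_CHECKSUM equivalents, which are also the names the RDS option group exposes), predicts from Oracle's ACCEPTED/REJECTED/REQUESTED/REQUIRED matrix whether a given client and server pair will actually negotiate encryption, and flags any algorithm the two sides could agree on that is not on an allow-list. The allow-list (AES only, SHA-2/SHA-1 only, no RC4, DES, 3DES or MD5), the assumption that a missing TYPES parameter means "all algorithms", and the assumption that no common algorithm makes the connection fail are this script's own and are marked as such; the sample configurations are constructed.

```python
"""
Checker for Oracle Native Network Encryption (NNE) settings.

Added example, not from the original question/answer, Oracle or AWS.
Parses sqlnet.ora-style SQLNET.ENCRYPTION_* and SQLNET.CRYPTO_CHECKSUM_*
parameters for a client and a server, predicts the negotiation outcome,
and flags negotiable algorithms that are not on an allow-list.
"""
import re

# ASSUMPTION: allow-lists are this script's own policy, not an Oracle or
# NIST list; align them with the FIPS 140-2 validation of the build in use.
ALLOWED_ENCRYPTION = {"AES256", "AES192", "AES128"}
ALLOWED_CHECKSUM = {"SHA512", "SHA384", "SHA256", "SHA1"}

# Algorithm names accepted by Oracle 12.1 for the two TYPES parameters.
ALL_ENCRYPTION = {"AES256", "AES192", "AES128", "RC4_256", "RC4_128",
                  "RC4_56", "RC4_40", "3DES168", "3DES112", "DES", "DES40"}
ALL_CHECKSUM = {"SHA512", "SHA384", "SHA256", "SHA1", "MD5"}

# Oracle's default when the mode parameter is absent.
DEFAULT_MODE = "ACCEPTED"

# Constructed samples: server settings as they would appear in an RDS
# option group (same names as sqlnet.ora) and a client sqlnet.ora.
SAMPLE_SERVER = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, RC4_256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256, MD5)
"""
SAMPLE_CLIENT = """
# client sqlnet.ora (constructed)
SQLNET.ENCRYPTION_CLIENT = REQUESTED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256, RC4_256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = ACCEPTED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256, SHA1)
"""

_LINE = re.compile(r"^\s*([A-Z0-9_.]+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_sqlnet(text):
    """Parse KEY = VALUE / KEY = (A, B, C) lines into a dict; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1).upper(), m.group(2).strip()
        if val.startswith("(") and val.endswith(")"):
            params[key] = [v.strip().upper() for v in val[1:-1].split(",") if v.strip()]
        else:
            params[key] = val.upper()
    return params


def negotiate_mode(client_mode, server_mode):
    """Return 'ON', 'OFF' or 'FAIL' per Oracle's NNE negotiation matrix."""
    modes = {client_mode.upper(), server_mode.upper()}
    if "REJECTED" in modes:
        return "FAIL" if "REQUIRED" in modes else "OFF"
    if modes & {"REQUESTED", "REQUIRED"}:
        return "ON"
    return "OFF"  # both sides ACCEPTED: nothing asks for encryption


def evaluate(client_text, server_text,
             allowed_enc=ALLOWED_ENCRYPTION, allowed_chk=ALLOWED_CHECKSUM):
    """Return (report, findings) for an encryption and checksum negotiation."""
    c, s = parse_sqlnet(client_text), parse_sqlnet(server_text)
    report, findings = {}, []
    for service, allowed, all_algs in (("ENCRYPTION", allowed_enc, ALL_ENCRYPTION),
                                       ("CRYPTO_CHECKSUM", allowed_chk, ALL_CHECKSUM)):
        cmode = c.get(f"SQLNET.{service}_CLIENT", DEFAULT_MODE)
        smode = s.get(f"SQLNET.{service}_SERVER", DEFAULT_MODE)
        state = negotiate_mode(cmode, smode)
        # ASSUMPTION: an absent TYPES parameter means every algorithm is offered.
        ctypes = set(c.get(f"SQLNET.{service}_TYPES_CLIENT", all_algs))
        stypes = set(s.get(f"SQLNET.{service}_TYPES_SERVER", all_algs))
        common = ctypes & stypes
        if state == "ON" and not common:
            state = "FAIL"  # ASSUMPTION: no algorithm in common refuses the connection
        weak = sorted(common - allowed)
        report[service] = {"state": state, "common": sorted(common), "weak": weak}
        if state != "ON":
            findings.append(f"{service}: negotiation result {state} (client={cmode}, server={smode})")
        if weak:
            findings.append(f"{service}: negotiable but not on allow-list: {', '.join(weak)}")
        if smode != "REQUIRED":
            findings.append(f"{service}: server is {smode}, not REQUIRED; a client may connect without it")
    return report, findings


if __name__ == "__main__":
    rep, fnd = evaluate(SAMPLE_CLIENT, SAMPLE_SERVER)
    for svc, r in rep.items():
        print(svc, r)
    for f in fnd:
        print("FINDING:", f)
```

With the constructed samples the script reports that both services negotiate ON but that RC4_256 is still negotiable for encryption, because both sides list it; removing it from the server-side TYPES list (the RDS option setting) is what closes that gap, since a client you do not control can offer anything. Once connected, the negotiated algorithms can be confirmed from the session itself with `SELECT network_service_banner FROM v$session_connect_info WHERE sid = SYS_CONTEXT('USERENV', 'SID')`, which lists the encryption and checksum services in effect.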