[With apologies for a long, rambling question. I'm hoping to spark some discussion/suggestions from folks much more knowledgeable than I am. If this really isn't appropriate for SO, please give me a hint where to ask this sort of question.]
I have an ASP.NET MVC 4 app. I'm using an Azure web role to host it (for now, at least). My app, which is a specialized medical interview, collects sensitive information from users and produces a report that is viewable by, and deliverable to (via an encrypted PDF file attached to an unencrypted email), doctors and patients. The sensitive data is retained for 24 hours to allow doctors to come back and retrieve reports, after which time the records are deleted (which, I know, does not actually remove the data from persistent storage).
So I'm starting to think about what I need to worry about with regard to security boundaries to keep the confidential data confidential. I'm new to this whole web programming thing, although I'm a very experienced desktop app developer.
The first, obvious security boundary I need to worry about is the communication layer between the server and the users. I have a valid, properly configured SSL certificate and all of the sections of the website that deal with logged-in users (which includes the interview and reporting workflow) operate over an HTTPS endpoint.
I am assuming/hoping that Azure has its SSL implementation correct and that there is nothing that I can or should do to harden the host itself.
For user convenience, I do allow visitors to browse to http://mywebsite.com, and I redirect to a page marked with [RequireHttps] if and when they are logged in. I understand that this HTTP-to-HTTPS redirection is vulnerable to an SSLStrip man-in-the-middle attack, in which the server sees a secure HTTPS connection but the vigilant user would notice that the URL is HTTP and not HTTPS. I plan to keep this convenience feature, but I will mitigate it by employing an extended validation certificate, which gives most users a happy, green address bar. I'll put something on the main logged-in-user page that reminds the user to verify the green address bar.
I'll figure out how to configure ASP.NET so that all of my cookies are encrypted.
I've enabled Remote Desktop (in the Azure deployment wizard), so that opens up a portal that can be attacked if someone can figure out my username and password. C'est la vie.
The next security boundary I need to worry about -- and this is where I need help -- is protecting sensitive data in the event that an unauthorized person gains access to the database. My knowledge of database administration is pretty much limited to copying and pasting connection strings and writing simple SQL queries.
I'm using Entity Framework and Azure SQL Databases for all of my database stuff. I encrypt the sensitive data in the data entities using a key baked into my code. Presumably, the database itself is encrypted and someone who just got hold of the database files (the Azure SQL Databases interface is accessible via a web connection, but only from trusted IP addresses) would need to figure out my SQL username and password to pull the data out.
Someone could presumably trick my app into revealing sensitive information. My workflow only allows a logged-in user to read and write his own records. In order for an attacker to access the encrypted sensitive data, they would either need to get my encryption key or figure out a way to call into my code. I have not obfuscated the .NET code; I assume that my executables are secure. I also assume that my clear-text web.config, which contains my database credentials, is secure. Are these good assumptions?
So, that's as far as my beginner brain has taken me down the security path. Any comments or suggestions? Have I made any incorrect assumptions or overlooked anything obvious?
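Three of the points raised in the question (the HTTP-to-HTTPS redirect, cookie protection, and the encryption key baked into the assembly) can be illustrated in code. The following is an added example written for this page, not code from the question or from any answer to it. It assumes an ASP.NET MVC 4 project on .NET Framework 4; the class names `FieldProtector` and the appSettings key `FieldEncryptionKey` are hypothetical names chosen for the example. It shows a global `RequireHttpsAttribute` filter (so HTTPS is enforced on every action rather than only after login), an HSTS header (which tells a browser that has already seen the site over HTTPS not to follow a plain-HTTP redirect, closing the window an SSL-stripping proxy relies on, except for the very first visit), and an AES-CBC plus HMAC-SHA256 field protector whose key is read from configuration instead of being compiled into the code.

```csharp
// Added example, not from the question. Assumes ASP.NET MVC 4 / .NET Framework 4.
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Enforce HTTPS on every action, not just pages marked after login.
        filters.Add(new RequireHttpsAttribute());
    }
}

public class MvcApplication : HttpApplication
{
    protected void Application_BeginRequest()
    {
        // HSTS is only honoured when sent over HTTPS; one year, all subdomains.
        if (Request.IsSecureConnection)
            Response.AppendHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
    }
}

// Protects a single sensitive column value. Key source: appSettings entry
// "FieldEncryptionKey" (hypothetical name) holding Base64 of 32 random bytes.
public static class FieldProtector
{
    private static byte[] MasterKey()
    {
        string b64 = ConfigurationManager.AppSettings["FieldEncryptionKey"];
        if (string.IsNullOrEmpty(b64)) throw new ConfigurationErrorsException("FieldEncryptionKey missing");
        byte[] key = Convert.FromBase64String(b64);
        if (key.Length != 32) throw new ConfigurationErrorsException("FieldEncryptionKey must be 32 bytes");
        return key;
    }

    // Separate encryption and MAC keys derived from the one master key.
    private static void DeriveKeys(out byte[] encKey, out byte[] macKey)
    {
        using (var hmac = new HMACSHA256(MasterKey()))
        {
            encKey = hmac.ComputeHash(Encoding.ASCII.GetBytes("enc"));
            macKey = hmac.ComputeHash(Encoding.ASCII.GetBytes("mac"));
        }
    }

    // Output layout: IV (16) || ciphertext || HMAC-SHA256(IV || ciphertext) (32), Base64.
    public static string Protect(string plaintext)
    {
        byte[] encKey, macKey;
        DeriveKeys(out encKey, out macKey);
        using (var aes = new AesManaged { Key = encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        {
            aes.GenerateIV();                       // fresh random IV per value
            byte[] plain = Encoding.UTF8.GetBytes(plaintext);
            byte[] cipher;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] ivAndCipher = Concat(aes.IV, cipher);
            using (var hmac = new HMACSHA256(macKey))
                return Convert.ToBase64String(Concat(ivAndCipher, hmac.ComputeHash(ivAndCipher)));
        }
    }

    public static string Unprotect(string protectedValue)
    {
        byte[] encKey, macKey;
        DeriveKeys(out encKey, out macKey);
        byte[] blob = Convert.FromBase64String(protectedValue);
        if (blob.Length < 16 + 32) throw new CryptographicException("Stored value too short");
        byte[] ivAndCipher = new byte[blob.Length - 32];
        byte[] tag = new byte[32];
        Buffer.BlockCopy(blob, 0, ivAndCipher, 0, ivAndCipher.Length);
        Buffer.BlockCopy(blob, ivAndCipher.Length, tag, 0, 32);
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(ivAndCipher);
        // Verify the MAC before decrypting so a modified row is rejected outright.
        if (!ConstantTimeEquals(expected, tag)) throw new CryptographicException("Stored value was modified");
        byte[] iv = new byte[16];
        byte[] cipher = new byte[ivAndCipher.Length - 16];
        Buffer.BlockCopy(ivAndCipher, 0, iv, 0, 16);
        Buffer.BlockCopy(ivAndCipher, 16, cipher, 0, cipher.Length);
        using (var aes = new AesManaged { Key = encKey, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        using (ICryptoTransform dec = aes.CreateDecryptor())
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(cipher, 0, cipher.Length));
    }

    private static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The appSettings section that holds the key can be encrypted in place with the framework's protected-configuration tool (`aspnet_regiis -pef appSettings <site path>`); `ConfigurationManager` decrypts it transparently at runtime, so the key is no longer readable from a copied web.config or from the assembly. On a multi-instance Azure web role the RSA key container the tool uses has to be present on every instance, which is the main caveat to check before relying on it. For the cookie point in the question, the matching web.config settings are `<httpCookies requireSSL="true" httpOnlyCookies="true" />` together with `requireSSL="true"` on the forms-authentication element, which keeps the session cookie off any plain-HTTP request the redirect page might still receive.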