Cloudberry / Amazon S3 Encryption Question | HIPAA

[ViperCS]

Cloudberry backup has the ability to encrypt data before sending it to S3 for storage. However, S3 has built-in encryption available for in transit and at rest data. Should I still use the cloudberry encryption before sending the data to S3 or is the built-in S3 encryption sufficient for HIPAA?

I am personally leaning towards encrypting with cloudberry before transit but I am curious to see other opinions!

https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html

 

[skdmaster]

You should encrypt with Cloudberry for HIPAA compliance - all data in transit should be encrypted.

 

[Markverhyden]

Technically all your service providers must be able to provide a a signed BAA.

If there are no providers of a particular service that can provide a BAA then one falls back to best effort to meet HIPAA needs . In the link posted I did not notice where is said encrypted in transit. But if AWS can provide a BAA then it'll handle everything. If it was me I'd probably do it all with cloudberry if they can provide a BAA. Unless AWS can provide a backup agent with everything else.

 

[phaZed]

Like others have stated, data in transit should be encrypted.

 

[YeOldeStonecat]

Not only for the reason of transport, but I'd keep encryption within the native application...for the purposes of support and ease of management.