I have no idea. Nobody ever asked for that and I am not from the US. Is there a short checklist, that I could read? I think that a lot of these rules are more on your side. For example: If you share user credentials or do not use https, there is nothing I can do for that.
At the Application end, fundamental requirement is to encryption of data while transportation and at the rest at the database level with required Physical accesses.
So most important here that Data is not encrypted when I access it through Squidex backend? Is there a way through which we can have the read encrypted data at rest(MongoDB level) or hide the Inspect tab of the record where data can be shown in text format?
I am looking for some basic checklists. I had a look to this one:
1. Transport Encryption
That is up to you to enable https and secure transport and out of the scope of Squidex. But to work properly in all cases you need https anyway. So this is usually covered. In other sources I have also read that encryption is needed on the storage level. This should also be covered by MongoDB: https://www.mongodb.com/products/capabilities/security/encryption. There was a feature request to allow encryption on the field level, but I am not sure how this should work, because someone needs the public key.
2. Backup and Storage Encryption
I would expect that Mongo Enterprise does that already. If you also store the assets in MongoDB you are covered here. If you use a custom backup solution you have to ensure encryption by yourself. Furthermore if you store the assets in another location like Azure blob storage or something similar.
3. Identity and Access Management
Most users use Squidex with SSO solution like Azure AD. If Azure AD is HIPAA compliant, then Squidex is probably compliant as well in this aspect. But I have also read that it is needed to log all login attempts, which is not the case in Squidex.
Furthermore Squidex provides a fine grained permission system, but not on the field level. You can use scripting to hide sensitive information from the user. But just hiding the inspection tab would not help here.
4. Integrity
I think this topic is partly covered. Because we create a new event for each change, we have a full history of every record. The article above also mentions signing, which I am not familiar with. But I am not sure if this is really needed.
To be on the safe side, it is needed to have an audit. I am not sure about the costs, but it is very likely out of budget at the moment at our side. Perhaps we can share costs or work on that together.
Thank a lot Sebastian for detailed reply. I know and already understand all the below points mentioned. Still I wanted to confirm about these things with you. I have some more on these points.
Completely Clear
Completely Clear. So Squidex should work with Encrypted MongoDB Enterprise without any issue. I am planning to have my own custom installation on my own server.
