BECOME A SMARTER CLOUD CONSUMER
Ripping through the Rhetoric to Find Your Cloud & Control Your Risk
Kurt Hagerman
Expert in attaining and maintaining compliance standards, including PCI, HIPAA, ISO 27001, among others. Has conducted hundreds of security reviews and audits across a number of industries including the payment space, healthcare, financial services and higher education.
Industry Leadership
• Cloud Security Alliance SME Council
• ISACA
• CSA
• ISSA
So, you’ve decided to explore the cloud for your PHI but are worried about SECURITY.
Have you done your research and come away confused about how various cloud vendors communicate about HIPAA compliance?
It’s understandable given
• Outrageous statements being made
• They sound good but ring hollow
• What do they actually mean to you, the cloud consumer, and how will your vendor’s stance affect your compliance?
Are you Confused? Frustrated?
I know I am.
SNAKE OIL, ANYONE?
• Vendors trivialize HIPAA compliance
• Vendors over-simplify the requirements to sell their services as a “silver bullet”
CONSIDER THE CLOUD MODELS
[Figure: the IaaS, PaaS and SaaS models shown as a stack, with a “Security ~ You” / “Security ~ Them” scale alongside]
Your responsibilities, and those of your cloud vendor, vary based on the model used by the vendor.
INFRASTRUCTURE AS A SERVICE (IAAS)
Providers: AWS, Azure, Rackspace, SoftLayer, etc.
• Typically only provide security for the underlying infrastructure
• Any compliance attestations only apply to the underlying infrastructure, with no leverage available to customers
• Vendors are forced into signing BAAs, but theirs are typically weak based on the lack of security provided to the customer
• Customer owns nearly 100 percent of the compliance responsibility
PLATFORM AS A SERVICE (PAAS)
Providers: AWS (Elastic Beanstalk), Salesforce (Force.com), IBM SmartCloud, CloudFoundry, HP Helion, etc.
• Provide development tools and other building blocks for applications, and secure these services
• Compliance attestations apply to the service, with limited leverage available to customers
• Will sign BAAs, but typically provide little liability protection based on the limited security provided to the customer
• Customer owns a majority of the compliance responsibility
SOFTWARE AS A SERVICE (SAAS)
Providers: Salesforce, Box, Epic, Allscripts, Athena, etc.
• Own the entire stack up through the application
• Any compliance attestations apply to the entire service, with significant leverage available to customers
• BAAs are typically stronger based on the security provided to customer data, and contain reasonable liability language
• Customer owns very little of the compliance responsibility (at least for the HIPAA security rule)
• IaaS and PaaS are fairly close in terms of the split of responsibility between customer and vendor (PaaS more difficult to parse)
• Significant shift from PaaS to SaaS in terms of vendor responsibility
• Risk to your organization increases from IaaS to SaaS
• Do you know what your vendor is really doing for you?
• Do they provide information on the specific security controls that are included with their service?
• Have they mapped their services and security controls to the HIPAA/HITECH requirements?
• Does your vendor use third parties to provide services to you?
• Have they (and their third parties) been independently assessed?
• Do you know who to call when something goes wrong?
• What about the privacy and breach rule?
• How do I manage a compliance program with multiple vendors all providing my “cloud services”?
SIX COMPLIANCE CHALLENGES
1. Identifying the division of responsibility between you and your cloud vendor
2. Ensuring the services your vendor is providing are properly mapped to your risk assessment
3. Getting the evidence you need for your audit
4. Obtaining objective attestation documentation from the vendor for the controls they have full or partial responsibility for
5. Monitoring ongoing compliance of your vendors
6. Receiving support from the vendor during a breach event
BE A SMARTER CLOUD CONSUMER
You need to deal with vendors who will be transparent about what they do and how it assists you in mitigating risk and addressing compliance requirements.
CAVEAT EMPTOR
Your Vendor Should:
• Provide a clear, concise explanation of the specific security controls they include in their service and how these directly assist you in meeting your compliance obligations
• Articulate the boundaries between their responsibility and yours
• Provide documentation that backs up assertions about being “HIPAA Compliant,” including independent audit reports that clearly state:
  - the scope of the assessment
  - the control framework used
WHAT ABOUT BUSINESS ASSOCIATE AGREEMENTS?
Many vendors say they are “business associate-friendly” and that they will sign a BAA.
• Does their BAA include language that clearly states what services they are providing and what responsibility they are taking for security incidents?
Thank You
Questions?
Kurt Hagerman
Email kurt.hagerman@firehost.com