BECOME A SMARTER CLOUD CONSUMER

Academic year: 2021


Ripping through the Rhetoric to Find Your Cloud & Control Your Risk

(2)

Kurt Hagerman

Expert in attaining and maintaining compliance standards, including PCI, HIPAA, ISO 27001, among others. Has conducted hundreds of security reviews and audits across a number of industries including the payment space, healthcare, financial services and higher education.

Industry Leadership

•  Cloud Security Alliance SME Council

•  ISACA

•  CSA

•  ISSA

(3)

So, you’ve decided to explore the cloud for your PHI but are worried about

(4)

Have you done your research and come away confused about how various cloud vendors communicate about HIPAA compliance?

It’s understandable given

(5)
(6)

SECURITY

•  Outrageous statements being made

•  They sound good but ring hollow

•  What do they actually mean to you, the cloud consumer, and how will your vendor’s stance affect your compliance?

Are you Confused? Frustrated?

I know I am.

(7)

SNAKE OIL, ANYONE?

•  Vendors trivialize HIPAA compliance

•  Vendors oversimplify the requirements to sell their services as a “silver bullet”

(8)

CONSIDER THE CLOUD MODELS

[Diagram: IaaS, PaaS and SaaS arranged along a scale from Security~You to Security~Them]

Your responsibilities, and those of your cloud vendor, vary based on the model used by the vendor.

(9)

INFRASTRUCTURE AS A SERVICE (IAAS)

Providers: AWS, Azure, Rackspace, SoftLayer, etc.

•  Typically only provide security for the underlying infrastructure

•  Any compliance attestations only apply to underlying infrastructure with no leverage available to customers

•  Vendors forced into signing BAAs, but theirs are typically weak based on the lack of security provided to the customer

•  Customer owns nearly 100 percent of the compliance responsibility
(10)

PLATFORM AS A SERVICE (PAAS)

Providers: AWS (Elastic Beanstalk), Salesforce (Force.com), IBM SmartCloud, CloudFoundry, HP Helion, etc.

•  Provide development tools and other building blocks for applications and secure these services

•  Compliance attestations apply to the service with limited leverage available to customers

•  Will sign BAAs, but typically provide little liability protection based on limited security provided to the customer

•  Customer owns a majority of the compliance responsibility
(11)

SOFTWARE AS A SERVICE (SAAS)

Providers: Salesforce, Box, Epic, Allscripts, Athena, etc.

•  Own the entire stack up through the application

•  Any compliance attestations apply to the entire service with significant leverage available to customers

•  BAAs are typically stronger based on security provided to customer data and contain reasonable liability language

•  Customer owns very little of the compliance responsibility (at least for the HIPAA security rule)
(12)

IaaS and PaaS are fairly close in terms of the split of responsibility between customer and vendor (PaaS more difficult to parse)

Significant shift from PaaS to SaaS in terms of vendor responsibility

Risk to your organization increases from IaaS to SaaS

(13)

•   Do you know what your vendor is really doing for you?

•   Do they provide information on the specific security controls that are included with their service?

•   Have they mapped their services and security controls to the HIPAA/HITECH requirements?

•   Does your vendor use third parties to provide services to you?

•   Have they (and their third parties) been independently assessed?

•   Do you know who to call when something goes wrong?

•   What about the privacy and breach rule?

•   How do I manage a compliance program with multiple vendors all providing my “cloud services”?

(14)

SIX COMPLIANCE CHALLENGES

1. Identifying the division of responsibility between you and your cloud vendor

2. Ensuring the services your vendor is providing are properly mapped to your risk assessment

3. Getting the evidence you need for your audit

4. Obtaining objective attestation documentation from the vendor for the controls they have full or partial responsibility for

5. Monitoring ongoing compliance of your vendors

6. Receiving support from vendor during a breach event

(15)

BE A SMARTER CLOUD CONSUMER

You need to deal with vendors who will be transparent about what they do and how it assists you in mitigating risk and addressing compliance requirements.

CAVEAT EMPTOR

(16)

Your Vendor Should:

•   Provide a clear, concise explanation of the specific security controls they include in their service and how these directly assist you in meeting your compliance obligations

•   Articulate the boundaries between their responsibility and yours

•   Provide documentation that backs up assertions about being “HIPAA Compliant,” including independent audit reports that clearly state:

- the scope of the assessment

- the control framework used

(17)

WHAT ABOUT BUSINESS ASSOCIATE AGREEMENTS?

Many vendors say they are “business associate-friendly” and that they will sign a BAA.

•   Does their BAA include language that clearly states what services they are providing and what responsibility they are taking for security incidents?

(18)

Thank You

Questions?

Kurt Hagerman

Email kurt.hagerman@firehost.com
