Security Concerns about Cloud Computing in Healthcare. Kate Borten, CISSP, CISM President, The Marblehead Group

Transcription

1 Security Concerns about Cloud Computing in Healthcare Kate Borten, CISSP, CISM President, The Marblehead Group

2 Agenda What is cloud computing? Advantages Security concerns Suggestions 2009 The Marblehead Group 2

3 Wikipedia definition Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the cloud that supports them. The concept generally incorporates combinations of the following: Infrastructure as a service (IaaS) Platform as a service (PaaS) Software as a service (SaaS) Other recent technologies that rely on the Internet to satisfy the computing needs of users. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers The Marblehead Group 3

4 Wikipedia definition (cont d) The term cloud is used as a metaphor for the Internet, based on how the Internet is depicted in computer network diagrams and is an abstraction for the complex infrastructure it conceals. The first academic use of this term appears to be by Prof. Ramnath K. Chellappa (currently at Goizueta Business School, Emory University) who originally defined it as a computing paradigm where the boundaries of computing will be determined by economic rationale rather than technical limits. Thank you, Wikipedia (wikipedia.org) 2009 The Marblehead Group 4

5 More on what it is Sun Microsystems calls cloud computing the next generation of network computing Another step toward virtualization of the IT infrastructure and framework for the real business to take place Essentially whatever you can have on your local network, you can get from a cloud provider applications, data storage, etc. Capacity and performance on demand ( selfservice ) 2009 The Marblehead Group 5

6 Cloud types Public clouds run by 3 rd party; provide resources for multiple customers; typically in a secure colocation facility Public cloud can contain a virtual private cloud a bit like a virtual private network (VPN) running over the public Internet Some 3 rd party cloud providers can also set up and manage an exclusive private cloud for a customer Hybrids various combinations of public/private 2009 The Marblehead Group 6

7 Advantages of cloud computing Cloud provider sets up architecture and support so you don t have to make the investment (financial, resource) Especially helpful for short term and temporary projects such as testing an app on a new platform or running an app temporarily Especially helpful for SMBs Easier scalability faster run time and response time 2009 The Marblehead Group 7

8 Advantages of cloud computing Pay as you go instead of big up-front costs, and as needed Possible advantages, esp. for SMBs: Potential for more robust monitoring and auditing capabilities Potential for better physical security than your organization can provide 2009 The Marblehead Group 8

9 Security Concerns 2009 The Marblehead Group 9

10 Responsibility You still have privacy & security responsibility for PHI and other legally protected information assets. You can outsource the processes, but you can t outsource ultimate responsibility. Like the CE:BA model, CEs are responsible for high-level decisions about what PHI is collected, how it is used, disclosed, and protected. BA helps achieve CE objectives The Marblehead Group 10

11 How can you take responsibility indirectly? You have high-level responsibility, but since you ve outsourced the processes, you have only indirect control over how processes are carried out. That requires due diligence in choosing a cloud provider and monitoring activity and the relationship 2009 The Marblehead Group 11

12 How to assess cloud provider s security? How do you assess the vendor s security? (their knowledge, commitment, and security practices) Especially if you find it a challenge to assess your own organization s actual security And you have limited time and resources to examine vendor policies and processes (and how far do you drill down anyway?) Isn t a contract good enough? Can t we take them at their word? 2009 The Marblehead Group 12

13 How do you handle breaches? If privacy/security regulatory violation or breach on cloud vendor s watch, will it be more difficult to unravel how & why? Will it be more difficult to identify individuals for notification? To mitigate? Is there a hidden cost if violation/breach is on vendor s watch your reputation? civil penalties? lawsuits? 2009 The Marblehead Group 13

14 How do you ensure availability? Depending on what services your organization is using, availability usually specified in the SLA Actually, colocation facilities likely to provide greater physical protection and technical redundancy and other disaster protections than our own facilities 2009 The Marblehead Group 14

15 Suggestions 2009 The Marblehead Group 15

16 Questions for the cloud provider Develop list of questions (some open-ended such as How do you ensure.? ) Be sure the answers are clear and you re satisfied For example: How do you ensure separation of our data from that of other customers (and the world)? Should be multiple steps/factors at multiple layers, and not prone to human error Using VLANs, strong port filtering.? Applicationlevel controls? 2009 The Marblehead Group 16

17 Questions (continued) How is user access controlled? Who authorizes access? Who manages the authentication server: vendor or our organization? (Critical security/privacy decisions think ChoicePoint) How customizable are access controls? Are they as rigorous as they need to be? (e.g., multifactor user authentication) Are they as granular as they need to be? (e.g., read-only access vs update) Who, representing the vendor, will have access? Why? How? Subcontracted (offshore?)? 2009 The Marblehead Group 17

18 Questions (continued) Processes for system hardening at every level? keeping up with security patches? Using encryption? In transit, at rest Meeting NIST standards Log monitoring? 2009 The Marblehead Group 18

19 Questions (continued) Analyze responses In many cases, we have to trust vendor answers Check with other customers 2009 The Marblehead Group 19

20 Use the SLA Ensure SLA has terms that protect your organization Availability Physical access controls Alternate site Technical access/redundancy Perform site visit if appropriate Use the SLA (or other contract) to reinforce explicit privacy/security commitments 2009 The Marblehead Group 20

21 Business risk In the end, this is a business risk decision If cloud computing is advantageous to your organization, look for a trusted vendor, weigh the privacy & security risks, and mitigate the risks through due diligence and contract language (and keep monitoring the relationship) The Marblehead Group 21

22 Questions? Kate Borten, CISSP, CISM President, The Marblehead Group 1 Martin Terrace Marblehead, MA Tel: kborten@marbleheadgroup.com 2009 The Marblehead Group 22