HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Transcription

1 HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr. Lenny Michael Bonnes Dr.l.Mike.Bonnes@gmail.com

2

3 Contents Security Focus for critical areas within a cloud deployment... 3 Determine Risk tolerance... 3 Evaluate Assets... 3 Map the asset to potential cloud deployment model... 3 Domains:... 4 Security Content Automation Protocol... 4 Information security controls associated to implementation Access control... 5 Information access restriction... 5 Cryptographic key management... 6 Capacity... 6 System environment... 6 Data storage... 6 Information Backup... 7 Event Logging... 7 Management of technical vulnerabilities... 7 Security requirements analysis and specification... 7 Responsibilities and procedures... 8 Assessment of and decision on information security events... 8 Forensics Collection of evidence... 8 Businesses should:... 8 Interfaces and APIs forensic information will be provided through:... 8 Compliance... 9 Regulation of cryptographic controls... 9 Compliance with security policies and standards... 9 Technical Compliance Review... 9 Demarcation of responsibility... 9 Protection of Virtual Environment Cooperation of configurations between virtual and physical network Information security incident management Information security risk related cloud computing Threats to business unit... 11

4 Security Focus for critical areas within a cloud deployment This paper is put together to help Business focus on critical areas when moving to a cloud deployment. Determine Risk tolerance Identify the asset for the cloud deployment 1. Data 2. Applications/functions/process Determine either moving information into the cloud, or transactions/processing (partial functions) Determine the need to have data and applications reside in the same location or can only parts of functions to the cloud. Evaluate Assets How sensitive is the data? How important is the application/function/process For each asset think of these questions: How would we be harmed if the asset became widely public and widely distributed? How would we be harmed if an employee of our cloud provider accessed the asset? How would we be harmed if the application or function were manipulated by an outsider? How would we be harmed if the process or function failed to provide expected results? How would we be harmed if the asset were unavailable for a period of time? These questions are directed towards Confidentiality, integrity and availability requirements for the asset. Map the asset to potential cloud deployment model Determine deployment following options: Public Private, internal /on premises Private, external (dedicated or shared infrastructure) Hybrid have in mind the architecture where functions components and data will reside Map out data flow before deciding

5 Domains: Governance and Enterprise risk management; the ability of the businesses to govern and measure enterprise risk introduced by a cloud deployment. I.e., legal precedence for agreement breaches, your client s ability to adequately assess risk of a cloud provider. Where does the responsibility reside to protect sensitive data access points when both business and provider are at fault? Legal issues; contracts and Electronic discovery. Review contracts to ensure that SLA, MLA, or BAAs has not restricted the use of a cloud deployment. Compliance and Audit; maintain audit trail and proving compliance when utilizing a cloud deployment Managing Data; managing data in the cloud the identification and control of data and all compensating controls to deal with loss of physical control. Who is responsible for data confidentiality, integrity and availability? Portability and interoperability; determine the ability to move data/ services from one provider to another, or bring it back in house. Traditional Security practices business continuity and disaster recovery. How does the move to the cloud affect the operational processes and procedures currently used to implement security, business continuity and disaster recovery? Security Content Automation Protocol Assessing Information security risks in cloud services Risk assessment should be run periodically but may also be performed following the manifestation or observation of a vulnerability or new threat. The following considerations should be considered following the assessing of security risk Information security controls disclosed by cloud service provider can be limited or abstracted in order to minimize their risks. Disclosures by the cloud provider on its vulnerabilities can also increase risk to the business unit. When defining the information security policy for the use of cloud computing the following issues have been taken into account. a) Information stored in the cloud computing environment that is subject to Access controls b) Assets maintained in the cloud I.e., application programs c) Processes run on the cloud service d) Administrators who will have privileges

6 Information security controls associated to implementation. Clear division of information security responsibilities between businesses and the service provider should be clearly defined and documented. Segregation of duties and access rights should be determined Policy written for use of cloud service Standards and procedures for use of cloud service Risk determined with each cloud service System and network environment risks with the use of cloud service. Asset management Inventory of assets in relation to use in a cloud environment. Confirmation of support for asset management in the cloud environment Policy developed for the end of contract with Cloud provider and return of assets. Access control Businesses should include the following regarding control on the use of cloud service in the policy on the use of network services: A. Access control for each service. User credentials B. Access control preventing network access from designated sites. IP address or URL C. Identify procedures for issuance and re-issuance of password Information access restriction Businesses should restrict access to cloud service, (Admin Rights) functions and customer information maintained by the cloud service provider. Businesses should put in a request to the cloud service provider for the restrictions that are in place for the cloud service and cloud service customer information. Businesses should restrict and tightly control the use of utility programs running in the cloud environment that might be capable of overriding system and application controls. Business units should request: Specifications of utility programs that might be capable of overriding system and application controls Functional specifications to restrict and control utility programs Business units should request the following information on procedures used to manage keys related to the cloud service.

7 Cryptographic key management Businesses should confirm that functionalities of cryptography provided on cloud service are adequate with the policy on the use of cryptographic control Specifications of key management system, including procedure for each process of key life cycle I.e., generating changing, updating storing, retiring, retrieving retaining and destroying. The businesses should not permit the cloud service provider to store and manage encryption keys on the behalf of the Businesses for protection of any data that is owned or managed by the business unit. Businesses should employ a separate and distinct service to store and manage keys. Businesses should request information about physical security perimeter to confirm that the specification satisfies the regulatory requirements. Capacity Businesses should confirm that communication to the Businesses includes: Changes to the system Planned date and time of system changes Announcement of system change start and completion Businesses should confirm that the capacity is sufficient to deliver product. System environment Data storage Capacity of network and network equipment including the virtual network environment. I.e., bandwidth, maximum number of network sessions. And the following: Agreed or expected system performance Lead time to have additional capacity or system performance Maximum capacity and system performance Redundancy and diversity of systems Redundancy and diversity of access networks Statistics on system resource usage Statistics in a given time period Maximum system resource usage. FYI (Total volume of logical capacity can never exceed the total volume of the physical capacity)

8 Information Backup 1. businesses should define back-up policy and develop procedures with the following considerations 2. Backup and restoration functions should be performed as part of the cloud service 3. Backup and restoration functions should be developed by business unit 4. Backups should be encrypted according HIPAA/HITECH/ISO demands. 5. Backup and restoration functions should be performed as part of the cloud service 6. Local and or offsite storage of backups should be documented 7. businesses should establish a retention period Event Logging Businesses should request specifications to the cloud service providers to develop procedures for monitoring usage of the cloud services A. Types of usage records B. Retention period of usage records Management of technical vulnerabilities Businesses should understand technical vulnerability management of cloud service. Businesses should request the following information to the cloud service provider to understand technical vulnerability management. Process of identification of technical vulnerability Policy to respond to technical vulnerability Request and agree upon criteria for system feature to be considered vulnerable Businesses should request information on functional specifications on dividing the networks into separate network domains. To the cloud provider to segregate networks of cloud service. Security requirements analysis and specification Businesses should specify the security requirements for the cloud service. Businesses should analyze and evaluate the alignment of the implemented controls in the cloud environment Businesses should include cloud specific risks along with the organizations general information security risks. Businesses should be aware that visibility of controls and achieved levels of information security tends to be limited in the use of cloud service and information security risks.

9 Responsibilities and procedures Businesses should verify distribution process of information about severe information security incident by cloud provider Businesses should notify cloud provider in the event of an incident or breach Assessment of and decision on information security events Businesses should verify the definition of information regarding severe information security incident provided by cloud provider Business should review incident management framework Forensics Collection of evidence Businesses should: Identify information that can serve as evidence that resides within a cloud service or within the cloud provider environment associated with the cloud service Establish procedures by which the information can be collected and acquired from the cloud service or the related environment. Ensure that information which can serve as evidence is preserved within the cloud service and related provider environment. (Should be covered in the cloud service agreement) Available information made available should be from: VMs network, SIEM, Offline VMs, IPS and other sources Interfaces and APIs forensic information will be provided through: 1. Protection measures against collateral damage during a forensic investigation on shared resources (if available) 2. Protection of sensitive information from other tenants during a forensic investigation on shared resources like RAM or Network (if available) 3. Competence of available personnel supporting forensic investigations. 4. Provider awareness of local laws 5. Procedures and measures to strictly isolate customer related evidence data (if available)

10 Compliance Identification of applicable legislation and contractual requirements Businesses should identify domestic and foreign legal, regulatory and contractual requirements depending on purpose of the cloud service. Businesses should identify Privacy and protection of personally identifiable information Regulation of cryptographic controls Businesses should request cloud service provider to affirm that cryptographic technology used is not in conflict with regulations on export in the countries or regions where such cryptography is provided Compliance with security policies and standards Business service providers need to ensure that there are procedures in place to ensure compliance with security terms contained in the service agreements (and SLAs MLAs BAA) Technical Compliance Review Businesses should confirm information related to technical compliance checking provided from the cloud service provider. Will satisfy any technical compliance. When the cloud provider does not satisfy cloud service customer technical compliance policy, businesses should reconsider the use of cloud service. Demarcation of responsibility Businesses should identify and manage the support contact and the Businesses contact of the cloud service provider Businesses should review proposed demarcation of information security responsibilities and confirm if it can accept the responsibilities of both parties in the contract. Businesses should identify and manage the support contact and the customer contact of the cloud service provider

11 Protection of Virtual Environment Businesses should identify the controls in place by the cloud service provider to ensure that access to Businesses instance is executable from another cloud service customer or unauthorized users to ensure segregation of virtual environments. This segregation should be strictly preserved regardless of physical configurations or physical migration of virtual assets. Businesses should request an operation log by the cloud service provider and stored to clarify boundary of responsibility Cooperation of configurations between virtual and physical network Businesses should request a configuration manual based on virtualized security policy Information security incident management Businesses should verify distribution process of information about severe information security incidents by cloud service provider and be able to acquire information accurately and quickly. Businesses should notify the cloud service provider and have information to avoid affection of incident when Businesses confirmed that an incident occurred in the cloud-computing environment.

12 Information security risk related cloud computing Threats to business unit 1. Loss of governance: Public cloud deployments, customers cede control to the cloud provider over a number of issues that may affect security. All the while the service level agreements may not offer a commitment to provide sufficient security 2. Responsibility ambiguity Ambiguity exist between the Businesses and the cloud provider on who must control security. Most cloud providers supply a division of responsibilities and because of this split between the customer and provider gaps may exist in the environment and should be fully vetted. 3. Isolation failure During a shared resource cloud deployment and multi tenancy characteristics of cloud computing. A higher than normal risk exist on coverage of the usage of data 4. Vendor lock-in This security dependency is within the proprietary services of any one particular cloud service provider which could lead to the cloud service customer being tied to that provider. Services that do not support portability of applications and data to other providers increase the risk of data and service unavailability. 5. Compliance and legal risks Investment in achieving certification or compliance may be at risk by migration to use cloud computing if the cloud service provider cannot provide evidence of their own compliance with relevant requirements or if the cloud provider does not permit audit by the business unit. It is the responsibility of the Businesses to be clear about the division of security responsibilities between the customer and the provider and to ensure that the business unit s responsibilities are handled appropriately when using cloud services. 6. Handling of security incidents The detection, reporting and subsequent management of security breaches is a concern for the business unit, which relies on the cloud provider to handle breach matters. 7. Management interface vulnerability Customer management interfaces of a public cloud provider 8. Data Protection Cloud computing poses several data protection risks for cloud customers. Major point to consider exposure or release of sensitive data but also include loss or unavailability of data. In most cases on data protection it will be a challenge to check the data handling practice of the cloud provider. 9. Malicious behavior of insiders Damage caused by the malicious actions from within the cloud provider can be substantial, given the access and authorizations they may have. This is of course increased within a cloud computing environment. This kind of activity could occur with or without the knowledge of the business unit.

13 10. Business failure of the provider In disaster recovery if the cloud provider fails to recover from a disaster, this could render data and applications unavailable to the business unit. 11. Service unavailability As we know service a host of factors, from equipment or software failures in the provider s data center, or failure of communication between Businesses system and that of the cloud providers, can cause unavailability. 12. Migration and integration failures Migrating to use cloud services may involve moving data and applications from the customer environment to the provider environment with associated configuration changes (I.e., network addressing). Migration of part of the business unit s infrastructure to a cloud service provider may require substantial changes in the infrastructure design. Same issues follow with the migrating of applications and data. 13. Evolutionary risks The businesses should be aware a cloud service provider that has passed the security assessment during acquisition phase might have new vulnerabilities introduced during its lifetime due to changes in software components. 14. Cross border issues The businesses should be aware that the location of the service provider might prevent its ability to meet regulatory requirements due to cross border issues 15. Insecure or incomplete data deletion Requests to delete cloud resources, when a customer terminates the use of a cloud service with a provider, may not result in complete deletion. It is important that the Businesses be aware of where all data rest and how it is disposed, it is quite possible that a cloud provider hardware will retain data that had been deleted and yet artifacts remain.