AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

Transcription

1 AHLA JJ. Keeping Your Cloud Services Provider from Raining on Your Parade Jean Hess Manager HORNE LLP Ridgeland, MS Melissa Markey Hall Render Killian Heath & Lyman PC Troy, MI Physicians and Hospitals Law Institute February 5-7, 2014

2 Keeping Your Cloud Services Provider from Raining on Your Parade Melissa Markey Hall Render Killian Heath & Lyman 201 W. Big Beaver Rd., Suite 1200 Troy, MI (248) Jean Hess HORNE LLP 1020 Highland Colony Parkway, Suite 400 Ridgeland, MS llp.com Agenda What exactly is the Cloud? Key issues when selecting your cloud services provider ( CSP ). What methods are used by my CSP to protect my data? Are your contractual terms being met by your CSP? Watch for Carve Outs! What controls are in place at your CSP to safeguard your critical systems and data? 2 1

3 What Exactly is the Cloud? A model for enabling ubiquitous, convenient, on demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. * * Definition source: NIST Special Publication , September 2011 Image source: 3 The Four Cloud Deployment Models Public cloud: The cloud infrastructure is provisioned for open use by the general public.* Private cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units).* Hybrid cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities.* Community cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations).* * Definition source: NIST Special Publication , September 2011 Image source: 4 2

4 What are the Risks? Your Job: To Ensure the Confidentiality, Integrity and Availability of Mission Critical Data Risks: Data Breach Loss of Confidentiality Viruses, other malware; other types of breach Loss of Integrity DoS/DDoS, Outages Loss of Availability 5 What are the Risks? Your Data in the Hands of a Third Party Co Located with other Customers Some of whom may be a target for Hacktivists Depending on the type of cloud, the Third Party (Cloud Provider) may be primarily responsible for security Relying on another for back up, disaster recovery, monitoring for attacks, responding to threats, and keeping you informed 6 3

5 Who is Responsible? You may be able to delegate responsibility for performing tasks, but you cannot delegate accountability for ensuring accomplishment of the regulatory mandate. 7 Does Healthcare Use the Cloud? How Confident are the Users? Healthcare organizations and the cloud. 62% make moderate or heavy use of cloud services. 9 % do not use cloud services. 47 % are not confident that information in the cloud is secure and 23 % are only somewhat confident. 91% of hospitals surveyed are using cloud-based services, yet 47% lack confidence in the ability to keep data secure in the cloud. *Data Source: Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute Research Report, December

6 So Why Does My CIO/CFO/Business Owner Want to Use the Cloud? Access to state-of-the-art computing resources using operating dollars, rather than capital dollars. Scalability when more computing power is needed, easy to scale up; when less is needed, can scale down and save money. Faster implementation. Rather than the months necessary to purchase machines and stand up/expand a data center, cloud services can be provisioned in hours to days. It s cool to be in the cloud. 9 Key Issues When Selecting Your CSP Viability and Capability of CSP Cloud Management and Monitoring Self Service and Ease of Access Daily if you maintain support of some type, In time of disaster, Regulatory Compliance/Experience in Healthcare industry Service Level Agreements Past Performance Other Customers Contractual Compliance (PCI-DSS). 10 5

7 Where Are the Data Risks? At Rest: Within the software application Within the database Within the primary and secondary backup storage systems Including storage media Within mobile devices (smartphones, ipad). In Motion: Hardware Wireless Mobile Devices Third Parties: Who else can access your data? 11 What Methods are Used by my CSP to Protect my Data? Monitor environments: At the Network level At the Firewall For malware, viruses, phishing s Web attacks Denial of Service (DOS) At the Database level At the Device level Especially Mobile Devices. Enforce User Compliance: Secure among shared environments - CSP User Access. 12 6

8 What Methods are Used by my CSP to Protect my Data? - continued Enforce Multifactor Authentication Methods Establish VPNs (Virtual Private Networks) Perform Risk Assessments: Most breaches are found by outsiders Of internal breach discoveries, 52% are found by risk assessments/audits* Require Complex Passwords that are changed regularly Create and Communicate Policies & Procedures Train personnel. Train them again. And again. And again. *Data Source: Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute Research Report, December Mobile Devices Are You at Risk? Trends in mobility and employee owned devices put patient data at risk. 81% permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their organization s networks or enterprise systems. Even if it isn t permitted, it is still happening 54% are not confident that personally owned mobile devices are secure.* *Data Source: Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute Research Report, December

9 Critical Contract Provisions Location of Data Are all data centers in US? Is support follow the sun? Data rights and ownership Can vendor use de identified/anonymized data for own purposes/development of algorithms? Security expectations Service Level Agreement (SLA) details Audit, Compliance, E Discovery 15 Critical Contract Provisions Security Specify who is responsible for what Security responsibilities may vary depending on type of cloud IaaS, PaaS, SaaS Backup Who How often is restoration tested? Disaster Recovery/COOP Declaration, Implementation, Testing, RTO, RPO Where is Hot/Warm Site? Different Vendor? 16 8

10 Critical Contract Provisions Indemnification Insurance Warranties Reporting Account Executive Who is your primary POC? How often will you meet? Audits SSAE 16, PCI DSS, Next Gen. alternatives 17 What SSAE 16 Standards Report is Right for You? Do you need a report that focuses on non-financial data such as the network infrastructure, applications and databases? Controls relate to Trust Service Principles SOC 2. Do you need a report that focuses on financial data and how it is maintained, secured and processed? Controls relate to Financial transactions SOC 1. Sometimes you need both! Image Source:

11 SOC 2 Report - Trust Service Principles: Trust Service Principles: Security: The system is protected, both physically and logically, against unauthorized access. Availability: The system is available for operations as agreed. Processing Integrity: System processing is complete, accurate, authorized and timely. Confidentiality: Sensitive/confidential information is protected. Privacy: Personal information is collected, used, retained and disclosed in conformity with the contractual agreements in the user entity s privacy notice and as stated in the AICPA principles. Document Source: 19 Carve Outs? What you Need to Know! What are Carve Outs? Areas or controls that a CSP identified as not covered under their SOC 1 or SOC 2 report, Omitted areas or controls may be critical to your HIPAA compliance requirements, Receivers of SOC reports must read their SOC reports carefully to ascertain if omitted areas require an additional SOC report from another vendor who is a subcontractor or associate of the CSP, Some CSPs include the subcontractor s SOC reports within their report

12 Examples of Carve Outs Examples of Carve Outs commonly seen in SOC reports: Users are responsible for performing maintenance on their applications located at the data center. Users are responsible for performing all data backups, changing backup media and monitoring availability. Users need to develop their own disaster recovery plans in case the CSP s equipment is not available. Users are responsible for confidentiality and integrity of their data. 21 What is the Cloud Security Alliance? Cloud Security Alliance (CSA) not for profit organization founded in 2008 to promote best practices for providing security assurance within Cloud Computing* Created an Open Certification Framework providing various levels of cloud certification Another source of information on cloud providers and their level of compliance with security controls Security, Trust & Assurance Registry (STAR ) Registry, CSA Position Paper recommends SOC 2, Type 2 report for CSPs if the SOC report is not directly related to financial statements. * Definition source: and Image Source:

13 What Controls are in Place at your CSP to Safeguard Your Critical Systems and Data? Examples of IT Control Areas and Relevant Controls: Entity Level Security, Physical Security and Environmental Controls, Logical & Data Security, Security Administration (Service Providers and Client), Access Management (Internet/Network Access), Change Management, System Development, Anti Virus, Network Security (Network and System Monitoring), System Uptime and Maintenance, Data Transmissions, Event Management and Problem Resolution Backup and Storage. 23 IT Controls Your CSP Should Have? Controls should be in layers of Protection: Exterior of Your CSP s Data Center facility Interior of the CSP s facility Your equipment cage Remote access Third Party access

14 The Devil is in the Details! Physical & Environmental: Subcontractors for providing telecommunications may not have BAAs with CSP or their own disaster recovery plan and processes. Logical: Is Vulnerability & Penetration testing performed on an annual basis Are the Cisco routers, switches and security appliances patched Data Processing Monitoring: Who is accessing your systems and data Data Storage: If you use encryption, you need to understand what type of hardware that your applications and databases reside For instance, if you encrypt the database and it becomes corrupted, can the CSP change out the drive without impacting your business? 25 How Do You Know if Your CSP is Meeting Your Contractual Terms? CSPs need operational transparency: Right to Audit the CSP facilities Review SSAE16 Service Organization Control reports: SOC 2 Report, Type 2: Prior control issues Carve outs Notice if any breaches occur, whether or not your data is directly affected Cloud Security Alliance (CSA): Security, Trust & Assurance Registry (STAR ) Registry Image Source:

15 IT Control Questions to Ask Your CSP! Concerns regarding Breaches: Third party access: Consultants used by CSP and other vendors Pen testing?? How often does the CSP conduct reviews of personnel changes and terminations Trusted Certificates Cryptographic keys and certificates: SSH (Secure Shell keys) are used to authenticate to and manage systems Ask CSPs if they know how many keys and digital certificates they have: Probably not known. Ask CSP where their data centers are located? If overseas for storage or processing, they may not comply with your regulatory or contractual requirements. 27 Business Associate The Cloud Provider is a Business Associate Even if the Data is Encrypted Even if you hold the encryption key Yes, they need to sign a BAA No, they are not a conduit No, I am not kidding If you doubt me, ask: 28 14