HIPAA CRITICAL AREAS: TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
A Review List

This paper was put together with security, ISO and HIPAA in mind, as guidance as you move into a cloud deployment.

Dr. Lenny Michael Bonnes
Dr.l.Mike.Bonnes@gmail.com
Contents

Security Focus for critical areas within a cloud deployment
Determine Risk tolerance
Evaluate Assets
Map the asset to potential cloud deployment model
Domains
Security Content Automation Protocol
Information security controls associated to implementation
Access control
Information access restriction
Cryptographic key management
Capacity
System environment
Data storage
Information Backup
Event Logging
Management of technical vulnerabilities
Security requirements analysis and specification
Responsibilities and procedures
Assessment of and decision on information security events
Forensics: Collection of evidence
Businesses should
Interfaces and APIs through which forensic information will be provided
Compliance
Regulation of cryptographic controls
Compliance with security policies and standards
Technical Compliance Review
Demarcation of responsibility
Protection of Virtual Environment
Cooperation of configurations between virtual and physical network
Information security incident management
Information security risk related cloud computing
Threats to business unit
Security Focus for critical areas within a cloud deployment

This paper is put together to help businesses focus on critical areas when moving to a cloud deployment.

Determine Risk tolerance

Identify the assets for the cloud deployment:
1. Data
2. Applications/functions/processes
Determine whether you are moving information into the cloud, or transactions/processing (partial functions).
Determine whether data and applications need to reside in the same location, or whether only parts of functions can move to the cloud.

Evaluate Assets

How sensitive is the data? How important is the application/function/process? For each asset, consider these questions:
How would we be harmed if the asset became widely public and widely distributed?
How would we be harmed if an employee of our cloud provider accessed the asset?
How would we be harmed if the application or function were manipulated by an outsider?
How would we be harmed if the process or function failed to provide expected results?
How would we be harmed if the asset were unavailable for a period of time?
These questions are directed towards the confidentiality, integrity and availability requirements for the asset.

Map the asset to potential cloud deployment model

Determine the deployment model from the following options:
Public
Private, internal/on premises
Private, external (dedicated or shared infrastructure)
Hybrid
Have in mind the architecture: where function components and data will reside. Map out the data flow before deciding.
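A worked run of the three steps above (identify the asset, answer the five harm questions, map the result to a deployment model), as an added example that is not from the original paper. The harm-question to CIA mapping is the paper's; the 0..3 harm scale, the level-to-model table and the sample assets are this example's assumptions.

```python
"""Asset evaluation for the Determine Risk tolerance / Evaluate Assets / Map the asset
steps. Added example, not from the original paper: the harm-question to CIA mapping
follows the paper; the 0..3 harm scale, the level-to-model table and the sample
assets are this example's assumptions."""
from dataclasses import dataclass, field

# The paper's five harm questions, each tied to the CIA property it probes.
HARM_QUESTIONS = {
    "widely_public": "confidentiality",             # asset became widely public/distributed
    "provider_employee_access": "confidentiality",  # a cloud provider employee accessed it
    "manipulated_by_outsider": "integrity",         # application/function manipulated
    "wrong_results": "integrity",                   # process failed to give expected results
    "unavailable": "availability",                  # asset unavailable for a period of time
}
# Assumed: the highest harm rating (0 none .. 3 severe) decides the deployment model.
MODEL_BY_LEVEL = {0: "Public", 1: "Public", 2: "Private, external",
                  3: "Private, internal/on premises"}

@dataclass
class Asset:
    name: str
    kind: str              # "data" or "application/function/process"
    harms: dict            # harm question -> 0..3 rating (unanswered questions count as 0)
    flows_to: list = field(default_factory=list)   # assets this one exchanges data with

def cia_requirements(asset):
    """Reduce the harm answers to a 0..3 requirement per CIA property (max per property)."""
    req = {"confidentiality": 0, "integrity": 0, "availability": 0}
    for question, level in asset.harms.items():
        prop = HARM_QUESTIONS[question]
        req[prop] = max(req[prop], level)
    return req

def deployment_model(asset):
    """Least restrictive model (by the assumed table) that covers the strictest requirement."""
    return MODEL_BY_LEVEL[max(cia_requirements(asset).values())]

def plan(assets):
    """Map each asset to a model, then flag data flows whose endpoints land in different
    models: those make the overall architecture Hybrid, the reason to map data flow first."""
    models = {a.name: deployment_model(a) for a in assets}
    cross_model_flows = [(a.name, peer) for a in assets for peer in a.flows_to
                         if models[peer] != models[a.name]]
    return models, cross_model_flows

# Constructed sample inventory (not real systems): a PHI store, the portal that reads it,
# and a marketing site holding nothing sensitive.
SAMPLE_ASSETS = [
    Asset("patient-records-db", "data",
          {"widely_public": 3, "provider_employee_access": 3, "unavailable": 2}),
    Asset("patient-portal", "application/function/process",
          {"manipulated_by_outsider": 2, "wrong_results": 2, "unavailable": 2},
          flows_to=["patient-records-db"]),
    Asset("marketing-site", "application/function/process",
          {"widely_public": 0, "unavailable": 1}),
]

if __name__ == "__main__":
    print(plan(SAMPLE_ASSETS))
```

The portal-to-database flow lands across two models, which is the signal that the deployment is hybrid and that the flow itself needs its own controls.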
Domains

Governance and Enterprise risk management: the ability of the business to govern and measure enterprise risk introduced by a cloud deployment, e.g., legal precedence for agreement breaches, your client's ability to adequately assess the risk of a cloud provider. Where does the responsibility reside to protect sensitive data access points when both business and provider are at fault?
Legal issues, contracts and electronic discovery: review contracts to ensure that SLAs, MLAs or BAAs have not restricted the use of a cloud deployment.
Compliance and Audit: maintain an audit trail and prove compliance when utilizing a cloud deployment.
Managing Data: managing data in the cloud, the identification and control of data, and all compensating controls to deal with loss of physical control. Who is responsible for data confidentiality, integrity and availability?
Portability and interoperability: determine the ability to move data/services from one provider to another, or to bring them back in house.
Traditional Security practices, business continuity and disaster recovery: how does the move to the cloud affect the operational processes and procedures currently used to implement security, business continuity and disaster recovery?

Security Content Automation Protocol

Assessing information security risks in cloud services: risk assessment should be run periodically, but may also be performed following the manifestation or observation of a vulnerability or new threat. The following considerations apply when assessing security risk:
Information security controls disclosed by the cloud service provider can be limited or abstracted in order to minimize the provider's risks.
Disclosures by the cloud provider on its vulnerabilities can also increase risk to the business unit.
When defining the information security policy for the use of cloud computing, the following issues have been taken into account:
a) Information stored in the cloud computing environment that is subject to access controls
b) Assets maintained in the cloud, e.g., application programs
c) Processes run on the cloud service
d) Administrators who will have privileges
Information security controls associated to implementation

A clear division of information security responsibilities between the business and the service provider should be defined and documented.
Segregation of duties and access rights should be determined.
Policy written for use of the cloud service.
Standards and procedures for use of the cloud service.
Risk determined for each cloud service.
System and network environment risks with the use of the cloud service.

Asset management
Inventory of assets in relation to use in a cloud environment.
Confirmation of support for asset management in the cloud environment.
Policy developed for the end of the contract with the cloud provider and return of assets.

Access control

Businesses should include the following regarding control on the use of the cloud service in the policy on the use of network services:
A. Access control for each service (user credentials)
B. Access control preventing network access from designated sites (IP address or URL)
C. Identified procedures for issuance and re-issuance of passwords

Information access restriction

Businesses should restrict access to cloud service (admin rights) functions and to customer information maintained by the cloud service provider. Businesses should put in a request to the cloud service provider for the restrictions that are in place for the cloud service and cloud service customer information.
Businesses should restrict and tightly control the use of utility programs running in the cloud environment that might be capable of overriding system and application controls. Business units should request:
Specifications of utility programs that might be capable of overriding system and application controls
Functional specifications to restrict and control utility programs
Business units should request the following information on procedures used to manage keys related to the cloud service.
Cryptographic key management

Businesses should confirm that the cryptographic functionality provided on the cloud service is adequate with respect to the policy on the use of cryptographic controls.
Specifications of the key management system, including the procedure for each process of the key life cycle, i.e., generating, changing, updating, storing, retiring, retrieving, retaining and destroying keys.
The business should not permit the cloud service provider to store and manage encryption keys on behalf of the business for protection of any data that is owned or managed by the business unit. Businesses should employ a separate and distinct service to store and manage keys.
Businesses should request information about the physical security perimeter to confirm that the specification satisfies the regulatory requirements.

Capacity

Businesses should confirm that communication to the business includes:
Changes to the system
Planned date and time of system changes
Announcement of system change start and completion
Businesses should confirm that the capacity is sufficient to deliver the product.

System environment
Data storage

Capacity of the network and network equipment, including the virtual network environment, i.e., bandwidth and maximum number of network sessions. And the following:
Agreed or expected system performance
Lead time to obtain additional capacity or system performance
Maximum capacity and system performance
Redundancy and diversity of systems
Redundancy and diversity of access networks
Statistics on system resource usage
Statistics in a given time period
Maximum system resource usage
FYI: the total volume of logical capacity can never exceed the total volume of the physical capacity.
Information Backup

1. Businesses should define a backup policy and develop procedures with the following considerations:
2. Backup and restoration functions should be performed as part of the cloud service
3. Backup and restoration functions should be developed by the business unit
4. Backups should be encrypted according to HIPAA/HITECH/ISO 27001 demands
5. Local and/or offsite storage of backups should be documented
6. Businesses should establish a retention period

Event Logging

Businesses should request specifications from the cloud service provider in order to develop procedures for monitoring usage of the cloud services:
A. Types of usage records
B. Retention period of usage records

Management of technical vulnerabilities

Businesses should understand the technical vulnerability management of the cloud service. Businesses should request the following information from the cloud service provider to understand technical vulnerability management:
Process for identification of technical vulnerabilities
Policy to respond to technical vulnerabilities
Request and agree upon criteria for a system feature to be considered vulnerable
Businesses should request from the cloud provider information on the functional specifications for dividing the networks into separate network domains, to segregate the networks of the cloud service.

Security requirements analysis and specification

Businesses should specify the security requirements for the cloud service.
Businesses should analyze and evaluate the alignment of the implemented controls in the cloud environment.
Businesses should include cloud-specific risks along with the organization's general information security risks.
Businesses should be aware that visibility of controls, achieved levels of information security and information security risks tends to be limited in the use of a cloud service.
Responsibilities and procedures

Businesses should verify the distribution process for information about severe information security incidents by the cloud provider.
Businesses should notify the cloud provider in the event of an incident or breach.

Assessment of and decision on information security events

Businesses should verify the definition of information regarding severe information security incidents provided by the cloud provider.
Businesses should review the incident management framework.

Forensics: Collection of evidence

Businesses should:
Identify information that can serve as evidence that resides within a cloud service or within the cloud provider environment associated with the cloud service.
Establish procedures by which the information can be collected and acquired from the cloud service or the related environment.
Ensure that information which can serve as evidence is preserved within the cloud service and related provider environment (this should be covered in the cloud service agreement).
Information made available should come from: the VM network, SIEM, offline VMs, IPS and other sources.

Interfaces and APIs through which forensic information will be provided:
1. Protection measures against collateral damage during a forensic investigation on shared resources (if available)
2. Protection of sensitive information from other tenants during a forensic investigation on shared resources like RAM or network (if available)
3. Competence of available personnel supporting forensic investigations
4. Provider awareness of local laws
5. Procedures and measures to strictly isolate customer-related evidence data (if available)
Compliance

Identification of applicable legislation and contractual requirements
Businesses should identify domestic and foreign legal, regulatory and contractual requirements depending on the purpose of the cloud service.
Businesses should identify requirements for privacy and protection of personally identifiable information.

Regulation of cryptographic controls

Businesses should request the cloud service provider to affirm that the cryptographic technology used is not in conflict with regulations on export in the countries or regions where such cryptography is provided.

Compliance with security policies and standards

Business service providers need to ensure that there are procedures in place to ensure compliance with the security terms contained in the service agreements (SLAs, MLAs, BAAs).

Technical Compliance Review

Businesses should confirm that the information related to technical compliance checking provided by the cloud service provider will satisfy their technical compliance requirements. When the cloud provider does not satisfy the cloud service customer's technical compliance policy, businesses should reconsider the use of the cloud service.

Demarcation of responsibility

Businesses should identify and manage the support contact and the customer contact of the cloud service provider.
Businesses should review the proposed demarcation of information security responsibilities and confirm whether they can accept the responsibilities of both parties in the contract.
Protection of Virtual Environment

Businesses should identify the controls in place by the cloud service provider to ensure that access to the business's instance is not executable from another cloud service customer or from unauthorized users, so that segregation of virtual environments is ensured. This segregation should be strictly preserved regardless of physical configurations or physical migration of virtual assets.
Businesses should request that an operation log be kept by the cloud service provider and stored, to clarify the boundary of responsibility.

Cooperation of configurations between virtual and physical network

Businesses should request a configuration manual based on the virtualized security policy.

Information security incident management

Businesses should verify the distribution process for information about severe information security incidents by the cloud service provider, and be able to acquire that information accurately and quickly.
Businesses should notify the cloud service provider, and have the information needed to avoid the effects of the incident, when the business has confirmed that an incident occurred in the cloud computing environment.
Information security risk related cloud computing

Threats to business unit

1. Loss of governance: in public cloud deployments, customers cede control to the cloud provider over a number of issues that may affect security, while the service level agreements may not offer a commitment to provide sufficient security.
2. Responsibility ambiguity: ambiguity exists between the business and the cloud provider on who must control security. Most cloud providers supply a division of responsibilities, and because of this split between the customer and the provider, gaps may exist in the environment and should be fully vetted.
3. Isolation failure: with the shared resource and multi-tenancy characteristics of cloud computing, a higher than normal risk exists regarding coverage of the usage of data.
4. Vendor lock-in: this security dependency lies within the proprietary services of any one particular cloud service provider, which could lead to the cloud service customer being tied to that provider. Services that do not support portability of applications and data to other providers increase the risk of data and service unavailability.
5. Compliance and legal risks: investment in achieving certification or compliance may be put at risk by migration to cloud computing if the cloud service provider cannot provide evidence of its own compliance with relevant requirements, or if the cloud provider does not permit audit by the business unit. It is the responsibility of the business to be clear about the division of security responsibilities between the customer and the provider, and to ensure that the business unit's responsibilities are handled appropriately when using cloud services.
6. Handling of security incidents: the detection, reporting and subsequent management of security breaches is a concern for the business unit, which relies on the cloud provider to handle breach matters.
7. Management interface vulnerability: customer management interfaces of a public cloud provider
8. Data protection: cloud computing poses several data protection risks for cloud customers. The major point to consider is exposure or release of sensitive data, but the risks also include loss or unavailability of data. In most cases it will be a challenge to check the data handling practices of the cloud provider.
9. Malicious behavior of insiders: damage caused by malicious actions from within the cloud provider can be substantial, given the access and authorizations insiders may have. This is of course increased within a cloud computing environment. This kind of activity could occur with or without the knowledge of the business unit.
10. Business failure of the provider: in disaster recovery, if the cloud provider fails to recover from a disaster, this could render data and applications unavailable to the business unit.
11. Service unavailability: a host of factors, from equipment or software failures in the provider's data center to failure of communication between the business's systems and those of the cloud provider, can cause unavailability.
12. Migration and integration failures: migrating to cloud services may involve moving data and applications from the customer environment to the provider environment with associated configuration changes (e.g., network addressing). Migration of part of the business unit's infrastructure to a cloud service provider may require substantial changes in the infrastructure design. The same issues follow with the migration of applications and data.
13. Evolutionary risks: the business should be aware that a cloud service provider that has passed the security assessment during the acquisition phase might have new vulnerabilities introduced during its lifetime due to changes in software components.
14. Cross border issues: the business should be aware that the location of the service provider might prevent its ability to meet regulatory requirements due to cross border issues.
15. Insecure or incomplete data deletion: requests to delete cloud resources, when a customer terminates the use of a cloud service with a provider, may not result in complete deletion. It is important that the business be aware of where all data rests and how it is disposed of; it is quite possible that cloud provider hardware will retain data that had been deleted, so that artifacts remain.