BECOME A SMARTER CLOUD CONSUMER
Ripping through the Rhetoric to Find Your Cloud & Control Your Risk
Kurt Hagerman, Chief Information Security Officer
05/18/2015
ABOUT KURT HAGERMAN
Kurt Hagerman, Chief Information Security Officer
- Expert in attaining and maintaining compliance standards, including PCI, HIPAA and ISO 27001, among others.
- Has conducted hundreds of security reviews and audits across a number of industries, including the payment space, healthcare, financial services and higher education.
Industry Leadership: Cloud Security Alliance SME Council, ISACA, CSA, ISSA
So, you've decided to explore the cloud for your PHI but are worried about HIPAA compliance.
Have you done your research and come away confused about how various cloud vendors communicate about HIPAA compliance? It's understandable given what they are saying.
Here's What They're Saying
HITRUST 2015: Become a Smarter Cloud Consumer
Are you Confused? Frustrated? I know I am.
- Outrageous statements being made
- They sound good but ring hollow
- What do they actually mean to you, the cloud consumer, and how will your vendor's stance affect your compliance?
SNAKE OIL, ANYONE?
- Vendors trivialize HIPAA compliance
- Vendors oversimplify the requirements to sell their services as a silver bullet
- HIPAA is risk-based for a reason
CONSIDER THE CLOUD MODELS
Your responsibilities, and those of your cloud vendor, vary based on the model used by the vendor.
[Diagram: ROLE CLARITY across the three models, IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service), running from "Security ~ You" at the IaaS end to "Security ~ Them" at the SaaS end]
INFRASTRUCTURE AS A SERVICE (IAAS)
Providers: AWS, Azure, Rackspace, SoftLayer, etc.
- Typically only provide security for the underlying infrastructure
- Any compliance attestations only apply to the underlying infrastructure, with no leverage available to customers
- Vendors are forced into signing BAAs, but theirs are typically weak, based on the lack of security provided to the customer
- Customer owns nearly 100 percent of the compliance responsibility
PLATFORM AS A SERVICE (PAAS)
Providers: AWS (Elastic Beanstalk), Salesforce (Force.com), IBM SmartCloud, CloudFoundry, HP Helion, etc.
- Provide development tools and other building blocks for applications, and secure these services
- Compliance attestations apply to the service, with limited leverage available to customers
- Will sign BAAs, but typically provide little liability protection, based on the limited security provided to the customer
- Customer owns a majority of the compliance responsibility
SOFTWARE AS A SERVICE (SAAS)
Providers: Salesforce, Box, Epic, Allscripts, Athena, etc.
- Own the entire stack up through the application
- Any compliance attestations apply to the entire service, with significant leverage available to customers
- BAAs are typically stronger, based on the security provided to customer data, and contain reasonable liability language
- Customer owns very little of the compliance responsibility (at least for the HIPAA Security Rule)
THE MODELS COMPARED
- IaaS and PaaS are fairly close in terms of the split of responsibility between customer and vendor (PaaS is more difficult to parse)
- Significant shift from PaaS to SaaS in terms of vendor responsibility
- Risk to your organization increases from IaaS to SaaS
IT'S NOT WHAT THEY SAY. IT'S WHAT THEY DO.
Do you know what your vendor is really doing for you?
- Do they provide information on the specific security controls that are included with their service?
- Have they mapped their services and security controls to the HIPAA/HITECH requirements?
- Does your vendor use third parties to provide services to you?
- Have they (and their third parties) been independently assessed?
- Do you know who to call when something goes wrong?
- What about the Privacy Rule and the Breach Notification Rule?
- How do I manage a compliance program with multiple vendors all providing my cloud services?
SIX COMPLIANCE CHALLENGES
1. Identifying the division of responsibility between you and your cloud vendor
2. Ensuring the services your vendor is providing are properly mapped to your risk assessment
3. Getting the evidence you need for your audit
4. Obtaining objective attestation documentation from the vendor for the controls they have full or partial responsibility for
5. Monitoring ongoing compliance of your vendors
6. Receiving support from the vendor during a breach event
BE A SMARTER CLOUD CONSUMER: CAVEAT EMPTOR
You need to deal with vendors who will be transparent about what they do and how it assists you in mitigating risk and addressing compliance requirements.
Your Vendor Should:
- Provide a clear, concise explanation of the specific security controls they include in their service and how these directly assist you in meeting your compliance obligations
- Articulate the boundaries between their responsibility and yours
- Provide documentation that backs up assertions about being HIPAA compliant, including independent audit reports that clearly state:
  - the scope of the assessment
  - the control framework used
  - how compliance can be leveraged by you
WHAT ABOUT BUSINESS ASSOCIATE AGREEMENTS?
Many vendors say they are business associate-friendly and that they will sign a BAA.
- Does their BAA include language that clearly states what services they are providing and what responsibility they are taking for security incidents?
- Do they suggest this language when reviewing yours?
Thank You. Questions?
Kurt Hagerman
Email: kurt.hagerman@firehost.com
Phone: +1 877 262 3473