By Becky Swain, Director, Cloud Assurance Innovation, HITRUST

IT teams have many dynamic components of their environments to manage. This can be a big headache when trying to demonstrate the security posture of their infrastructure. Whether it's regulatory auditors or customers and vendors with which integrated systems share sensitive information, security controls have to be accurately mapped between any systems that are in scope for requiring safeguards against data exposure.

Environments that are particularly difficult to pin down are the computing infrastructures hosted by cloud service providers. Each provider has their own shared responsibility model as to the security controls they apply and what they expect.

Until around 2011, it was difficult (if not impossible) for cloud customers to get visibility into the security controls that cloud providers offered. NIST (National Institute of Standards and Technology) attempted to address this issue by providing a definition of cloud computing service models. Following up to actually give the shared responsibility model some value, the leading cloud platform providers—Amazon Web Services, Microsoft Azure, and Google Cloud Platform—began to post their shared responsibility models.

This, in turn, made it possible for cloud customers to inherit the security controls applied to their environment by their cloud providers. Cloud users could then use that inheritance to demonstrate that part of their security postures to auditors, customers, and partners.

Even with Visibility, Inheritance Required Substantial Manual Work

But inheritance was no small feat, particularly for organizations that use multiple cloud environments and have hundreds of customers and partners to whom they need to demonstrate their security posture—not to mention multiple regulatory and industry auditors.

The core of the challenge?

Each cloud provider created its own unique shared responsibility model. And there’s a lot of manual work involved in mapping a cloud provider’s security controls to an IT environment and the security requirements in play.

Traditionally, there’s even more manual work for the varying audit processes that regulators, customers, and vendors ask for. Many IT teams get caught up in poring through spreadsheets and answering hundreds of questions pertaining to their cloud providers. It’s a drain on time that takes them away from other more pressing issues alongside other core responsibilities.

Consolidating Shared Responsibility Models from Multiple Cloud Providers

To help entities take on this challenge, the HITRUST CSF abstracts the shared responsibility models of all the major cloud providers—the first and only framework to do so. Customers that leverage the HITRUST CSF can automatically consolidate the security controls inherited from each cloud provider into one framework. IT teams can then leverage that framework to create a one-to-many report that meets the security audit needs of every major compliance regulation as well as most customers and vendors.

The HITRUST Approach facilitates the many-to-many exchanges of security posture reporting that needs to take place across the increasingly complex supply chain ecosystems. Businesses and organizations can easily communicate the security posture of their cloud environment as well as their on-premises environment to their vendors and partners—all in a single audit, report, and certification.

As technologies, threats, and regulations evolve, so do auditing and reporting requirements. With greater visibility into their cloud provider’s shared responsibility model, IT teams can also more easily identify where gaps exist between the security controls of their cloud providers and their internal security controls as these factors—and many others—change. They can then take measures to close those gaps before they complete their audit. More importantly, gaps can be addressed before they are exploited by cybercriminals. After all, being secure is ultimately the goal—to fully protect internal digital assets along with digital assets belonging to customers and partners.

Streamlining the Inheritance Process

The major Cloud Service Providers (CSPs) have agreed to follow the HITRUST CSF mapping so their customers can automate security control inheritance and demonstration processes. This eliminates the need for IT teams to decipher what each cloud provider is doing with security controls and how those controls map to HIPAA, PCI DSS, GDPR, and other major regulations.

The loose mapping becomes clear and concise in the HITRUST CSF, which makes visibility and inheritance easy, repeatable, and consistent—with automated ingestion and mapping to environments for self-assessments and any assessments performed by third parties. IT can also streamline and track the process to identify security gaps and put an action plan into play to close those gaps.

The HITRUST CSF is the only security assessment solution that offers the inheritance capability for third-party assurance. The solution provides additional synergies with two complementary solutions.

The first is the HITRUST MyCSF SaaS best-best-in-class information risk management platform, which provides two inheritance mechanisms:

• External Inheritance. Enables organizations to inherit assessment results and scores from their hosting, cloud, and service providers’ assessment(s).
• Internal Inheritance. Enables organizations to inherit assessment results and scores from one of their assessments and apply them to another of their assessments.

The second complementary solution, the HITRUST Shared Responsibility Matrix (SRM), was launched in 2020 and is built upon the assurance industry’s first commonly-adopted and vendor-agnostic Shared Responsibility Model. A simplified taxonomy applies a practical methodology for asserting shared control responsibility. The model also enables qualifying external inheritance conditions based on a distinctive set of situational use-cases relevant for the full spectrum of technical and non-technical security and privacy controls offered by the HITRUST CSF.

The HITRUST SRM also provides baseline templates with pre-populated shared responsibility and inheritance for leading Cloud Services Provider platforms. The model includes more than 2,000 detailed security and privacy control requirements mapped to common regulatory and compliance frameworks. The solution also features enhanced cross-version traceability with unique identifiers. It clarifies external inheritance qualifications tied to any filtered view of the HITRUST CSF Framework control elements—objective, control, assessment domain, and requirement statement levels.

The Road to Reliable, Transparent, High-Quality Security Programs

Over time, as organizations work with their regulation auditors, customers, and vendors to request and provide information security audits, information risk management teams can use the assessments to maintain transparent, high-quality security programs. In addition to understanding each other’s security postures, using a common framework like the HITRUST CSF will enable supply chain partners to collaborate on the steps everyone needs to take to strengthen the security of their ecosystem.

And that’s what leads to collective solid security programs for supply chains—where customers, service providers, and third-party vendors all work together to protect digital assets and keep sensitive data safe.

To learn more about the Shared Responsibility Matrix and Inheritance in the cloud and how these concepts can help you communicate the strength of your security posture to your supply chain ecosystems, contact HITRUST today.

You’re Invited to Download the HITRUST CSF Free of Charge!

Follow HITRUST on X.
Follow HITRUST on LinkedIn.

About the Author

Becky Swain, Director, Cloud Assurance Innovation, HITRUST

With extensive expertise in cybersecurity, privacy supply chain assurance, and GRC frameworks, Becky Swain leads the HITRUST Shared Responsibility and Inheritance Program. Previously, she held leadership roles in cybersecurity and IT audit and compliance, working for the Big Four and Silicon Valley technology companies. As a leading contributor to cloud standards development, Swain was a founding member of the Cloud Security Alliance (CSA), co-founder and author of the CSA Cloud Controls Matrix (CCM), project co-editor of ISO/IEC 27036-1:2014, and a founding member of the exam writing committee for (ISC)2 Certified Cloud Security Professional (CCSP). Swain has been invited to speak at top tech conferences and has received numerous industry security recognitions while holding professional credentials in (ISC)2 CISSP, IAPP CIPT and CIPP/US, the AICPA CISA, and HITRUST CCSFP.