Snowflake and AWS Inheritance

Written by HITRUST | Mar 3, 2024 4:03:38 AM

Inheritance is critical for demonstrating a comprehensive security posture

When organizations assess their security maturity — as well as those of their downstream customers and upstream vendors with which they share sensitive data — the use of Control Inheritance plays a critical role. It allows cloud platform customers to inherit the security controls of their cloud providers, and customers of the cloud-enabled applications can do the same. Inheritance also saves substantial time and effort when a company needs to provide assurances of its cloud environment to customers and vendors.
A cloud platform customer (such as an application service provider) that inherits security controls can put those controls into action. For example, the company can adapt how it defines internal security policies, applies additional controls to cover gaps in the IT environment, and conducts security assessments. This, in turn, impacts how the company builds applications and communicates the security posture of those products to the executive team.
With a strong security posture automatically built into applications provisioned via the cloud, the company can more rapidly onboard customers and vendors, which will impact the success of the business. It is also possible to reduce internal resource time and costs spent on security audits, which leaves more time to develop innovative applications that feature strong security as a competitive differentiator. The company can then more quickly generate business value by deploying applications sooner and demonstrating the security posture to their customers.
Snowflake and AWS collaborate to demonstrate security controls

A prime example of the power of inheritance is the collaborative effort between Snowflake and Amazon Web Services (AWS). Snowflake provides an integrated platform for data storage and analytics to customers and needs to meet many compliance requirements, including HIPAA for customers who are Covered Entities and Business Associates in the healthcare sector.
The Snowflake service runs on top of the AWS cloud

As Covered Entities and Business Associates upload sensitive data into the Snowflake platform, they benefit both from the AWS security controls that Snowflake inherits and from the application-specific security controls that Snowflake itself has implemented.

When Covered Entities share their sensitive data with third-party Business Associates, both types of organizations benefit from inheritance. The controls applied by Snowflake and AWS essentially flow across the entire IT ecosystem of organizations that access data processed by the Snowflake platform.
HITRUST Framework (HITRUST CSF) and MyCSF play vital role

As Snowflake and AWS have collaborated in documenting the security posture of the Snowflake service running on the AWS platform, the key solutions for facilitating this effort are the HITRUST Framework (HITRUST CSF) and HITRUST MyCSF. The framework provides a comprehensive, flexible, scalable, and efficient approach to risk management and compliance with many regulations and standards covering multiple industries and government jurisdictions.
Using the HITRUST Framework (HITRUST CSF), Snowflake can easily rationalize regulations and standards into a single security, privacy, and risk management framework. “Using the HITRUST Framework (HITRUST CSF) and working with an independent assessment auditor gave us the guidance to elevate our security posture to the highest certification level in about six weeks,” says Mario Duarte, VP of Security at Snowflake. “On our own, it might have taken us 12-18 months. The accelerated timeline was critical because many of our customers in the healthcare industry require their vendors to have HITRUST certification.” 
The HITRUST MyCSF tool provides Snowflake with a SaaS solution for performing risk assessments and corrective action plan management — including enhanced benchmarking and dashboards as well as integration with major GRC platforms. MyCSF also supports evolving assessment needs that align with managing risk in the changing cyber threat, information risk, and global regulatory landscape.
Hector Rodriguez, an Executive Security Advisor at AWS, values the common language and common framework that the HITRUST Framework (HITRUST CSF) and MyCSF give the cloud provider and its customer ecosystems. “HITRUST certification reports present results in the same way, which builds trust with our customers that can be quantified, audited, and documented,” Rodriguez says.

Enabling IT ecosystems to speak the same language

Snowflake and AWS also rely on the HITRUST Shared Responsibility and Inheritance Program. The program includes the HITRUST Shared Responsibility Model (SRM), the first commonly accepted model for sharing security control responsibility in the cloud between service providers and customers.

The model enables AWS and Snowflake to communicate security and privacy assurances for the controls associated with the AWS services that Snowflake uses. This happens without having to fill out stacks of spreadsheets or get on the phone (or worse, a plane) to talk through what the scope is, what has been implemented, where responsibility is shared, and where potential gaps exist.

Instead, the HITRUST Shared Responsibility and Inheritance Program gives Snowflake guidance on the delineation of control ownership, including clarifying partially shared controls, across the full scope of the Snowflake solution. The model simplifies the Snowflake assurance process by streamlining control inheritance while also promoting full awareness and managing risk.
“Ecosystems speaking the same language when it comes to security, privacy, and compliance is critical, and control inheritance plays a big part,” says Rodriguez. “When our customers inherit our controls and can demonstrate these controls to their customers, we’ve eliminated a lot of the legwork effort for them. We’ve also made it easier for their customers to quickly adopt our cloud environment so our customers can focus on their core mission.”

“Traditionally, cloud customers had to solve this themselves — building the framework and making sure it’s auditable and trustworthy. With us, and our customers like Snowflake, using the HITRUST Framework (HITRUST CSF), end-user customers don’t have to do that anymore,” Rodriguez said.

Inheritance reduces burden on IT and security

The HITRUST Framework (HITRUST CSF) proves particularly beneficial when Snowflake customers require proof that Snowflake is compliant in the cloud for the AWS services that Snowflake uses — like EC2, S3, and EKS. Since AWS is HITRUST-compliant and shares its compliance status with Snowflake through the HITRUST inheritance capabilities, Snowflake can then easily demonstrate its compliance posture to customers.
“AWS has developed a well-documented and validated process that’s driven by policies,” says Duarte. “Each policy maps to one or more controls, and through the HITRUST inheritance capability, we can show our customers that those controls are in place.”

This capability eliminates the need for Snowflake to answer hundreds of customer questions about Snowflake’s AWS cloud controls. Whereas a security questionnaire requires an extensive manual process and often does not produce clear results, HITRUST assessments quickly and clearly communicate extensive reporting on the efficacy of security controls. This reduces the burden on AWS, Snowflake, and customer IT and IS resources — while also making it possible for customers to engage sooner with Snowflake services running on AWS.

A comprehensive approach to control assessment and risk management maturity

The HITRUST certification process goes beyond other certifications and assessments that merely identify if specific security controls are implemented. “The independent assessors look for proof that controls are operating properly and if there’s a documented process that’s being followed,” says Duarte. “Assessors also look to see if each process is repeatable, automated, and scalable. This shows how mature each control is — which is critical whether we’re assessing our own controls or when a customer is assessing our controls.”
Snowflake can also leverage the HITRUST Framework (HITRUST CSF) when onboarding vendors. Rather than exchanging security audit questionnaires that tax internal IT/IS teams, both parties can simply exchange HITRUST certification reports via the HITRUST Assessment XChange and the HITRUST Results Distribution System. Vendors can see the security controls Snowflake has inherited from AWS as well as the controls Snowflake has deployed. Snowflake can do the same with respect to cloud service providers used by vendors and the controls vendors have deployed.
The chain connecting the ecosystem’s security posture together does not end with Snowflake and its customers. Businesses using Snowflake to build their own applications and to drive their own business decisions may also be bound to regulatory and industry compliance and reporting.

With the HITRUST Shared Responsibility and Inheritance Program, Snowflake customers can inherit the Snowflake controls, which in turn inherit the AWS controls. This gives Snowflake the ability to demonstrate an ecosystem-wide view of its security and risk management posture relative to the control sets required by each regulation, standard, and policy to which Snowflake must adhere.

The HITRUST Framework (HITRUST CSF) thus gives entire ecosystems confidence, knowing the certification process is comprehensive and identifies where any security gaps exist. This allows organizations to discuss with each other how they plan to close those gaps. By doing this, according to Duarte, the HITRUST model addresses one of the biggest pain points that many CISOs talk about.

“Many security teams achieve multiple certifications — SOC, ISO, PCI, HIPAA, FedRAMP — but it’s not enough,” Duarte points out. “Customers still want to meet with vendors to do more testing or ask more questions. We do the same thing with our vendors who are not HITRUST certified.”
“The problem is, we all do it differently — asking questions in slightly different ways. Conversely, our customers understand the value of the HITRUST compliance programs. There’s more trust, and customers have fewer questions. Any time you save time and effort in verifying security postures, it’s an advantage to customers and vendors, and ultimately, the end-users,” Duarte concluded.

Benefits for entire service provider, customer, and vendor ecosystems

“With AWS having achieved HITRUST certification, our customers can inherit 80% or more of the security controls we have implemented for the architecture of their cloud environment,” says Rodriguez. “That inheritance also comes with control monitoring and visibility so our customers’ customers can understand and trust just how strong the security posture of the environment is.”
Adds Duarte, “You can determine how impactful any security gaps are on systems that process sensitive data. This is particularly helpful in cases where a company has recently acquired another company. The HITRUST Framework (HITRUST CSF) helps gain a full understanding of the security posture within the IT infrastructure of that acquisition.”
When considering the value of a HITRUST certification and its complementary services, it is clear that Rodriguez and Duarte look beyond the internal capabilities to see how entire service provider, customer, and vendor ecosystems also benefit.
About Snowflake

Snowflake enables every organization to mobilize their data with Snowflake’s Data Cloud. Customers use the Data Cloud to unite siloed data, discover and securely share data, and execute diverse analytic workloads. Wherever data or users live, Snowflake delivers a single data experience that spans multiple clouds and geographies. Thousands of customers across many industries, including 241 of the 2021 Fortune 500 and 488 of the 2021 Forbes Global 2000 (G2K) as of January 31, 2022, use Snowflake Data Cloud to power their businesses.
Learn more at snowflake.com.
About AWS

For over 15 years, Amazon Web Services has been the world’s most comprehensive and universally adopted cloud offering. AWS has been continually expanding its services to support virtually any cloud workload, and it now has more than 200 fully-featured services. Millions of customers — including the fastest-growing startups, largest enterprises, and leading government agencies — trust AWS to power their infrastructure, become more agile, and lower costs.
Learn more at aws.amazon.com.
All product names, logos, and brands are property of their respective owners and used for identification purposes only, and are in no way associated or affiliated with HITRUST. Use of these names, logos, and brands does not imply endorsement.