Using Control Inheritance, Snowflake and AWS Leverage the HITRUST CSF to Streamline the Process for Ensuring Strong Information Security
Inheritance Is Critical for Demonstrating a Comprehensive Security Posture
When organizations assess their security maturity — as well as that of the downstream customers and upstream vendors with which they share sensitive data — the use of control inheritance plays a critical role. It allows cloud platform customers to inherit the security controls of their cloud providers, and customers of the cloud-enabled applications can do the same. Inheritance also saves substantial time and effort when a company needs to provide assurances of its cloud environment to customers and vendors.
A cloud platform customer (such as an application service provider) that inherits security controls can put those controls into action. For example, the company can adapt how it defines internal security policies, applies additional controls to cover gaps in the IT environment, and conducts security assessments. This in turn impacts how the company builds applications and communicates the security posture of those products to the executive team.
With a strong security posture automatically built into applications provisioned via the cloud, the company can more rapidly onboard customers and vendors, which will impact the success of the business. It is also possible to reduce internal resource time and costs spent on security audits, which leaves more time to develop innovative applications that feature strong security as a competitive differentiator. The company can then more quickly generate business value by deploying applications sooner and demonstrating the security posture to their customers.
What is Inheritance?
Inheritance is a unique capability in the HITRUST MyCSF platform that enables organizations to rely on inherited scores and results of shared controls from a prior HITRUST Validated Assessment.
There are two types of inheritance:
- Enables organizations to rely on inherited assessment results and scores of shared controls from a HITRUST Validated Assessment that has been published/enabled for External Inheritance by their hosting, cloud, or service providers.
- Enables organizations to inherit their own assessment results and scores from a previously completed HITRUST Validated Assessment, previously completed self-assessment, or a self-assessment still in process.
By minimizing the need for duplicative direct controls testing and documentation, inheritance delivers three key benefits:
- Saves time
- Reduces effort
- Cuts costs
Snowflake and AWS Collaborate to Demonstrate Security Controls
A prime example of the power of inheritance is the collaborative effort between Snowflake and Amazon Web Services (AWS). Snowflake provides an integrated platform for data storage and analytics to customers and needs to meet many compliance requirements, including HIPAA for customers who are Covered Entities and Business Associates in the healthcare sector.
The Snowflake Service Runs on Top of the AWS Cloud
As Snowflake Covered Entities and Business Associates upload sensitive data into the Snowflake platform, they benefit from the AWS security controls that Snowflake inherits as well as the app-specific security controls Snowflake has implemented.
When Covered Entities share their sensitive data with third-party Business Associates, both types of organizations benefit from inheritance. The controls applied by Snowflake and AWS essentially flow across the entire IT ecosystem of organizations that access data processed by the Snowflake platform.
HITRUST CSF and MyCSF Play Vital Role
As Snowflake and AWS have collaborated in documenting the security posture of the Snowflake service running on the AWS platform, the key solutions for facilitating this effort are the HITRUST CSF and HITRUST MyCSF. The CSF framework provides a comprehensive, flexible, scalable, and efficient approach to risk management and compliance with many regulations and standards covering multiple industries and government jurisdictions. Using the HITRUST CSF, Snowflake can easily rationalize regulations and standards into a single security, privacy, and risk management framework.
“Using the HITRUST CSF and working with an independent assessment auditor gave us the guidance to elevate our security posture to the highest certification level in about six weeks,” says Mario Duarte, VP of Security for Snowflake. “On our own, it might have taken us 12-18 months. The accelerated timeline was critical because many of our customers in the healthcare industry require their vendors to have HITRUST Certification.”
The HITRUST MyCSF tool provides Snowflake with a SaaS solution for performing risk assessments and corrective action plan management — including enhanced benchmarking and dashboards as well as integration with major GRC platforms. MyCSF also supports evolving assessment needs that align with managing risk in the changing cyber threat, information risk, and global regulatory landscape.
Hector Rodriguez, an Executive Security Advisor at AWS, appreciates that the HITRUST CSF and MyCSF have created a common language and a common framework that enables the cloud provider and its customer ecosystems to speak the same language. “HITRUST Certification reports present results in the same way, which builds trust with our customers that can be quantified, audited, and documented,” Rodriguez says.
Enabling IT Ecosystems to Speak the Same Language
Snowflake and AWS also rely on the HITRUST Shared Responsibility Model and Inheritance Program. The program includes the HITRUST Shared Responsibility Model (SRM), the first commonly accepted model for sharing security control responsibility in the cloud between service providers and customers.
The model enables AWS and Snowflake to communicate security and privacy assurances relating to the controls associated with the AWS services that Snowflake uses. This occurs without having to fill out a bunch of spreadsheets or get on the phone (or worse, a plane) to talk through what the scope is, what has been implemented, where the responsibility is shared, and where potential gaps exist.
Instead, the HITRUST Shared Responsibility and Inheritance Program gives Snowflake guidance on the delineation of control ownership, including clarifying partially shared controls, across the full scope of the Snowflake solution. The model simplifies the Snowflake assurance process by streamlining control inheritance while also promoting full awareness and managing risk — a process referred to as Assess Once, Inherit Many.
“Ecosystems speaking the same language when it comes to security, privacy, and compliance is critical, and control inheritance plays a big part,” says Rodriguez. “When our customers inherit our controls and can demonstrate these controls to their customers, we’ve eliminated a lot of the legwork effort for them. We’ve also made it easier for their customers to quickly adopt our cloud environment so our customers can focus on their core mission.”
“Traditionally, cloud customers had to solve this themselves — building the framework and making sure it’s auditable and trustworthy. With us, and our customers like Snowflake using the HITRUST CSF, end-user customers don’t have to do that anymore,” Rodriguez said.
Inheritance Reduces Burden on Information Technology and Security
The HITRUST CSF proves particularly beneficial when Snowflake customers require proof that Snowflake is compliant in the cloud for the AWS services that Snowflake uses — like EC2, S3, and EKS. Since AWS is HITRUST compliant and shares its compliance status with Snowflake through the HITRUST inheritance capabilities, Snowflake can then easily demonstrate its compliance posture to customers.
“AWS has developed a well-documented and validated process that’s driven by policies,” says Duarte. “Each policy maps to one or more controls, and through the HITRUST inheritance capability, we can show our customers that those controls are in place.”
This capability eliminates the need for Snowflake to answer hundreds of customer questions about Snowflake’s AWS cloud controls. Whereas a security questionnaire requires an extensive manual process and often does not produce clear results, HITRUST assessments quickly and clearly communicate extensive reporting on the efficacy of security controls. This reduces the burden on AWS, Snowflake, and customer IT and IS resources — while also making it possible for customers to engage sooner with Snowflake services running on AWS.
A Comprehensive Approach to Control Assessment and Risk Management Maturity
The HITRUST Certification process goes beyond other certifications and assessments that merely identify if specific security controls are implemented. “The independent assessors look for proof that controls are operating properly and if there’s a documented process that’s being followed,” says Duarte. “Assessors also look to see if each process is repeatable, automated, and scalable. This shows how mature each control is — which is critical whether we’re assessing our own controls or when a customer is assessing our controls.”
Snowflake can also leverage the HITRUST CSF when onboarding vendors. Rather than exchanging security audit questionnaires that tax internal IT/IS teams, both parties can simply exchange HITRUST CSF Certification reports via the HITRUST Assessment XChange and the HITRUST Results Distribution System. Vendors can see the security controls Snowflake has inherited from AWS as well as the controls Snowflake has deployed. Snowflake can do the same with respect to cloud service providers used by vendors and the controls vendors have deployed.
The chain connecting the ecosystem’s security posture together does not end with Snowflake and its customers. Businesses using Snowflake to build their own applications and to drive their own business decisions may also be bound to regulatory and industry compliance and reporting.
With the HITRUST Shared Responsibility and Inheritance Program, Snowflake customers can inherit the Snowflake controls, which also inherit the AWS controls. This allows Snowflake to demonstrate an ecosystem-wide view of its security and risk management posture relative to the control sets required for each regulation, standard, and policy to which Snowflake must adhere.
The HITRUST CSF thus gives entire ecosystems confidence, knowing the certification process is comprehensive and identifies where any security gaps exist. This allows organizations to discuss with each other how they plan to close those gaps. By doing this, the HITRUST model addresses one of the biggest pains a lot of CISOs talk about, according to Duarte.
“Many security teams achieve multiple certifications — SOC, ISO, PCI, HIPAA, FedRAMP — but it’s not enough,” Duarte points out. “Customers still want to meet with vendors to do more testing or ask more questions. We do the same thing with our vendors who are not HITRUST Certified.”
“The problem is, we all do it differently — asking questions in slightly different ways. Conversely, our customers understand the value of the HITRUST compliance programs. There’s more trust, and customers have fewer questions. Any time you save time and effort in verifying security postures, it’s an advantage to customers and vendors, and ultimately, the end-users,” Duarte concluded.
Benefits for Entire Service Provider, Customer, and Vendor Ecosystems
“With AWS having achieved HITRUST Certification, our customers can inherit 80% or more of the security controls we have implemented for the architecture of their cloud environment,” says Rodriguez. “That inheritance also comes with control monitoring and visibility so our customers’ customers can understand and trust just how strong the security posture of the environment is.”
Adds Duarte, “The HITRUST CSF gives you a roadmap to strengthen your internal security controls and to evaluate a vendor’s controls. You can also determine how impactful any security gaps are on systems that process sensitive data. This is particularly helpful in cases where a company has recently acquired another company. The HITRUST CSF helps gain a full understanding of the security posture within the IT infrastructure of that acquisition.”
When considering the value of a HITRUST Certification and its complementary services, it is clear that Rodriguez and Duarte look beyond the internal capabilities to see how entire service provider, customer, and vendor ecosystems also benefit.