By Becky Swain, Director of Standards Development, HITRUST
Recognizing who is responsible for what plays an important role in society. For example, knowing the rules of the road can prevent a car accident; understanding your coach’s playbook can lead to a play’s perfect execution on the field, scoring the game-winning goal; or grasping the right Tango dance moves to stop stepping on your dance partner’s shoes. You get the point.
Protecting your data and digital assets in the cloud is not that different. With the evolution of cloud innovation, a very complex and comingled ecosystem of service providers, solution partners, and consumers emerged. This environment has significantly blurred the lines of security and privacy control ownership with no clear direction on who should be responsible for what. The lack of ownership created a new cloud security risk in which bad actors more aggressively seek to exploit complexity, finding security cracks in the system where somebody failed to do their part in securing the cloud environment. This would be your classic finger-pointing, where one party assumes the other has it covered but, in reality, they don’t.
To illustrate my point, let’s say you are using a PaaS cloud service to build and deploy a new web or mobile application. And let’s just say that you deserve kudos for implementing robust security controls and regularly patching any vulnerabilities. Shouldn’t that be good enough? Unfortunately, it is not nearly enough. What about the underlying cloud network infrastructure that is hosting your application to give it life? What assurances do you have from your PaaS provider that they are undertaking all the right security procedures to prevent an Internet-facing vulnerability exploit that could cause a security breach, impacting your application and all your customers? Taking it further, let’s say there was, in fact, a security breach reported by this same PaaS provider that not only affected you, but also other tenants. What arrangements have you made with your PaaS provider to participate in the breach response process to triage, investigate, and resolve the breach as quickly as possible and to keep your own customers informed?
The answer to all these questions boils down to one thing: you must have proactive conversations about risk with your cloud service provider from the beginning. You cannot leave anything to chance, especially when it comes to who is responsible for what, where, when, and how. Compliance, assurance, and risk professionals inherently know that details matter—and the devil is always in the details.
This all seems sensible, right? Well, in theory, yes, but in practice, it’s a whole different story. It’s not just about accepting that responsibility is shared, it is having the right path to make it happen. This is where HITRUST’s Shared Responsibility Program comes into play. Shared Responsibility removes the guesswork, ambiguity, and confusion in understanding the roles and responsibilities between the customer and the cloud service provider. This program lays the groundwork for your cloud activities by capitalizing on HITRUST’s established expertise in managing information risk and protecting sensitive information, whether in the cloud or not, with much more clarity and efficiency.
HITRUST launched the Shared Responsibility Program back in 2018 as a strategic business priority to address growing misunderstandings, risks, complexities, and assurance inefficiencies when leveraging cloud service providers. The primary objectives of the program were to help clarify roles and responsibilities regarding ownership and operation of security and privacy controls shared with cloud service providers, and to support automation and streamlining of the assurance process when inheriting controls. With support from a working group of cloud industry experts, the first major milestone has been met with the Version 1.0 general availability release of the HITRUST Shared Responsibility Matrix™, with full cross-compatibility support for HITRUST CSF® Versions 9.1, 9.2, and 9.3.
This first release includes two versions for download: 1) a publicly-accessible control summary version which is now included in the HITRUST CSF Version 9.3 download package, and 2) a subscriber-only full version which can be downloaded via the new “References” landing page within the HITRUST MyCSF® portal.
The following table provides tab-specific information and features associated with the two versions of the Shared Responsibility (SR) Matrix:
Stay tuned for the next series of blog posts on the progress of the Shared Responsibility Program and Matrix. We are in the process of seeking participants for our Shared Responsibility Early-Adopter Program; if you are interested, you can find more information here or contact Support@hitrustalliance.net