By Becky Swain, Director, Standards Development
Your cloud provider is certified to comply with all the major regulations for protecting data in the cloud. That must mean your organization is also certified, right?
Not so fast! While it may be possible to leverage what your cloud service provider is doing, you need to know how and where the lines of responsibility are drawn.
There are security controls you need to apply: some on your own, and some that you share with your cloud service provider. Only then can you have confidence that your data in the cloud, as well as data you handle for customers and partners, is protected from cyber-attacks and complies with the regulations and standards for sensitive data that apply in your jurisdiction and industry.
To achieve a strong security and compliance posture in the cloud, it’s critical to take a close look at the strategies of your cloud service provider (CSP). Because some standards and regulations leave room for interpretation, you may discover that the CSP’s security controls differ from your own.
Control implementations also depend heavily on how the boundaries of the managed scope are drawn, so the CSP may have chosen alternative implementations that may or may not meet your specific needs. Alternate controls do not necessarily create a problem, but you need to be aware of them, and in some cases you may find that your CSP’s mitigating controls do not meet your requirements at all.
The difficulty in comparing your CSP’s controls with your own is that the line separating your responsibilities from the CSP’s can be unclear for any given control. That line also moves with the scope of the control and the needs of the organization, which makes it hard to line up control responsibilities with your CSP.
The Answer: The HITRUST Shared Responsibility Program
HITRUST is helping organizations and CSPs take on this challenge with its Shared Responsibility Program, expected to go live in 2020. The program was the topic of discussion at the HITRUST 2019 Conference in May for a panel titled, Shared Responsibility—Understanding How to Share Control Responsibility in the Cloud. Participating on the panel moderated by Mike Annand, Director of Customer Compliance at Armor Cloud Security, were Becky Swain, Director of Standards Development for HITRUST; Kurt Hagerman, CXO Advisor for Cyber Strategy at Coalfire; and Blaise Wabo, Associate Director for A-LIGN.
The panel members all participate in a cross-industry group that is helping to build the HITRUST Shared Responsibility Program, which will enable organizations and cloud providers to work together to protect data by defining security controls within a Shared Responsibility Matrix. The Matrix designates who is responsible for each control and which controls are shared between CSPs and customers. The program also provides a tool that automates the tracking of control responsibility, control testing, risk identification, and risk mitigation.
The panel specifically discussed how utilizing the Shared Responsibility Program will provide a major benefit to organizations because “No CSP can make you compliant,” says Hagerman. “Some of their marketing campaigns can be deceiving, prompting you to think you can leave compliance to them without any responsibility. The responsibility for compliance is the one thing that cannot be completely outsourced.”
Adds Wabo, “As a compliance assessment firm, we tell our customers they are responsible for the data that’s in their custody—even if it’s stored in a cloud managed by a service provider. It’s vital to understand what that provider is responsible for and what you are responsible for. It’s ultimately the responsibility of end-user companies to keep data secure and prove it with some sort of assessment such as HITRUST, ISO or SOC.”
Swain warns, “Assume your service provider’s compliance does not apply to you. The scope that’s been defined for a compliance certification may or may not be relevant to you and your use of that cloud service.”
Working Group Enhances Shared Responsibility Matrix
The HITRUST Shared Responsibility Working Group has been busy this past year enhancing the content of the Shared Responsibility Matrix. Major cloud providers, such as Amazon Web Services and Microsoft Azure, are also contributing to the success of the program.
The Matrix of HITRUST CSF controls lists the common set of sharable and inheritable controls, based on a specific third-party service provider’s CSF certification. A vendor- or service-specific Matrix can then be used to align customers and service providers, identifying which party is responsible for each control, and where responsibility is shared, across the controls relevant to the scope and regulation in question.
Matrix elements include recommendations for assigning responsibility for controls, together with specific requirements for shared controls, so that every aspect of control responsibility is understood when systems and services are outsourced to third parties. This lets organizations determine which controls are, or should be, entirely a third party’s responsibility, and what their own duties are for controls whose responsibility is shared.
“The Shared Control Matrix shows the responsibility of each control for the CSP and the customer,” said Wabo. “Some controls could be in one organization’s court 100%, while another control may be shared 50/50.”
The Matrix will also include assessment guidance on how evidence can be obtained and validated. A completed Matrix would then be used by a HITRUST CSF assessor as part of the HITRUST CSF assessment to ensure compliance.
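The mechanics described in this section (each step of a control assigned to one party, the resulting split for shared controls, evidence required for each step, and inheritance only where a control is wholly the provider’s and inside its certification scope) can be checked mechanically. The Python below is an added example written for this page; it is not HITRUST’s Shared Responsibility Matrix tool or its data format. The control IDs, requirement names, evidence references and certification scope are constructed for illustration.

```python
"""Constructed example: checking a shared-responsibility matrix for coverage gaps.

Not HITRUST's tool or format. Control IDs, requirement names, evidence
references and the certification scope below are made-up illustrations.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Party(Enum):
    CSP = "csp"
    CUSTOMER = "customer"


@dataclass(frozen=True)
class Requirement:
    """One implementation step of a control, owned by exactly one party.

    `evidence` references the artifact showing the step was tested (ticket,
    report ID, ...); None means nothing has been produced yet.
    """
    name: str
    owner: Party
    evidence: Optional[str] = None


@dataclass(frozen=True)
class Control:
    control_id: str
    requirements: Tuple[Requirement, ...]

    def split(self) -> Dict[Party, float]:
        """Share of the control's steps each party owns, e.g. 0.5/0.5 for a 50/50 control."""
        total = len(self.requirements)
        return {p: sum(r.owner is p for r in self.requirements) / total for p in Party}

    def classification(self) -> str:
        """'csp' or 'customer' when one party owns every step, otherwise 'shared'."""
        owners = {r.owner for r in self.requirements}
        return owners.pop().value if len(owners) == 1 else "shared"


def evaluate_control(control: Control, csp_certified: Set[str]) -> dict:
    """Decide what the customer can inherit and what remains open.

    - A CSP-owned step is covered only if the control is inside the scope of
      the CSP's certification; otherwise the customer needs assurance another
      way, so it is reported as a gap ("assume the provider's compliance does
      not apply to you" until the scope says it does).
    - A customer-owned step is covered only if evidence exists.
    - A control is inheritable only when the CSP owns all of it AND it is in scope.
    """
    in_scope = control.control_id in csp_certified
    gaps: List[str] = []
    for req in control.requirements:
        if req.owner is Party.CSP and not in_scope:
            gaps.append(f"{req.name}: CSP-owned but outside CSP certification scope")
        elif req.owner is Party.CUSTOMER and req.evidence is None:
            gaps.append(f"{req.name}: customer-owned, no evidence")
    return {
        "control_id": control.control_id,
        "classification": control.classification(),
        "split": control.split(),
        "inheritable": control.classification() == "csp" and in_scope,
        "gaps": gaps,
    }


def evaluate_matrix(controls, csp_certified: Set[str]) -> Dict[str, dict]:
    return {c.control_id: evaluate_control(c, csp_certified) for c in controls}


# Constructed sample matrix (hypothetical control IDs, not HITRUST CSF content).
SAMPLE_CONTROLS = (
    Control("PHYS-01", (
        Requirement("datacenter badge access", Party.CSP),
        Requirement("visitor logs reviewed", Party.CSP),
    )),
    Control("ENC-02", (
        Requirement("storage encryption at rest", Party.CSP),
        Requirement("customer-managed key rotation", Party.CUSTOMER, evidence="CHG-118"),
    )),
    Control("IAM-03", (
        Requirement("platform IAM service available", Party.CSP),
        Requirement("MFA enforced for admins", Party.CUSTOMER),
        Requirement("quarterly access review", Party.CUSTOMER, evidence="REV-2019Q3"),
    )),
    Control("LOG-04", (
        Requirement("hypervisor audit logging", Party.CSP),
        Requirement("guest OS log forwarding", Party.CUSTOMER, evidence="SIEM-44"),
    )),
)

# Controls covered by the CSP's certification (constructed scope; LOG-04 is outside it).
SAMPLE_CSP_SCOPE = {"PHYS-01", "ENC-02", "IAM-03"}


if __name__ == "__main__":
    for result in evaluate_matrix(SAMPLE_CONTROLS, SAMPLE_CSP_SCOPE).values():
        status = "inheritable" if result["inheritable"] else "not inheritable"
        print(result["control_id"], result["classification"], status)
        for gap in result["gaps"]:
            print("   gap:", gap)
```

In the sample, PHYS-01 is fully the provider's and in scope, so it is the only control the customer can inherit outright. ENC-02 and IAM-03 are shared; IAM-03 shows a customer-side gap (a step with no evidence). LOG-04 illustrates the warning about scope: the provider owns the hypervisor logging step, but because that control is outside the provider's certification scope, the customer cannot rely on the certification for it and must obtain assurance some other way.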
Industry Standards Add Clarity
Within the Matrix, the HITRUST Shared Responsibility Program is producing an industry-recommended baseline to clarify what it means to share control ownership. The Shared Responsibility Matrix is designed and built based on a Shared Responsibility Model, which provides a common taxonomy that enables CSPs and their customers to have a meaningful dialogue to agree on which controls are shared or not.
“Both parties can then understand what ownership of a control means and go through the control framework,” Swain said. “They can then assign ownership, see where ownership is shared, and define from an implementation and assessment perspective why there are separate responsibilities.”
The Matrix also helps with complex controls. This matters because some controls are actually aggregates of multiple controls, possibly of multiple classification types. For example, a user control (ensuring users follow user-level policy) and an organizational control (ensuring systems and applications abide by organizational-level policies) may both fall within the scope of an overarching control set, with no clear delineation between the two types inside that set.
“For one control, there might be eight things to do, but the steps may not all line up with how you manage your security program,” Hagerman said. “With the Shared Responsibility Matrix, we’re making the HITRUST CSF more absorbable and easier to understand from both the service provider and the customer perspective.”
Removing Confusion When Defining Control Responsibility
The HITRUST Shared Responsibility Program comes at a good time. Protecting sensitive information is a challenge for any organization, and more so for one that relies on third-party service providers such as a CSP. Determining who is responsible for operating each security control, and gaining assurance that both parties are operating those controls effectively, adds complexity and time-consuming effort.
The importance of the Shared Responsibility Program in taking on this challenge was underscored in a separate interview with Lee Penn, Chief Financial Officer at PDHI: “A common challenge that many organizations encounter when it comes to Shared Responsibility is the lack of visibility into the security controls that their CSP has deployed,” Penn said. “Most CSPs don’t share information regarding their security controls with their customers. This lack of transparency creates a major headache when trying to identify risk and validate mitigation controls.”
The HITRUST Shared Responsibility Program will help remove the guesswork, ambiguity and confusion that come with defining control responsibility between customers and service providers, by outlining data governance, information risk management, and regulatory compliance requirements in clear, concise language. The program is also intended to ensure that organizations and their third-party cloud providers appropriately identify and assess information security controls, allowing assurances to be shared completely and accurately among organizations, third-party service providers, and other relying parties.
“What HITRUST is doing with the Shared Responsibility Model—making it transparent and enabling organizations to inherit control compliance from CSPs—is having a major impact on the world of cybersecurity,” Penn said. “It’s creating a way for entire supply chains to collaborate closely on risk management and the related security controls in order to protect everyone’s digital assets and sensitive information.”
Due Diligence Still Required
The panel closed by noting that the HITRUST Shared Responsibility Program will not be the only tool organizations need to ensure cloud security and compliance. Any organization with applications running in the cloud must also conduct its own due diligence to understand how the CSP’s controls apply to its specific environment and organization.
“Create a strategy based on the risk: what you are willing to accept, what you can mitigate in-house with current resources, and what you can outsource to a third party,” Wabo advised. “What we are producing with the HITRUST Shared Responsibility Model is a road map that sets the tone for customers and service providers to work together to reduce the risk. But it’s not a master plan that will fit everyone’s compliance needs.”
Hagerman recommended, “Understand what you’re doing and what your use of the cloud is. Then extract from the Shared Responsibility Model the information that’s valuable to you based upon how you use the cloud and the services you are leveraging.”
Swain closed with, “Shared responsibility requires organizations to transform how customers think about the way they should be interacting with their service providers and vice versa. The HITRUST Shared Responsibility Matrix can serve as the tool to drive that analysis and facilitate conversations between CSPs and their customers.”