By Matthew Datel, Director of Education and Strategic Initiatives and Becky Swain, Director, Standards Development, HITRUST
Since September 2018, the 21 members of the HITRUST Shared Responsibility Working Group* have been doing some heavy lifting. They’ve been focused on enhancing the HITRUST CSF® controls that relate to Infrastructure as a Service (IaaS) offerings as part of the HITRUST Shared Responsibility Program.
You’ll recall that last year HITRUST introduced the Shared Responsibility Program to address the misunderstandings, risks, inefficiencies and complexities that arise when utilizing Cloud Service Providers (CSPs). As part of the announcement, a working group composed of leading cloud service providers and professional service firms was created to help map the respective control operation responsibilities of customers and CSPs.
A focus of the Shared Responsibility Working Group is to remove the ambiguity and confusion associated with defining the roles and responsibilities of a customer and their CSP for shared security controls, and to streamline the assurance process through automated control inheritance and review.
And they’ve been making progress.
So far, the working group has collaborated on each of the 1,830 HITRUST CSF® control requirements and organized them into three specific classifications of responsibility: 1) the customer’s responsibility (covering 1,537 of the controls); 2) the CSP’s responsibility (132); and 3) shared responsibility between customer and CSP (161). For the 161 shared controls, HITRUST and the working group are creating illustrative guidance that defines how the controls can be shared and properly assessed, which will provide much-needed guidance to both customers and their HITRUST CSF Assessors.
“The working group wanted to ensure the matrix outlines data governance, information risk management, and regulatory compliance requirements in clear, concise language,” says working group member Blaise Wabo, senior manager with assessor firm A-LIGN. “We’ve achieved this because organizations and their cloud providers have raised their hands to say, ‘this is a critical issue that needs to be addressed’.”
Organizations, businesses and governments around the world employ cloud service providers in many parts of their supply chains, and the complex relationships between supplier and customer add to the ambiguity over which organization is responsible for securing which information, and where, when and how.
The working group’s recommendations will address and improve the inefficient and complex status quo relationship between many organizations and their CSPs, but the underlying issue is clear: across all industries and sectors there are misconceptions and misunderstandings about ‘who is responsible for what’ when organizations leverage cloud services and share and store information with cloud providers.
There are various permutations: the cloud provider is responsible for the entire operation of the control; the organization retains responsibility for a portion of the control while the remaining implementation requirements are inherited from its cloud provider; or the customer retains all responsibility for the operation of the control.
Wabo said the Shared Responsibility Program is also designed to ease contract negotiations between an organization and a potential cloud service provider by providing clear guidance regarding inherited responsibility and shared responsibility. In addition, a vendor- or service-specific matrix can be used as a tool to ensure alignment where shared responsibility occurs for an organization’s infrastructure, which generally consists of servers, firewalls, routers or any infrastructure managed services.
The IaaS portion of the Shared Responsibility mappings and matrix is the first deliverable of the working group. The responsibility for, and the associated risk of, control failure by CSPs is being broken into the three parts of the Shared Responsibility triangle: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).
Ultimately, the three aspects of the Shared Responsibility Program will converge to provide a complete guide for companies using IaaS, PaaS and SaaS cloud providers. The program will enable organizations and their CSPs to better understand their roles and responsibilities regarding ownership and operation of controls to meet security, privacy and compliance objectives. These risks continue to grow because covered entities do not always fully understand their responsibilities, and because assessing security control effectiveness becomes more complex and costly when control responsibility is shared.
“Organizations must have these discussions with their cloud service providers to ensure everyone is on the same page,” says working group member Bob Smith, senior manager of security compliance at Salesforce. “The matrix will make those conversations much easier and serve as a guide to ensure every party knows what is required of them to ensure all steps are taken to protect information to the best of our ability.”
The working group will continue to classify controls for PaaS and SaaS as well, to complete all three sides of the Shared Responsibility triangle. The completed Shared Responsibility Matrix will also allow organizations to streamline the assurance process when security controls are inherited or shared. HITRUST is working to enhance the CSF Assurance methodology to provide additional guidance to CSF Assessor organizations in performing their review when assessments include shared controls. In addition, HITRUST will be incorporating additional automation in the MyCSF tool so that organizations can directly leverage HITRUST Validated Assessment scores and results from their CSPs. This is another example of the comprehensive and flexible services available through the HITRUST Approach.
*Some of the leading organizations participating on the Shared Responsibility Working Group include Microsoft Azure, Salesforce, SAP, Google, Armor, OnRamp, EvolveIP, Cisco, Datica, and Rackspace.
Details about the program and the working group are available on the HITRUST website at: https://hitrustalliance.net/hitrust-shared-responsibility-program/