Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP)

Transcription

1 Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP) May 16, 2016

2 Speakers Ron Moser, Managing Director, Moserhaus Consulting, LLC and Sr. Consultant, EHNAC Scott Paddock, Security Solutions Architect, Amazon Web Services Kurt Hagerman, Chief Information Security Officer, Armor Defense, Inc. Scott Schimpf, Vice President of Technology, Alpha II, LLC

3 Agenda Introduction Cloud Service Providers (CSPs): Assumptions versus realities Security Framework: Creating a methodology for identifying risk Privacy and Security: Who is responsible for what? Assessment: Completing the Risk Assessment and identifying controls Audit: Value of third party audits Q & A

4 Agenda Introduction Cloud Service Providers (CSPs): Assumptions versus realities Security Framework: Creating a methodology for identifying risk Privacy and Security: Who is responsible for what? Assessment: Completing the Risk Assessment and identifying controls Audit: Value of third party audits Q & A

5 Case Study: EHNAC Electronic Healthcare Network Accreditation Commission An independent 501(c)(6) not-for-profit agency Voluntary, self-governing standards development organization (SDO) Accreditation programs for organizations that electronically exchange healthcare data including: EHNs, HIEs, ACOs, MSOs, TPAs, HISPs, eprescribing, EPCS, HISPs, Financial Services, Medical Billers, and others

6 The Demand for Cloud Computing 83% Of Healthcare Organizations Are Using Cloud-Based Apps Today (HIMSS) The bulk of new IT spending by 2016 will be for cloud computing. (Gartner) Nearly ½ of large enterprises will have cloud deployments by EOY 2017 (Gartner) Money talks. (Anon.)

7 EHNAC Support for CSPs CSPs supported using a primarily risk-based approach Controls identified that must be met Responsibility for controls must be identified (client/csp/both) Proof of compliance with each control must be demonstrated For those controls under CSP responsibility, FedRAMP and SOC 2 audits may be referenced and cross-mapped FedRAMP will be accepted in lieu of physical site visits CEAP Program developed through advisory team of CSP experts

8 Agenda Introduction Cloud Service Providers (CSPs): Assumptions versus realities Security Framework: Creating a methodology for identifying risk Privacy and Security: Who is responsible for what? Assessment: Completing the Risk Assessment and identifying controls Audit: Value of third party audits Q & A

9 The Winding Road to Security & Compliance In the Cloud

10 Security & Compliance as a Journey Achieving and maintaining a truly secure posture and meeting your compliance obligations is an ongoing, living process that involves much more than just technology: Governance Risk Management People Processes Technology 1. It s difficult to do it right by yourself 2. No single service provider has a complete solution 3. Vendors over simplify the requirements to sell their services as a silver bullet

11 Challenges Facing Cloud Consumers and Providers Consumers want to outsource both technology and security & compliance responsibilities Consumers cannot completely offload their responsibilities Providers may not adequately define the division of responsibilities between themselves and their customers Providers often do not clearly articulate what security they take on or how they help customers meet compliance requirements All can lead to confusion in the purchasing decision and create conflicts during an audit

12 NIST Cloud Model Definitions Five Essential Characteristics On-demand self-service Broad network access Resource pooling Rapid elasticity Measured Service Three Service Models Cloud Software as a Service (SaaS) Cloud Platform as a Service (PaaS) Cloud Infrastructure as a Service (IaaS) Four Deployment Models Private cloud Community cloud Public cloud Hybrid cloud

13 Security & Compliance Responsibility Your responsibilities, and those of your cloud vendor, vary based on the model offered by the vendor. Security & Compliance THEM Security & Compliance YOU Applications & Data Middleware APIs Facilities, Hardware & Abstraction Infrastructure as a Service Infrastructure as a Service Platform as a Service Infrastructure as a Service Platform as a Service Software as a Service

14 Security & Compliance Responsibility IAAS Providers: AWS, Azure, Rackspace, SoftLayer, etc. Only provide security for the underlying infrastructure Compliance attestations only apply to underlying infrastructure with minimal leverage available to customer servers Customer owns nearly 100 percent of the compliance responsibility PAAS Providers: AWS (Elastic Beanstalk), Salesforce (Force.com), CloudFoundry, HP Helion Provide development tools and other building blocks for applications and secure these services Compliance attestations apply to the service with limited leverage available to customers Customer owns a majority of the compliance responsibility SaaS Providers: Salesforce, Box, Oracle, Office 365, etc. Own and secure the entire stack up through the application Any compliance attestations apply to the entire service with significant available to customers Customer owns very little of the compliance responsibility

15 Six Common Challenges 1. Identifying the division of responsibility for security and compliance between you and your cloud vendor 2. Ensuring the services your vendor is providing are properly mapped to your risk assessment 3. Getting the evidence you need for your audit 4. Obtaining objective attestation documentation from the vendor for the controls they have full or partial responsibility for 5. Monitoring ongoing compliance of your vendors 6. Receiving support from vendor during a breach event

16 A To-Do List For Cloud Consumers & Providers Consumers need to fully understand all of their security and compliance responsibilities Consumers need to effectively evaluate and understand the various cloud provider models Consumers need to ask for clear definition of all services and the division of responsibilities between them and their providers Consumers must put programs in place to ensure that their providers are meeting their responsibilities. Providers must be more transparent about their security programs and deliver adequate details about offered services Providers must clearly articulate the delineation of responsibilities between themselves and customers Providers must be clear about how their offered services can assist consumers in meeting compliance requirements

17 Agenda Introduction Cloud Service Providers (CSPs): Assumptions versus realities Security Framework: Creating a methodology for identifying risk Privacy and Security: Who is responsible for what? Assessment: Completing the Risk Assessment and identifying controls Audit: Value of third party audits Q & A

18 Risk and Governance Frameworks Helps you to identify and address the most significant issues first Promotes the efficient allocation of resources and effort Benefits in the area of organizational maturity and audit readiness No need to roll your own There are many great options available

19 Example Governance Frameworks

20 Which help certification efforts, like: Possibly helpful call out- EHNAC has accepted FedRAMP

21 Customers Security & compliance is a shared responsibility Customer applications & content Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customers are responsible for their security IN the Cloud Client-side Data Encryption Foundation Services Server-side Data Encryption Network Traffic Protection Compute Storage Database Networking Global Infrastructure Availability Zones Regions Edge Locations The cloud provider is responsible for the security OF the Cloud

22 Common questions about compliance If I sign on with a cloud provider that is certified/compliant with HIPAA/PCI/Whatever, am I then certified/complaint also? No. It s important to understand the shared nature of compliance when using any outsourcing providers How can I tell if a cloud provider is certified or compliant with a given standard or regulation? Audit reports from trusted third party attestation organizations are normally available and detail any major findings. Is compliance something that is regional, or service based? The applicability of a compliance report should define the services and locations that are in scope.

23 Agenda Introduction Cloud Service Providers (CSPs): Assumptions versus realities Security Framework: Creating a methodology for identifying risk Privacy and Security: Who is responsible for what? Assessment: Completing the Risk Assessment and identifying controls Audit: Value of third party audits Q & A

24 Introduction Alpha II, LLC Healthcare SaaS provider Claim Scrubber (over 25 million claims per month) Utilizing the cloud for over 4 years Two sites: Active/Active Configuration Two EHNAC Accreditations (HNAP-EHN 2013, DRAP 2015)

25 Topics Assessment: Completing the Risk Assessment and identifying controls Audit: Value of third party audit/review of cloud deployment

26 Assessment: Completing the Risk Assessment Completing a Risk Assessment properly is a daunting task Talk to other companies who have gone through this exercise Third Party Consultant Bite size chunks Multiple sessions to complete Involve Team members for each department Ensure the proper risk factors are considered IT, Development, Accounting, Etc. Upper Management Involvement

27 Identifying controls Be honest about your assessment This is a tool to help you mitigate risk Every company has room to improve Once the Risk Assessment is complete you can identify areas of the most significant risk and implement controls Examples Implemented a web based password repository for every user Implemented Intrusion Detection/Protection systems (IDS/IPS)

28 Audit: Value of third party audit/review of cloud deployment You do not know what you do not know Third Party Audit and Review: Helps you ask the right questions of your cloud provider Where is my data stored? Does the data ever move over seas? Who has access to the hardware? What Certifications and Accreditations do they have? And what they mean for your business Shared/Non-Shared Infrastructure

29 Audit: Value of third party audit/review of cloud deployment Security, Security, Security How Secure is my data Security Firewalls IDS/IPS Site to Site Communication Security Scans Internal and External What is their physical security like? Threat recognition and mitigation

30