How to manage risk with cloud vendors
According to a recent Forrester report on the US technology market outlook for 2016 and 2017, cloud adoption has hit a tipping point. After two years of slowing growth in 2013 and 2014, there was a 5.4 percent growth in businesses implementing cloud technology last year.
Cloud computing is no longer a matter of "if" but "how."
Along this trend of cloud adoption, a recent marketing report from Gartner found that healthcare providers are taking measured steps toward the cloud, but remain circumspect about vendor security claims.
The cloud is emerging as a business platform, fueling productivity, innovation, differentiation and competitiveness, and according to IDC, more than 90 percent of new software will be built for cloud delivery in 2015. Where traditional IT environments keep network and information assets such as applications, servers, mobile devices and storage media on premise, cloud environments allow organizations to remove the cost and burden of managing and maintaining hardware, with the added benefits of:
- Near-instant scaling and adding of resources.
- Multi-tenancy in which multiple customers and their information share applications and infrastructure.
- New kinds of services such as virtual machine hosting and development and integration services hosting.
- Utility model of consumption and allocation.
Companies are at varying stages of migrating IT to the cloud, but for most, a hybrid cloud will be the ultimate solution. In fact, 80 percent of IBM Cloud clients are building hybrid clouds, which enable them to connect and integrate any new cloud applications with the investments they already have in IT. A hybrid cloud solution eliminates the need for a business to choose between moving everything to the public cloud and keeping everything in the private cloud.
As healthcare providers continue to shift to the cloud, their IT architecture may change, but the complexion of security controls and processes does not. However, organizations should have a formal cloud vendor risk management program in place. No matter how varied or unique the cloud computing environment may be, a cloud vendor risk management program enables healthcare providers to approach information security in a consistent manner, ensuring there is consistent information on which to base decisions and actions.
The objective of the cloud vendor risk management program is to arrive at a tailored set of security controls and requirements within a cloud computing environment. A cloud vendor risk management program focuses on the processes necessary to effectively address information security controls, requirements and considerations in cloud computing solutions, services and operations through a phased lifecycle approach.
All information assets require some form of protection. The appropriate level of security should be commensurate with the value of the asset including the value of the information the asset contains, the magnitude of harm that would result from a loss of confidentiality, integrity or availability, and the impact such a loss could inflict. These factors represent important drivers for securely managing cloud computing operations.
The cloud vendor risk management program can be organized into five phases. Each phase deals with different issues and challenges and includes a minimum set of actions and considerations needed to effectively verify, validate or incorporate information security into cloud computing operations. They provide an end-to-end lifecycle approach to effectively manage cloud vendor information risks based on industry-recognized security principles and practices while aligning with methodologies from sources such as ITIL, ISACA and NIST. The following is an overview of each phase:
Initiation phase
Healthcare organizations identify the need for cloud computing services and document their purpose. This involves participation from key stakeholders in Clinical and Business areas, Legal, Compliance, Vendor Management, IT and Finance. During the development of the business case and cost-benefit analysis, Information Security provides a voice in the critical decision-making process of moving to the cloud. Security planning begins in the Initiation phase with the identification of key security roles to carry out the cloud vendor risk management approach. Security requirements are evaluated for any confidential information intended to be processed, transmitted, stored or maintained within the cloud environment.
All stakeholders should have a common understanding of the security considerations. This should consist of a preliminary risk assessment of the basic security needs and requirements considering applicable laws, regulations, organizational policy and controls and should identify the threats affecting the cloud environment. It also identifies the information classification to assist in making the appropriate selection of security controls. As part of the initial due diligence, healthcare organizations should have a list of cloud vendors they have properly vetted.
Solution development phase
The cloud vendor solution is designed, purchased, programmed, developed or otherwise constructed, and this phase ensures that security controls, requirements and all necessary components of the asset are considered when incorporating security into the lifecycle. A key security activity in this phase is conducting a formal risk assessment and using the results to identify the baseline security controls and requirements.
This includes requesting from the cloud vendor such items as its security policy, the geographic locations of its infrastructure, its technical security measures and other control documentation. It is critical that the cloud vendor meets or exceeds the organizationally defined information security requirements. It is imperative for the Information Security and Vendor Management teams to collaborate in defining baseline security requirements and incorporating them into business associate agreements.
Implementation phase
IT assets or services are integrated or implemented within the cloud vendor environment, and the security controls are established and verified in accordance with organizational policy and expectations, cloud vendor instructions and available implementation guidance.
Prior to the migration, certain sensitive assets should be encrypted. In preparation for the possibility of a failed migration, a disaster recovery plan with back-out procedures should be established. Finally, the agreed-upon security controls should be fully documented, including the results of the verification reviews and tests.
Operations and maintenance phase
This phase ensures that controls remain effective in their application through periodic monitoring, testing and evaluation, and that the potential security impacts of changes in the cloud environment receive adequate consideration. If the cloud vendor does not allow its customers to conduct their own assessments, it should provide external assessment reports such as the AICPA SOC reports. Healthcare organizations should continuously monitor the performance of the asset to ensure that it is consistent with the pre-established security controls and requirements, and that any needed asset modifications are incorporated.
Termination and disposal phase
This phase ensures that the information, the information asset and any hardware and software components within the cloud environment are moved to another asset, archived, sanitized or destroyed according to organizational policy. The termination and disposal requirements should be explicitly written into the business associate agreements. Additionally, this phase ensures an orderly termination or decommissioning so that the information is effectively migrated to another asset or archived in accordance with applicable records management regulations and policies.
Cloud computing does create risks and may require a rethink but not a reinvention of security programs and architectures. Healthcare organizations should increase their skills and training to negotiate, monitor and enforce agreements with cloud vendors. They should also adapt technical security architectures for more open networks, rethink security zones for the cloud and conduct ongoing assessments.
Cloud vendors often offer more effective security than many healthcare organizations could afford to deploy themselves. The majority of cloud vendors invest significantly in security technology and personnel, and realize that their business would be at risk without doing so. With virtually all healthcare organizations undergoing some form of cloud transition, a comprehensive approach with a structured methodology to manage cloud vendor risks can mitigate fears of the cloud and ensure that all cloud management is organized and secure.