Steps and Tactics to Securely Engage Cloud Providers

Apple recently announced it has ramped up its iCloud’s security after a recent cyber-attack that resulted in hundreds of celebrity nude selfies being leaked on the Internet. In addition, in 2014 we’ve seen major corporations like Target and Home Depot suffer major cyber-attacks and also make front page news, which doesn’t necessarily help alleviate concerns that cloud computing isn’t a secure platform.

However, other than a handful of reported breaches, major cloud providers have generally avoided large-scale security attacks. Cloud providers are putting more emphasis on security to help ensure their clients' data is safe, and they understand the reputational risk that a major data breach can bring to their entire business model.

Here are four basic steps you should always consider when engaging cloud providers:

First and foremost, do your research about which provider you choose to work with. While reported data breaches involving cloud providers have been limited, there has been some concern about the reliability of some platforms. If you pick a provider with a proven history of successful managed security services or an extensive cloud security service portfolio, that provider is much less likely to go out of business any time soon. Any cloud provider can experience a data breach, outage or service disruption, so pick an organization that is able to prepare for the worst and plan accordingly.

Second, make sure your data is encrypted. Protect your sensitive data with industry-recognized encryption standards before transferring it to the cloud. Providers typically offer encryption, but encrypting the data yourself puts you in control: if the data is encrypted before it is transferred to the cloud provider and the key stays with you, then only you can decrypt it.
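As an added illustration of this step (example code, not from the article or any particular provider), the following Go program encrypts a record client-side with AES-256-GCM before it is uploaded. Only the nonce and ciphertext leave the client; the key is generated and kept locally, and binding the object name as associated data means a blob cannot be silently served back under a different name. The object name and record contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Envelope is all that leaves the client: a random nonce plus AES-256-GCM
// ciphertext with its auth tag. The key stays client-side, so the provider
// stores the blob but cannot read it.
type Envelope struct{ Nonce, Ciphertext []byte }

// NewClientKey generates a 256-bit key on the client; it is never uploaded.
func NewClientKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record before upload. The object name is bound as
// associated data so a blob stored under one name cannot be served as another.
func Seal(key []byte, objectName string, plaintext []byte) (Envelope, error) {
	aead, err := gcm(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(objectName))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts after download. It returns an error (not garbage) on a
// wrong key, a modified blob or a blob served under a different name.
func Open(key []byte, objectName string, env Envelope) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(objectName))
}
```

Key management (where the client key is stored, rotated and backed up) is the part the provider cannot do for you, and it is what makes this step meaningful.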

Third, carefully read the cloud provider's service level agreement (SLA). Providers offer a choice of service levels. Services should include on-demand scalability to keep applications running, offline backups, disaster recovery, and high availability without disruption due to maintenance or upgrades. The SLA should include guarantees covering availability, response times for each normal issue severity level, and response times when dealing with specific security issues or potential data breaches.

Lastly and most importantly, risk assessments should be conducted initially and annually thereafter to identify cloud-dependent data, resources and activities; analyze threats and vulnerabilities; and recommend whether to accept, avoid, mitigate or transfer information risks. Risk management is your primary driver since all cloud providers are subject to information risk-related issues just as much as your own organization.

Here are some straightforward tactics to implement these steps:

* Consider taking a tiered approach to assessing and managing cloud provider risks, which allows you to allocate your limited resources more effectively and direct your focus to the most critical areas. This allows for broader coverage without substantially increasing the overall resource investment in risk management.

* When cloud providers handle protected health information (PHI) or credit card data, it is imperative that some form of written contract or agreement specifies what is expected. But contracts and agreements alone are weak controls unless security and compliance can be verified. Spell out specifics and build in a verification process that allows you to confirm how your data is actually being protected. Cloud providers should offer a transparent and measurable way to demonstrate how industry regulatory requirements and security best practices are being met.

* Employ an information security questionnaire as part of your risk assessment process. The questionnaire should be broad in scope and address all applicable disciplines of security to give a fundamental understanding of the cloud provider's security posture and maturity. Consider aligning your questionnaire with the International Organization for Standardization (ISO) 27001/27002 security standards because of their depth and breadth. The questionnaire results should provide evidence of current data handling, risk management and compliance activities that allows for better prioritization of next-step tasks.

* For the highest-risk relationships, consider deploying security staff to the cloud provider's site where your data resides to comprehensively assess any potential areas of improvement. An onsite assessment should include staff interviews, physical inspection of the facilities and policy/procedure reviews, as well as technical vulnerability testing. The cloud provider should meet your privacy and security compliance needs, including HIPAA and PCI. This approach provides much greater assurance of contract, policy and regulatory compliance and gives insight into how data is actually being protected.

* Keep in mind that individual risk assessments do not scale well. The more sites and cloud providers involved, the less practical a risk assessment exercise becomes. Conducting onsite risk assessments can become impractical whenever an organization has more than a few high-risk relationships. Consider using a trusted third-party vendor that can conduct risk assessments on your behalf; they can offer a reliable and scalable risk assessment approach.

* Continuous review processes should be in place to ensure that expectations are consistently being met. Periodically review the cloud provider's operations to verify that they are conforming to the terms of the written contract or agreement and meeting expectations. Just as important, you should ensure their continuing compliance with applicable federal and state laws, rules and regulations, as well as internal policies and procedures.

* Consider designating a specific individual or team to coordinate the oversight activities for your high-risk cloud provider relationships. As necessary and appropriate, involve other operational areas such as IT Audit and Compliance departments in the monitoring process. The extent of oversight of a particular cloud provider will depend on the potential risks and the scope and magnitude of the relationship. Results of oversight activities should be reported to senior leadership or a designated committee. Of course, any identified non-compliance issues or weaknesses should be documented and addressed.

These steps and tactics may be new and seem overwhelming to implement, but cloud computing is here to stay. The adoption of cloud-based services will only increase as healthcare organizations gain a better understanding of the cloud, its benefits and limitations, and how they must prepare in order to commit important clinical and business systems and core operational processes to the cloud.

The reality of cloud computing as a secure platform can be realized when information risks in the cloud are managed more effectively through a combination of technical, administrative and legal means that identify, evaluate and mitigate any identified issues on an ongoing basis.
