Sharing Cloud Security Responsibilities
Privacy Attorney Adam Greene on Key Considerations
A cloud computing security model needs to be customized to fit how the cloud provider serves its clients, says privacy attorney Adam Greene.
"There's not a one-size-fits-all," he says in an interview with Information Security Media Group.
"You may have one cloud provider that's a software-as-a-service provider that might take care of all the security requirements with technical and physical safeguards," he notes. In another situation, an "infrastructure-as-a-service provider may provide the configurations that allow the client ... to turn on certain security controls, but leaves it up to the customer to do so."
To ensure that important security controls don't fall through the cracks, delegating responsibilities to cloud vendors is essential, he says.
"The only way to really know who's got what responsibility is to have open lines of communication between the parties so that no one is in fact dropping the ball," he says. "It's important that the parties know who's turning on what, and who's got what responsibility."
In this interview, Greene also discusses:
- Top mistakes entities make with cloud security;
- Contingency plans for cyberattacks and other disruptions involving critical vendors;
- HIPAA compliance issues involving cloud vendors;
- Considerations when engaging off-shore cloud services providers and other vendors.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the Department of Health and Human Services' Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.