Mitigating Risks in the Cloud
A Checklist for Managing Vendor Relationships
For example, healthcare organizations should insist on the right "to audit pretty much anything within the environment because if [cloud providers] are doing a good job, then they really have nothing to hide," he says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below).
In the interview, Nanji points out:
- Regarding data control, "We may have to revise our models for establishing trust and consequences in chain of custody and how we provide access and authentication for our key data assets."
- The movement to the cloud means there will be more interactions between software and systems. And that means organizations must "account for the reality that the user in the cloud may more likely be a machine than another person ... This has very profound implications on how identities are provisioned, authenticated and managed."
- "We must have a clear, concise view of how things are administered." Cloud computing clients should demand that their vendors spell out in advance who can access data, then provide access logs and agree to audits, he says.
In addition, the security consultant advises organizations to:
- Make sure cloud vendors have an up-to-date disaster recovery plan, including adequate access to backup power;
- Avoid working with cloud vendors who are inflexible about making changes in their security policies to meet the customer's needs; and
- Ask for the results of penetration tests for the network and applications, and make sure such tests are conducted at least every six months.
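The checklist above asks the customer to know in advance who may administer what, to obtain the vendor's access logs, and to audit them. Below is an added example of the kind of review a customer could run over such a log once it has been delivered; it is not code from the interview, from Techumen or from any vendor. The log format (one JSON object per line with `ts`, `actor`, `layer`, `action` and `target` fields), the sample entries and the authorised-administrator roster are all constructed assumptions for illustration.

```python
"""Review a cloud vendor's administrative access log against the
customer's own list of who is allowed to administer which layer.

Constructed example: the log format, field names, sample entries and
roster are assumptions for illustration, not a real vendor's export."""
import json
import random
from collections import defaultdict

# Constructed sample of the log a customer would request from the vendor:
# who did what, on which layer (VM, storage, network, database), and when.
SAMPLE_LOG = """\
{"ts": "2012-03-01T08:12:09Z", "actor": "alice", "layer": "vm", "action": "snapshot.create", "target": "ehr-app-01"}
{"ts": "2012-03-01T09:40:31Z", "actor": "bob", "layer": "storage", "action": "volume.attach", "target": "ehr-db-vol"}
{"ts": "2012-03-02T02:05:44Z", "actor": "svc-backup", "layer": "storage", "action": "volume.snapshot", "target": "ehr-db-vol"}
{"ts": "2012-03-02T11:22:10Z", "actor": "carol", "layer": "network", "action": "firewall.rule.add", "target": "edge-fw"}
{"ts": "2012-03-03T14:03:57Z", "actor": "bob", "layer": "vm", "action": "vm.console", "target": "ehr-app-01"}
{"ts": "2012-03-03T16:45:12Z", "actor": "dave", "layer": "storage", "action": "volume.export", "target": "ehr-db-vol"}
"""

# Constructed roster: the identities the customer agreed may administer
# each layer. Machine identities (service accounts) belong here alongside
# people, since in the cloud the administrative "user" is often a machine.
AUTHORIZED = {
    "vm": {"alice"},
    "storage": {"bob", "svc-backup"},
    "network": {"carol"},
    "database": {"erin"},
}


def parse_log(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unauthorized_actions(events, authorized=AUTHORIZED):
    """Events whose actor is not on the agreed roster for that layer."""
    return [e for e in events
            if e["actor"] not in authorized.get(e["layer"], set())]


def segregation_violations(events):
    """Actors who performed administrative actions on more than one layer.

    Segregation of duties means VM, storage and network administration
    should not collapse into one identity; this reports where it does."""
    layers = defaultdict(set)
    for e in events:
        layers[e["actor"]].add(e["layer"])
    return {actor: sorted(ls) for actor, ls in layers.items() if len(ls) > 1}


def sample_for_audit(events, n, seed=0):
    """Pick n events at random (seeded so the pick is reproducible), so the
    customer rather than the vendor chooses which entries get scrutinised."""
    rng = random.Random(seed)
    chosen = rng.sample(events, min(n, len(events)))
    return sorted(chosen, key=lambda e: e["ts"])


def review(text, authorized=AUTHORIZED):
    """Run every check over a raw log export and return the findings."""
    events = parse_log(text)
    return {
        "total": len(events),
        "unauthorized": unauthorized_actions(events, authorized),
        "segregation": segregation_violations(events),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG), indent=2))
    for e in sample_for_audit(parse_log(SAMPLE_LOG), 3):
        print("audit sample:", e["ts"], e["actor"], e["layer"], e["action"])
```

On the constructed sample the review flags two actions by identities outside the agreed roster (bob opening a VM console, dave exporting a storage volume) and one segregation-of-duties finding (bob active on both the storage and VM layers). The point of the seeded random sample is the one made in the interview: the customer picks which dates or functions to inspect, rather than accepting entries the vendor selects.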
Nanji is executive director at Techumen, an information security firm focusing exclusively on securing healthcare information. He has more than 25 years of information technology experience. He serves on the advanced security workgroup for the Certification Committee on Health Information Technology. He is a Certified Information Security Systems Professional.
Security Risks
HOWARD ANDERSON: When considering using cloud computing for remotely hosted applications, such as electronic health records, or for remote data or image storage, what are the most significant security risks that healthcare organizations must consider?
FEISAL NANJI: The most important thing is that we really make sure that the actual agreement that we sign with the hosting provider is done well, which means that our biggest risk is really educating our own legal team on this. Often this can be a failure because the legal team is not as technically in-depth. As we are moving into the cloud, we have significant changes in our control structure, so standard controls that may seem reasonable may not really be adequate for cloud-based environments. With that said, the actual agreement is a big issue.
Then we also have to worry about a number of other issues. For example: How is the cloud vendor implementing administrative rights and segregation of duties? That is, who has access to the administrative rights for managing the virtual machines, managing the storage network and managing the network itself? These are all important issues. You have also other issues that focus on disaster recovery and business continuity plans, and we want to make sure that vendors are really doing this right.
Things that we have to ask the vendor are: When was the last time they did a full exercise or a simulation of a shut-down? Do they have adequate access to back-up power? ... This is an important issue because a lot of people will say, "Yes, we have back-up power." But sometimes, if you read the agreements [with organizations that provide] back-up power, for example, a municipality, you might find that the municipality in the event of an earthquake will [use] all the power for that data center. ...Disaster recovery, back-up and business continuity planning are details that have to be ironed out upfront.
Another issue is that we shouldn't assume that "big" is "good." A lot of people will say, "My hosting provider has X billion dollars of business a year." That's nice, but we cannot assume, from our standpoint as customers, that big is necessarily good. The other important aspect is whether we are co-locating, which in many cases is going to be a concern. We might be co-locating with direct competitors. How is data segregation managed? Do we have storage clusters that are shared or are they different? It is nice clearly to say that we have logical separation, but sometimes it might be even nicer to have actual physical separation of those storage clusters in addition to logical separation. ...
Some other issues, for example, could focus on the inflexibility of the vendor in making policies and standards changes to their environment. That is, they have a set of standards and policies that they feel is inflexible. Those may be inadequate for us as a customer, and if they are showing such inflexibility then that is not a good thing. ...
Questions to Ask Vendors
ANDERSON: In light of those risks, could you go over a few of the most important questions to ask a cloud computing vendor before signing on the dotted line, and the documentation cloud customers should request?
NANJI: The kind of documentation the cloud customers should request varies, and of course as I mentioned earlier, the actual agreement with the hosting provider is very, very critical. That said, let's assume you've gone through that step and that the legal environment has really worked very closely with the compliance environment as well as the IT operations environment to understand that we, the customer, are getting what we want. Then, based on that, what we really need to know is ... if they have had any past failures or shutdowns. We need to know who the cloud provider's business associates are; these might be firms who are doing the physical shredding of documents, people who are involved in actual physical security of the facilities and people who provide the network and the telecom security as well. We would also need to know in-depth the information security policy standards and the procedures that the hosting vendor is providing. The procedures, especially, are important because they go into a bit more detail on what actually is being done.
We clearly have to have transparency into their operations and this is a ... very important point. Transparency into cloud operations is vital. Who in the hosting provider organization is handling administrative rights? Who is managing the virtual machine environment? Who has database access, storage access and network access? ... What we should request from the hosting provider is very easy access to logs for the above. These clearly should be randomly selected by date or function, if possible ... If the hosting provider is not going to provide you with good logs on who is handling our information, who the administrators are, what the virtual machine environment changes look like, when they were done, and so forth, then I think we have to be circumspect about the overall quality of the hosting vendor.
One other area that I think we should have in the contract is the right to audit ... pretty much anything within the environment, because if they are doing a good job, then they really have nothing to hide. We should really have the right to audit anything. Then finally, what I would also like to see is penetration test results for the network layer and the application layer, the most recent ones that they have. Typically for most hosting providers, they should do one every six months. That is doing at least what is known in the industry as an ethical hack, both at the network layer and also for the application. ...
Business Associate Agreements
ANDERSON: What details should be spelled out in a business associate agreement with a cloud computing vendor to adequately address HIPAA and HITECH Act compliance?
NANJI: As I mentioned earlier, we must have in the business associate agreement transparency into their operations. We must understand who is handling all the administrative rights and the segregation of duties, the storage access and the network access. We again, of course, have to have easy access to their logs for any business associate. Then we really want to find out what is the lowest common denominator for security in their environment. We must take a stab at understanding what is absolutely guaranteed by the business associate. ... But in general, we have to understand what the lowest common denominator is that the business associate agreement is going to provide for us. If it is not in keeping with our standards, then we must identify those gaps and let them know in no uncertain terms that this is what we must fix. Again, the right to audit anything and the penetration test results ... are also extremely important.
The Most Important Steps
ANDERSON: Based on your experience, what is the single most important step a healthcare organization can take to ensure the secure use of cloud computing?
NANJI: Again, we want to make sure that the vendor is treating us right. Cloud computing is a new foray into IT infrastructure, and there are lots of cloud companies out there, all claiming to do the right thing. ... But because it is a fairly new endeavor in IT, it really means that there will be a lot of variation. ... What we really must do, and I can't stress this enough, is make sure that the vendor is treating us right.
Let's also make sure that we educate our internal teams. These are the IT teams who typically will want to get on the cloud bandwagon, but if we don't educate them well enough on what security requirements ought to be, they may be missing something. Then of course, we also have to educate the legal team because they are far removed from the technical nuances of what needs to get done in the cloud. We as technical experts have to really provide the direction to the legal team.
Then we must raise most of the issues before any contract is signed. Obviously, that makes the most sense. I've seen quite a few instances in which people raise issues after the contract is signed, and that is not particularly helpful. ...
I would like to end by just saying there are clearly three major cloud compliance issues if you really think about them. One is this notion of data ownership and control. That is, we may have to revise our models for establishing trust, consequences and chain of custody and how we provide access and authentication for our key data assets. So as we IT folks and legal folks think about signing a contract on cloud computing, let's make sure that we genuinely understand what the data ownership and control chain of custody is.
Second, we must also realize that as we move to the cloud, the interactions between software and systems will typically exceed those between people and machines. The cloud will only accelerate this trend, and so it is imperative for IT and security folks to account for the reality that a user in the cloud may more likely be a machine than another person. This really has very profound implications on how identities are provisioned, authenticated and managed.
The final thing is this notion of administration. We must have a clear, concise view of how things are administered. What are the policies? Do we have full transparency into the policies, the procedures and the standards? Do we have auditing capabilities that are adequate?
In general, those are the three major issues that I would like to summarize and end with, because those are the most important. ...