HIPAA Requirements for Complete Cloud Security
Uploaded by bitglass. Category: Technology.
Transcript of HIPAA Requirements for Complete Cloud Security
STORYBOARDS
8% of healthcare orgs had cloud apps deployed in 2014
37% of healthcare orgs had cloud apps deployed in 2015
cloud adoption is rising fast
Bitglass Cloud Adoption Report
the traditional approach to security is inadequate
native security features can’t be relied upon: the data blind spot
(diagram) components: usage/consumption, data, application, services, servers & storage, network
(diagram) layer: data, application, infrastructure
(diagram) owner: enterprise
security must evolve to protect data outside the firewall
■ cloud: attack on SaaS vendor risks sensitive data
■ access: uncontrolled access from any device
■ network: data breach - exfiltration & Shadow IT
■ mobile: lost device with sensitive data
HIPAA technical safeguards for cloud
■ access control
○ granular context-based controls over access to both managed and unmanaged devices
○ secure identity/authentication
■ transmission security
○ end-to-end encryption
■ audit and visibility
■ data integrity
access controls: the new data reality requires a new security architecture
■ cross-device, cross-platform agentless data protection
■ granular DLP for data at rest and in motion
■ contextual access control
controlling access from unmanaged mobile devices
■ secure mobile devices without invasive profiles or certificates; support multiple affiliations
■ protect data in “unwrappable” native apps like mail, contacts, calendar
■ selectively wipe corporate data
■ enforce device security policies
■ full data control and visibility for IT
identity: centralized identity management is key to securing data
■ cloud app identity management should maintain the best practices of on-prem identity
■ SSO enables cross-app visibility into suspicious access activity
■ contextual multi-factor authentication mitigates risk
transmission security: end-to-end protection
■ cloud data doesn’t exist only “in the cloud”
■ a complete solution must provide visibility and control over data in the cloud
■ solution must also protect data on end-user devices
■ leverage contextual access controls
audit and visibility
■ detailed logging for compliance and audit
■ identify PHI data at rest and external sharing
■ easily modify sharing permissions and quarantine files for review
■ detect and be alerted instantly of suspicious behavior
data integrity
■ secure the data in the cloud - where you have versioning and control over permissions
■ apply granular DLP to sensitive data with a spectrum of actions from watermarking to encryption
CASB: a better approach to cloud security
■ identity
■ discovery
■ data-centric security
■ mobile
secure Office 365 + BYOD
challenge
■ Inadequate native O365 security
■ Controlled access from managed & unmanaged devices
■ Limit external sharing
■ Interoperable with existing infrastructure, e.g. Bluecoat, ADFS
solution
■ Real-time inline DLP on any device (Citadel)
■ Contextual access control on managed & unmanaged devices (Omni)
■ API control in the cloud
■ Discover data breach & Shadow IT
fortune 50 healthcare provider
HIPAA-compliant mobility
challenge:
■ Existing solution, AT&T Toggle, was obsolete
■ HIPAA-compliant BYOD
■ Migration path to Office 365
solution:
■ Agentless deployment
■ Usability, transparency & privacy
■ DLP of PII, PCI & PHI
■ Selective wipe; device PIN & encryption
■ Improved mobility for care providers
major US hospital system
our mission: total data protection
est. Jan 2013
100+ customers
tier 1 VCs
resources: more info about cloud security
■ Report: 2016 healthcare breaches
■ Whitepaper: The Definitive Guide to CASBs
bitglass.com | @bitglass