200 International Dr., Buffalo, NY 14221-5794 • (716) 634-8800 • www.dopkins.com • Email: wprohn@dopkins.com

Lifting the Fog to See the Cloud
Information Security in a Hosted Environment
William Prohn, Managing Director
Thomas O’Connor, Consultant
Background
William M. Prohn, CISSP®, CISA®, CGEIT®, CRISC®
Managing Director, Dopkins System Consultants
Thomas M. O’Connor, B.S. Accounting Information Systems, M.S. Forensic Accounting
Consultant, Dopkins System Consultants
Agenda
• Introduction to the Cloud
• Benefits & Challenges in the Cloud
• Certifications
• ISACA Knowledge Center
• HIPAA
  o HITECH
  o HITRUST
What is That?
But now they only block the sun
They rain and snow on everyone
So many things I would have done
But clouds got in my way

I've looked at clouds from both sides now
From up and down, and still somehow
It's cloud illusions I recall
I really don't know clouds at all
– Joni Mitchell, “Both Sides Now”
Introduction to the Cloud
Simple Definition: Using the internet
• Replace the term ‘in the cloud’ in a statement with ‘on the internet’
• We all use the ‘cloud,’ we just might not know it
• The term originates from network diagrams (US Patent US_5485455)
Alternate: Utilizing third party resources accessible through the internet
Why Move to the Cloud?
• Reduce storage and archive costs
• Allow for remote access
• Allow for collaboration
• Improve search efficiency
• 24/7 Access and support
• Increased security with redundancy
• Reduce administrative overhead
It’s All About the Compromise
The Role of the Auditors
• Oversee and provide input on governance
• Consideration of security
COBIT Objectives:
• May be concerned with any of the COBIT objectives: IT Planning, Budgeting, Risk Assessment, Feasibility, Service Level Management, Business Continuity, Physical Environment, IT Governance
What Moves to the Cloud?
• Applications & Software
  o Software as a Service [SaaS]
• Servers & IT Personnel
  o Infrastructure as a Service [IaaS]
• Programming languages, libraries, tools and services
  o Platform as a Service [PaaS]
Controls
• The compromise with each benefit is risk
• Controls are a response to that risk
• Are the controls designed and implemented appropriately?
• Are they operating effectively?
Controls
ITGC audits typically focus on identifying and testing controls
• Manage Changes
  o Are changes authorized, tested and monitored?
• Logical Access
  o Is privileged access restricted to appropriate users?
• Other IT Operations
  o Is critical data regularly backed up?
  o Are incidents reported and addressed timely?
Challenges in the Cloud
What about controls in a hosted environment?
• Who owns the data?
• Who has access to the data?
New Risks | New Controls | New Audit Steps
[i.e. CSP] [i.e. Data Center] [i.e. System Admin]
Challenges in the Cloud
What about controls in a hosted environment?
• Who is responsible for backing up the data?
• What about incidents?
New Risks | New Controls | New Audit Steps
Challenges in the Cloud
Disaster Recovery & Business Continuity
• Service Level Agreements
• End-User Licensing Agreements
• Alternate providers
  o Bankruptcy
  o Acquisition
• Threats to CSPs
“1-in-4 Vendors Will Be Gone By 2015” -- Gartner
Challenges in the Cloud
Cyber Security Insurance
• 31% of companies have a cyber security insurance policy [1]
• 39% planned to purchase a policy within a year
• ‘Cloud Protection’ policies gaining popularity
Cloud Coverage Typically Includes:
• Loss of income due to vendor down time
• Costs associated with procuring new vendor
• Costs of migrating to new vendor
[1] Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age -- (Ponemon Institute & Experian), August 2013
Certifications & Compliance
Service Organization Control (SOC) Reports
• SOC 1: Controls at a service organization relevant to user entities’ internal control over financial reporting.
• SOC 2: Controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.
• SOC 3: General use report. Coverage similar to SOC 2.
Certifications & Compliance
• HIPAA
  o Protected Health Information
  o Business Associate Agreements
• PCI DSS
  o Payment Card Transactions
• ISO 27001:2005
  o International Information Security Standard
ISACA Knowledge Center
Cloud Computing Management Audit/Assurance Program
• Topical Coverage:
  o Governance affecting cloud computing
  o Contractual compliance
  o Control issues specific to cloud computing
• COBIT & COSO Cross-references
• Intended to complement other audit(s)
One of 25+ ISACA audit programs available: ISACA Cloud Computing Management Audit/Assurance Program
Auditing in the Cloud
Service Provider Responsibilities
• Service Level Agreements (SLAs)
• Performance and frequency of risk assessments
Compliance and Audit:
• Right to Audit
• Third-party Reviews
• Compliance
• ISO 27001 Certification
Auditing in the Cloud
Incident Response, Notification and Remediation
• Review of SLAs
• Legal and regulatory compliance
Data Security
• Encryption
Identity and Access Management
HIPAA & HITECH
HIPAA
Health Insurance Portability and Accountability Act
Established in 1996 by the Clinton Administration
Make it easier for workers to maintain insurance coverage when changing jobs (portability)
This is facilitated by digital files and electronic data
This requires a level of security
HIPAA
Health Insurance Portability and Accountability Act
Applies to health care organizations (HCOs): PROVIDERS and INSURERS
Specifically EXCLUDES Workers’ Compensation
Does NOT apply to medical records in other contexts, like employers
HIPAA
Health Insurance Portability and Accountability Act
Three Rules that are relevant to compliance:
EDI Rule: ICD-9, ICD-10
HIPAA
Health Insurance Portability and Accountability Act
Privacy Rule: HCOs must “Reasonably safeguard” patient data
HIPAA
Health Insurance Portability and Accountability Act
Security Rule: Protect the Confidentiality, Integrity and Availability of Protected Health Information against “reasonably anticipated threats or hazards”
• Access Controls
• Audit Controls
• Authentication
• Transmission Security
HITECH
Health Information Technology for Economic and Clinical Health
Enacted in 2009 as part of economic stimulus legislation
Gives grant money to HCOs to implement new technologies such as EHR
Creates fines and sanctions for HIPAA violations to pay for the grants
HITECH
Health Information Technology for Economic and Clinical Health
Broadens the scope of HIPAA to include “Business Associates” of HCOs
• accountants, lawyers, consultants who “create, maintain, receive or transmit”
• “Cloud”, even if they disclaim access
New data breach notification rules
Enforcement is on a “contingent fee” basis: HHS gets to keep the money
HIPAA
Specific Controls Required:
• Risk Analysis/Risk Management
• Sanction Policy
• Incident Response/reporting process
• Data Backup plan
• Disaster Recovery Plan
• Data disposal/media re-use
• Written contracts with Business Associates
HITRUST
• Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.
• Harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC).
• As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry.
• www.hitrustalliance.net
Questions