Making Sense of the Cloud's Confusing
Shared Responsibility Model
Healthcare IT News Webinar: July 19, 2016
Shared Responsibility Can Create Confusion
CONFUSION & MISMATCHED EXPECTATIONS
• Roles & Responsibilities
• Data Security
• Breach Reporting
• Service Models
PROPRIETARY&CONFIDENTIAL 2
Objectives
•Refresher on HIPAA, the BAA and the Security Rule
•Understand the key roles in data ownership and how that relates to
shared responsibility in the cloud
•Understand Cloud deployment and service models
•Review the benefits and disadvantages of each service model
•Discuss a typical responsibility model aligned with the HIPAA Security Rule, as well as a use case
•Describe considerations for moving to the cloud
Background: HIPAA Security Rule & the BAA
Business Associate Agreement (BAA)
The Fundamental Purpose of a BAA is to Protect Patient Data
•The Covered Entity must enter into a BAA with a Business Associate
•The Business Associate must have a BAA with its Subcontractors
•Three Major Obligations of a BAA:
- Facilitate Patient Rights
- Complete Risk Analysis, Policies and Procedures
- Report Breaches and Liability
BAA Obligations Flow Outward (from the covered entity to the business associate, and from the business associate to each subcontractor)
BA Breach Reporting
Internal Logging
• Unsuccessful Security Incidents (e.g. blocked scans, failed logins)
• Breaches affecting fewer than 500 individuals
External Reporting
• Successful Security Incidents
• Breaches affecting 500 or more individuals
Note: "internal logging" is not "never reported". Under the Breach Notification Rule a business associate must still notify the covered entity of any breach of unsecured PHI (no later than 60 days after discovery), and breaches affecting fewer than 500 individuals are logged and submitted to HHS annually. The 500-individual threshold changes the timing of the HHS notice and adds a media notice; it does not decide whether the breach is reported. Check the BAA for how unsuccessful incidents are to be reported (many BAAs allow them in aggregate).
HIPAA Fines & Penalties

Violation Category               Each Violation       All Identical Violations per Calendar Year
Did Not Know                     $100 - $50,000       $1,500,000
Reasonable Cause                 $1,000 - $50,000     $1,500,000
Willful Neglect: Corrected       $10,000 - $50,000    $1,500,000
Willful Neglect: Not Corrected   $50,000              $1,500,000

(Tiers as published in the 2013 Omnibus Rule; HHS adjusts the dollar amounts for inflation each year.)
Key Roles in Data Ownership
• Data Subject: An individual who is the subject of personal data
• Data Controller: A person who (alone or jointly with other persons) determines the purpose for which, and the manner in which, any personal data may be processed
• Data Processor: Any person (other than an employee of the data controller) who processes data on behalf of the controller
• Data Steward: Responsible for data content, context, and business rules
• Data Custodian: Responsible for the safe custody, transport and storage of the data, and for implementing the business rules
• Data Owner: Holds legal rights and complete control over a single piece or set of data elements; defines distribution and policies
In HIPAA terms the covered entity normally acts as controller and owner of the patient data, while a business associate or cloud provider acts as processor and custodian. Shared responsibility in the cloud is about deciding which of these roles each party fills for each layer of the stack.
Cloud Service & Deployment Models
The Cloud Reference Model
[Figure: the NIST cloud computing reference model (SP 500-292), shown on slides 10 to 15 as the presenter walks through each actor]
• Cloud Consumer
• Cloud Provider: Service Layer (SaaS, PaaS, IaaS) on top of the Resource Abstraction & Control Layer and the Physical Resource Layer (Hardware, Facility); Cloud Service Management (Business Support, Provisioning / Configuration, Portability / Interoperability); Security; Privacy
• Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit
• Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage
Cloud Deployment Models
• Private Cloud: owned or leased by a single organization; operated solely for that organization
• Community Cloud: shared by several organizations; supports a specific community
• Hybrid Cloud: combination of two or more cloud models
• Public Cloud: owned by an organization selling cloud services; sold to the public or to large organizations
The BAA & Cloud Service Models
Cloud Service Models
[Figure: the service stack and the portion of it each service model hands to the provider]
Stack, top to bottom: Presentation Layer; APIs; Applications; Data Content; Integration & Middleware; APIs; Connectivity; Hardware; Facilities
• SaaS (Software as a Service): the provider runs the whole stack, up through the applications and presentation layer
• PaaS (Platform as a Service): the provider runs the stack up through integration & middleware; the customer brings applications and data
• IaaS (Infrastructure as a Service): the provider runs facilities, hardware and connectivity; the customer runs everything above
SaaS
Software delivery method. Provides access to software as a web-based service and gives access to business functionality at less cost than purchasing the software outright.
Customers CAN
• Use the provider's applications running on cloud infrastructure
• Access the applications from client devices (e.g. a thin client or web browser) or through a program interface
Customers CANNOT
• Manage or control the underlying infrastructure, including network, servers, operating systems, storage, or application capabilities (beyond limited, user-specific application configuration settings)
SaaS Characteristics
Characteristics / Benefits
• Hosted app management
• Software on demand
• App and data access from anywhere
• Ease of use / minimal administration
• Automatic updates and patch management
• Standardization and compatibility
• Global accessibility
BAA and the SaaS Model
[Figure: the responsibility stack under SaaS]
• Patient Data; Platform, Applications, Identity & Access Management: the data owner/processor can see and control these, but only through the user interface and data presentation layer
• Operating Systems, Network & Firewall Configurations; Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection; Cloud Foundation Services (Compute, Storage, Database, Networking): no control or visibility offered to the owner/processor
PaaS
A platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure.
Customers CAN
• Deploy applications that they purchased or developed, using the programming languages, libraries, services, and other tools the provider supports
• Control the deployed applications
• Possibly control configuration settings for the app-hosting environment
Customers CANNOT
• Manage or control the underlying infrastructure, including the network, servers, operating systems, or storage
PaaS Characteristics
Characteristics / Benefits
• Support for multiple languages and frameworks
• Multiple hosted environments
• Flexibility
• Allows choice and reduces vendor "lock-in"
• Ability to auto-scale
• OS can be changed/upgraded frequently
• One environment for globally distributed development teams
• Services from diverse resources around the globe
• Reduced cost
BAA and the PaaS Model
[Figure: the responsibility stack under PaaS]
• Patient Data; Platform, Applications, Identity & Access Management: the data owner/processor can see and control these
• Operating Systems, Network & Firewall Configurations; Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection; Cloud Foundation Services (Compute, Storage, Database, Networking): no control or visibility offered to the owner/processor
IaaS
Computer infrastructure delivered as a service. Servers and software are provided as a fully outsourced service and billed on usage.
Customers CAN
• Provision processing, storage, networks and other resources
• Deploy and run arbitrary software, including OS and apps
• Control the OS
• Possibly control some networking components (e.g. host firewalls)
Customers CANNOT
• Manage or control the underlying cloud infrastructure
IaaS Characteristics
Characteristics / Benefits
• Supports scale
• Converged network and IT capacity pool
• Self-service, on-demand capacity
• High reliability and resilience
• OS can be changed/upgraded frequently
• One environment for globally distributed development teams
• Services from diverse resources around the globe
• Reduced cost
BAA and the IaaS Model
[Figure: the responsibility stack under IaaS, divided into three bands]
• Customer Accountability: Patient Data; Platform, Applications, Identity & Access Management
• Shared Responsibility: Operating Systems, Network & Firewall Configurations; Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection
• No Control or Visibility: Cloud Foundation Services (Compute, Storage, Database, Networking)
Data Access with Service Models

Layer             SaaS   PaaS   IaaS   Local
Networking        ✘      ✘      ✘      ✔
Storage           ✘      ✘      ✘      ✔
Servers           ✘      ✘      ✘      ✔
Virtualization    ✘      ✘      ✘      ✔
OS                ✘      ✘      ✔      ✔
Middleware        ✘      ✘      ✔      ✔
Runtime           ✘      ✘      ✔      ✔
Data              ✘      ✔      ✔      ✔
Application       ✘      ✔      ✔      ✔
Access Control    ✔      ✔      ✔      ✔

(✔ = the customer administers the layer directly; ✘ = the provider does. "Local" is on-premises. Under SaaS the customer reaches its data only through the application, which the table counts as ✘.)
Cloud Managed Service Models
[Figure: the same responsibility stack drawn twice, Basic DIY Model beside Managed Cloud Services Model]
Stack, top to bottom: Patient Data; Platform, Applications, Identity & Access Management; Operating Systems, Network & Firewall Configurations; Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection; Cloud Foundation Services (Compute, Storage, Database, Networking)
• Basic DIY Model: two bands, Customer Responsibility (everything above the foundation services) and Cloud Service Provider Responsibility (the foundation services)
• Managed Cloud Services Model: three bands, Customer Responsibility, Managed Services Provider Responsibility, and Cloud Service Provider Responsibility; the managed services provider takes the middle of the stack (OS, network and firewall configuration, encryption and traffic protection) off the customer
HIPAA Security Rule Responsibility RACI (Responsible, Accountable, Consulted, Informed)

Requirement                            Covered Entity   Business Associate   Services Provider   Cloud Provider
Security Management Process            A, R             R                    I                   I
Assigned Security Responsibility       A, R             R                    I                   I
Workforce Security                     A, R             R                    I                   I
Access Management                      A                R                    R                   I
Incident Procedures                    A                R                    C, I                I
Contingency Plans                      A                R                    C, I                I
Evaluation                             A                C, I                 R                   I
Business Assoc. Contracts              A, R             I                    -                   -
Physical Access Controls               A                I                    I                   R
Logical Access Controls                A                C, I                 R                   I
Workstation Use & Security             A, R             R                    I                   -
Device & Media Controls                A                C, I                 R                   R
Audit Controls                         A                R                    R                   C, I
Data & System Integrity                A                R                    R                   C, I
Person or Entity Authentication        A                C, I                 R                   I
Transmission Security                  A                R                    R                   C, I
Policies, Procedures & Documentation   A, R             C, I                 C, I                C, I

Note that the covered entity is Accountable on every row: outsourcing a control to a business associate, services provider or cloud provider never moves accountability for the Security Rule off the covered entity.
IaaS Deployment RACI

Use Case Scenario: a Covered Entity runs a cloud-based appointment-setting application; the infrastructure is managed by a dedicated healthcare cloud provider (the Services Provider) and is located on a public cloud.

Task                                          Covered Entity   Business Associate   Services Provider
IaaS
  Provision Storage Account                   I                C, I                 A, R
  Provision IaaS Networking                   I                C, I                 A, R
  Firewall Management, Configuration          I                C, I                 A, R
  Breach Notification Plan                    I                C, I                 A, R
  Data Encryption at Rest & In Flight         I                C, I                 A, R
  Provision IaaS Virtual Machine              I                C, I                 A, R
  OS Deployment & Hardening                   I                I                    A, R
  OS Security Patch Management                I                C, I                 A, R
  Backup                                      I                C, I                 A, R
  Antivirus/Antimalware, Endpoint Protection  I                I                    A, R
  App Installation, Configuration             I                C                    A, R
  Monitoring (fabric, OS, app platform)       I                C, I                 A, R
  Monitoring Alerting / Notification          I                I                    A, R
  Desired State Configuration                 I                C, I                 A, R
  Vulnerability Scanning                      I                I                    A, R
Apps
  Provision Application Services instance     I                A, R                 I
  CMS Install, Setup, and Maintenance         I                A, R                 C, I
Best Practices Summary
• Know your workload requirements
- Integration requirements and dependencies
- Specific architecture, compliance and security requirements
• Fit the service model to the workload requirements
- IaaS vs. PaaS vs. SaaS
- Different levels of control and information access
• Define responsibilities with your provider
- Create a RACI with your provider up front
- Establish regular reviews to ensure the responsibilities of both you and the provider are fulfilled
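The closing advice is to write the RACI down with the provider and review it; the opening slide's "mismatched expectations" is what happens when two parties each hold their own version. The following is an added example, not part of the webinar and not the presenter's tooling: a small Python checker that parses two RACI tables in a pipe-separated format (the "provider view" rows are taken from the IaaS use case above; the "customer view" is a constructed copy with the usual errors planted), flags tasks with no Accountable or no Responsible party or with two Accountables, and lists the tasks on which the two documents disagree. The party names, the table format and the customer-view rows are assumptions made for the example.

```python
"""Gap and mismatch checker for a cloud shared-responsibility RACI.

Added example for this deck, not the presenter's tooling. The table format,
the party list and the "customer view" rows are constructed for illustration.
"""

ROLES = set("RACI")

# Constructed: the three parties from the deck's IaaS use case.
PARTIES = ("Covered Entity", "Business Associate", "Services Provider")

# Rows as the services provider documents them (taken from the deck's use-case RACI).
PROVIDER_VIEW = """
Provision IaaS Virtual Machine       | I   | C,I | A,R
OS Deployment & Hardening            | I   | I   | A,R
OS Security Patch Management         | I   | C,I | A,R
Vulnerability Scanning               | I   | I   | A,R
CMS Install, Setup, and Maintenance  | I   | A,R | C,I
"""

# Constructed: what the covered entity assumed. Three planted problems:
# patching assigned to the wrong party, a task nobody owns, and a task with
# two Accountable parties that the provider's document never lists at all.
CUSTOMER_VIEW = """
Provision IaaS Virtual Machine       | I   | C,I | A,R
OS Deployment & Hardening            | I   | I   | A,R
OS Security Patch Management         | I   | A,R | I
Vulnerability Scanning               | I   | I   | I
CMS Install, Setup, and Maintenance  | I   | A,R | C,I
Breach Notification Plan             | A,R | A,R | I
"""


def parse_cell(cell):
    """'A,R' -> {'A','R'}; '-' or '' -> empty set. Rejects codes outside R/A/C/I."""
    letters = {c for c in cell.upper() if c.isalpha()}
    unknown = letters - ROLES
    if unknown:
        raise ValueError(f"unknown RACI code(s) {sorted(unknown)} in {cell!r}")
    return letters


def parse_raci(table, parties=PARTIES):
    """Parse 'Task | cell | cell | ...' lines into {task: {party: set of codes}}."""
    raci = {}
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(parties) + 1:
            raise ValueError(f"expected {len(parties)} cells after the task name: {line!r}")
        task, *assignments = cells
        raci[task] = {party: parse_cell(cell) for party, cell in zip(parties, assignments)}
    return raci


def check_raci(raci):
    """Structural findings: every task needs exactly one A and at least one R."""
    findings = []
    for task, row in raci.items():
        accountable = [p for p, codes in row.items() if "A" in codes]
        responsible = [p for p, codes in row.items() if "R" in codes]
        if not accountable:
            findings.append((task, "no Accountable party"))
        elif len(accountable) > 1:
            findings.append((task, "more than one Accountable: " + ", ".join(accountable)))
        if not responsible:
            findings.append((task, "no Responsible party"))
    return findings


def mismatches(view_a, view_b):
    """Tasks on which two parties' RACI documents disagree, or that only one lists."""
    out = []
    for task in sorted(set(view_a) | set(view_b)):
        row_a, row_b = view_a.get(task), view_b.get(task)
        if row_a is None or row_b is None:
            out.append((task, "missing from one view"))
            continue
        differing = [p for p in row_a if row_a[p] != row_b.get(p, set())]
        if differing:
            out.append((task, "disagree on " + ", ".join(differing)))
    return out


if __name__ == "__main__":
    customer = parse_raci(CUSTOMER_VIEW)
    provider = parse_raci(PROVIDER_VIEW)
    for task, problem in check_raci(customer):
        print(f"[gap]      {task}: {problem}")
    for task, problem in mismatches(customer, provider):
        print(f"[mismatch] {task}: {problem}")
```

Run against the two sample tables, the checker reports that the customer's copy leaves vulnerability scanning with no owner at all and gives the breach notification plan two Accountable parties, and that the two documents disagree on who patches the OS and who scans it. Those are exactly the rows to settle in the "regular reviews" the summary calls for; a clean run of `check_raci` on each side and an empty `mismatches` list is a reasonable exit criterion for such a review.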
Questions?
Chris Bowen, MBA, CIPP/US, CIPT
Chief Privacy & Security Officer
(602) 635-4002
chris.bowen@cleardata.com
1600 W. Broadway Road, Tempe, AZ 85282

Contenu connexe

Tendances

Security that works with, not against, your SaaS business
Security that works with, not against, your SaaS businessSecurity that works with, not against, your SaaS business
Security that works with, not against, your SaaS businessCloudPassage
 
Enterprise Use Case Webinar - PaaS Metering and Monitoring
Enterprise Use Case Webinar - PaaS Metering and Monitoring Enterprise Use Case Webinar - PaaS Metering and Monitoring
Enterprise Use Case Webinar - PaaS Metering and Monitoring WSO2
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best PracticeShiu-Fun Poon
 
PECB Webinar: The alignment of Information Security in Service Management
PECB Webinar: The alignment of Information Security in Service ManagementPECB Webinar: The alignment of Information Security in Service Management
PECB Webinar: The alignment of Information Security in Service ManagementPECB
 
Data Entitlement in an API-Centric Architecture
Data Entitlement in an API-Centric ArchitectureData Entitlement in an API-Centric Architecture
Data Entitlement in an API-Centric ArchitectureWSO2
 
Secure Your Web Applications and Achieve Compliance
Secure Your Web Applications and Achieve Compliance Secure Your Web Applications and Achieve Compliance
Secure Your Web Applications and Achieve Compliance Avi Networks
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudScientia Groups
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Serviceguest536dd0e
 
Data Entitlement with WSO2 Enterprise Middleware Platform
Data Entitlement with WSO2 Enterprise Middleware PlatformData Entitlement with WSO2 Enterprise Middleware Platform
Data Entitlement with WSO2 Enterprise Middleware PlatformWSO2
 
Cloud Customer Architecture for Big Data and Analytics V2.0
Cloud Customer Architecture for Big Data and Analytics V2.0Cloud Customer Architecture for Big Data and Analytics V2.0
Cloud Customer Architecture for Big Data and Analytics V2.0Cloud Standards Customer Council
 
[WSO2Con EU 2017] Integration Platform Strategy for Digital Transformation
[WSO2Con EU 2017] Integration Platform Strategy for Digital Transformation[WSO2Con EU 2017] Integration Platform Strategy for Digital Transformation
[WSO2Con EU 2017] Integration Platform Strategy for Digital TransformationWSO2
 
Mis 20021241104 20021241103_20021241148_20021241155_20021241149_eai and flexi...
Mis 20021241104 20021241103_20021241148_20021241155_20021241149_eai and flexi...Mis 20021241104 20021241103_20021241148_20021241155_20021241149_eai and flexi...
Mis 20021241104 20021241103_20021241148_20021241155_20021241149_eai and flexi...Shaunak Gujjewar
 
Con9024 next generation optimized directory - oracle unified directory - final
Con9024 next generation optimized directory - oracle unified directory - finalCon9024 next generation optimized directory - oracle unified directory - final
Con9024 next generation optimized directory - oracle unified directory - finalOracleIDM
 
From Disaster to Recovery: Preparing Your IT for the Unexpected
From Disaster to Recovery: Preparing Your IT for the UnexpectedFrom Disaster to Recovery: Preparing Your IT for the Unexpected
From Disaster to Recovery: Preparing Your IT for the UnexpectedDataCore Software
 

Tendances (20)

Hybrid Cloud Considerations for Big Data and Analytics
Hybrid Cloud Considerations for Big Data and AnalyticsHybrid Cloud Considerations for Big Data and Analytics
Hybrid Cloud Considerations for Big Data and Analytics
 
Security that works with, not against, your SaaS business
Security that works with, not against, your SaaS businessSecurity that works with, not against, your SaaS business
Security that works with, not against, your SaaS business
 
Enterprise Use Case Webinar - PaaS Metering and Monitoring
Enterprise Use Case Webinar - PaaS Metering and Monitoring Enterprise Use Case Webinar - PaaS Metering and Monitoring
Enterprise Use Case Webinar - PaaS Metering and Monitoring
 
SAP HANA Cloud Security
SAP HANA Cloud SecuritySAP HANA Cloud Security
SAP HANA Cloud Security
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
 
Access Assurance in the Cloud
Access Assurance in the CloudAccess Assurance in the Cloud
Access Assurance in the Cloud
 
PECB Webinar: The alignment of Information Security in Service Management
PECB Webinar: The alignment of Information Security in Service ManagementPECB Webinar: The alignment of Information Security in Service Management
PECB Webinar: The alignment of Information Security in Service Management
 
Data Entitlement in an API-Centric Architecture
Data Entitlement in an API-Centric ArchitectureData Entitlement in an API-Centric Architecture
Data Entitlement in an API-Centric Architecture
 
Secure Your Web Applications and Achieve Compliance
Secure Your Web Applications and Achieve Compliance Secure Your Web Applications and Achieve Compliance
Secure Your Web Applications and Achieve Compliance
 
Cloud Customer Architecture for Big Data and Analytics
Cloud Customer Architecture for Big Data and AnalyticsCloud Customer Architecture for Big Data and Analytics
Cloud Customer Architecture for Big Data and Analytics
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the Cloud
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Service
 
Data Entitlement with WSO2 Enterprise Middleware Platform
Data Entitlement with WSO2 Enterprise Middleware PlatformData Entitlement with WSO2 Enterprise Middleware Platform
Data Entitlement with WSO2 Enterprise Middleware Platform
 
Cloud Customer Architecture for Big Data and Analytics V2.0
Cloud Customer Architecture for Big Data and Analytics V2.0Cloud Customer Architecture for Big Data and Analytics V2.0
Cloud Customer Architecture for Big Data and Analytics V2.0
 
[WSO2Con EU 2017] Integration Platform Strategy for Digital Transformation
[WSO2Con EU 2017] Integration Platform Strategy for Digital Transformation[WSO2Con EU 2017] Integration Platform Strategy for Digital Transformation
[WSO2Con EU 2017] Integration Platform Strategy for Digital Transformation
 
Mis 20021241104 20021241103_20021241148_20021241155_20021241149_eai and flexi...
Mis 20021241104 20021241103_20021241148_20021241155_20021241149_eai and flexi...Mis 20021241104 20021241103_20021241148_20021241155_20021241149_eai and flexi...
Mis 20021241104 20021241103_20021241148_20021241155_20021241149_eai and flexi...
 
Paas
PaasPaas
Paas
 
Con9024 next generation optimized directory - oracle unified directory - final
Con9024 next generation optimized directory - oracle unified directory - finalCon9024 next generation optimized directory - oracle unified directory - final
Con9024 next generation optimized directory - oracle unified directory - final
 
From Disaster to Recovery: Preparing Your IT for the Unexpected
From Disaster to Recovery: Preparing Your IT for the UnexpectedFrom Disaster to Recovery: Preparing Your IT for the Unexpected
From Disaster to Recovery: Preparing Your IT for the Unexpected
 
Cloud & Software Terms Defined
Cloud & Software Terms DefinedCloud & Software Terms Defined
Cloud & Software Terms Defined
 

Similaire à Shared Responsibility Model_Webinar_-_7-19-16

Cloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Standards Customer Council
 
IT4651w-CC-1b-Introduction.pptx
IT4651w-CC-1b-Introduction.pptxIT4651w-CC-1b-Introduction.pptx
IT4651w-CC-1b-Introduction.pptxnada542773
 
Qualifying SaaS, IaaS.pptx
Qualifying SaaS, IaaS.pptxQualifying SaaS, IaaS.pptx
Qualifying SaaS, IaaS.pptxSachin Bhandari
 
Best Practices for Multi-Cloud Security and Compliance
Best Practices for Multi-Cloud Security and ComplianceBest Practices for Multi-Cloud Security and Compliance
Best Practices for Multi-Cloud Security and ComplianceRightScale
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxTrongMinhHoang1
 
Seeking Cybersecurity--Strategies to Protect the Data
Seeking Cybersecurity--Strategies to Protect the DataSeeking Cybersecurity--Strategies to Protect the Data
Seeking Cybersecurity--Strategies to Protect the DataCloudera, Inc.
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
1.Service Models of Cloud Computing .pptx
1.Service Models of Cloud Computing .pptx1.Service Models of Cloud Computing .pptx
1.Service Models of Cloud Computing .pptxGSCWU
 
A Guide to Cloud Computing Service Models.pptx
A Guide to Cloud Computing Service Models.pptxA Guide to Cloud Computing Service Models.pptx
A Guide to Cloud Computing Service Models.pptxCETPA
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
Softchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice Corporation
 
Interoperability and Portability for Cloud Computing: A Guide V2.0
Interoperability and Portability for Cloud Computing: A Guide V2.0Interoperability and Portability for Cloud Computing: A Guide V2.0
Interoperability and Portability for Cloud Computing: A Guide V2.0Cloud Standards Customer Council
 
An introduction to the cloud 11 v1
An introduction to the cloud 11 v1An introduction to the cloud 11 v1
An introduction to the cloud 11 v1charan7575
 

Similaire à Shared Responsibility Model_Webinar_-_7-19-16 (20)

Cloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud Services
 
IT4651w-CC-1b-Introduction.pptx
IT4651w-CC-1b-Introduction.pptxIT4651w-CC-1b-Introduction.pptx
IT4651w-CC-1b-Introduction.pptx
 
Architecting SaaS
Architecting SaaSArchitecting SaaS
Architecting SaaS
 
Qualifying SaaS, IaaS.pptx
Qualifying SaaS, IaaS.pptxQualifying SaaS, IaaS.pptx
Qualifying SaaS, IaaS.pptx
 
Best Practices for Multi-Cloud Security and Compliance
Best Practices for Multi-Cloud Security and ComplianceBest Practices for Multi-Cloud Security and Compliance
Best Practices for Multi-Cloud Security and Compliance
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptx
 
Lecture31.ppt
Lecture31.pptLecture31.ppt
Lecture31.ppt
 
Seeking Cybersecurity--Strategies to Protect the Data
Seeking Cybersecurity--Strategies to Protect the DataSeeking Cybersecurity--Strategies to Protect the Data
Seeking Cybersecurity--Strategies to Protect the Data
 
Lecture5
Lecture5Lecture5
Lecture5
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
1.Service Models of Cloud Computing .pptx
1.Service Models of Cloud Computing .pptx1.Service Models of Cloud Computing .pptx
1.Service Models of Cloud Computing .pptx
 
A Guide to Cloud Computing Service Models.pptx
A Guide to Cloud Computing Service Models.pptxA Guide to Cloud Computing Service Models.pptx
A Guide to Cloud Computing Service Models.pptx
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
Softchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security Webinar
 
Interoperability and Portability for Cloud Computing: A Guide V2.0
Interoperability and Portability for Cloud Computing: A Guide V2.0Interoperability and Portability for Cloud Computing: A Guide V2.0
Interoperability and Portability for Cloud Computing: A Guide V2.0
 
An introduction to the cloud 11 v1
An introduction to the cloud 11 v1An introduction to the cloud 11 v1
An introduction to the cloud 11 v1
 
Practical Guide to Hybrid Cloud Computing
Practical Guide to Hybrid Cloud ComputingPractical Guide to Hybrid Cloud Computing
Practical Guide to Hybrid Cloud Computing
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 

Shared Responsibility Model_Webinar_-_7-19-16

  • 1. Making Sense of the Cloud's Confusing Shared Responsibility Model Healthcare IT News Webinar: July 19, 2016
  • 2. Shared Responsibility Can Create Confusion CONFUSION & MISMATCHED EXPECTATIONS ? Roles & Responsibilities ? Data Security ? Breach Reporting ? Service Models PROPRIETARY&CONFIDENTIAL 2
  • 3. Objectives •Refresher on HIPAA, the BAA and the Security Rule •Understand the key roles in data ownership and how that relates to shared responsibility in the cloud •Understand Cloud deployment and service models •Review the benefits and disadvantages of each service model •Discuss a typical responsibility model aligned with the HIPAA Security Ruleaswellasausecase •Describe considerations for moving to the cloud PROPRIETARY&CONFIDENTIAL 3
  • 5. Business Associate Agreement (BAA) The Fundamental Purpose of a BAA is to Protect Patient Data •The CoveredEntitymust enter into a BAA with a Business Associate •TheBusinessAssociatemusthaveaBAAwithSubcontractors •Three Major Obligations of a BAA: - Facilitate Patient Rights - Complete Risk Analysis, Policies and Procedures - Report Breaches and Liability BAA Obligations FlowOutward PROPRIETARY&CONFIDENTIAL 5
  • 6. BA Breach Reporting Internal Logging External Reporting • Unsuccessful Security Incidents • Breaches of less than 500 records • Successful Security Incidents • Breaches of more than 500 records PROPRIETARY&CONFIDENTIAL 6
  • 7. HIPAA Fines & Penalties Violation Category Did Not Know Reasonable Cause Willful Neglect: Corrected Willful Neglect: Not Corrected Each Violation $100 - $50,000 $1,000 - $50,000 $10,000 - $50,000 $50,000 All Identical Violations per Calendar Year $1,500,000 $1,500,000 $1,500,000 $1,500,000 PROPRIETARY&CONFIDENTIAL 7
  • 8. Key Roles in Data Ownership Data Subject An individual who is the subject of personal data Data Controller A person (alone or jointly with other persons) determines the purpose for which, and the manner in which any personal data may be processed Data Processor Any person (other than an employee of the data controller) who processes data on behalf of the controller Data Steward Responsible for data content, context, and business rules Data Custodians Responsible for the safe custody, transport, storage of the data, and implementation of business rules Data Owner Holds legal rights and complete control over a single piece or set of data elements. Define distribution and policies PROPRIETARY&CONFIDENTIAL 8
  • 9. Cloud Service & Deployment Models
  • 10. The Cloud Reference Model Cloud Consumer Cloud Auditor Security Audit Portability / Interoperability Security Privacy Cloud Service Management Provisioning / Configuration Service Layer SaaS Business Support Cloud Broker Service Intermediation Service Aggregation Privacy Impact Audit PaaS IaaS Performance Service Audit Arbitrage Resource Abstraction & Control Layer Physical Resource Layer Hardware Facility PROPRIETARY&CONFIDENTIAL 10
• 16. Cloud Deployment Models
  - Private Cloud: owned or leased by a single organization and operated solely for that organization
  - Community Cloud: shared by several organizations and supports a specific community
  - Hybrid Cloud: a combination of two or more cloud models
  - Public Cloud: owned by an organization selling cloud services; sold to the public or to large organizations
  • 17. The BAA & Cloud Service Models
• 18. Cloud Service Models
  The stack, top to bottom: Presentation Layer, APIs, Applications, Data, Content, Integration & Middleware, APIs, Connectivity, Hardware, Facilities.
  - SaaS (Software as a Service): the provider delivers the full stack down to the facilities
  - PaaS (Platform as a Service): the provider delivers the middleware and everything beneath it
  - IaaS (Infrastructure as a Service): the provider delivers connectivity, hardware and facilities
  Each model reaches progressively deeper into the stack, and the customer's visibility and control shrink accordingly.
• 19. SaaS
  A software delivery method: provides access to software as a web-based service, giving access to business functionality at less cost than purchasing the software outright. (The CAN / CANNOT lists on this and the following service-model slides follow the NIST SP 800-145 definitions.)
  Customers CAN:
  - Use the provider's applications running on cloud infrastructure
  - Access those applications from client devices (e.g. a thin client, a web browser, or a program interface)
  Customers CANNOT:
  - Manage or control the underlying infrastructure, including network, servers, operating systems, storage, or application capabilities (beyond limited user-specific configuration settings)
• 20. SaaS Characteristics
  Characteristics:
  - Hosted application management
  - Software on demand
  - Application and data access from anywhere
  Benefits:
  - Ease of use / minimal administration
  - Automatic updates and patch management
  - Standardization and compatibility
  - Global accessibility
• 21. BAA and the SaaS Model
  Layers, top to bottom, and what the data owner/processor gets in each:
  - Patient Data; Platform, Applications, Identity & Access Management: the owner/processor can see and control these, but only through the user interface and data presentation
  - Operating Systems, Network & Firewall Configurations: no control or visibility offered to the owner/processor
  - Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection: no control or visibility offered to the owner/processor
  - Cloud Foundation Services (Compute, Storage, Database, Networking): no control or visibility offered to the owner/processor
• 22. PaaS
  A platform that lets customers develop, run, and manage applications without the complexity of building and maintaining the infrastructure.
  Customers CAN:
  - Deploy applications they purchased or developed, using the programming languages, libraries, services, and other tools the platform supports
  - Control the deployed applications
  - Possibly control configuration settings for the application-hosting environment
  Customers CANNOT:
  - Manage or control the underlying infrastructure, including the OS
• 23. PaaS Characteristics
  Characteristics:
  - Support for multiple languages and frameworks
  - Multiple hosted environments
  - Flexibility
  - Allows choice and reduces vendor "lock-in"
  - Ability to auto-scale
  Benefits:
  - OS can be changed/upgraded frequently
  - One environment for globally distributed development teams
  - Services from diverse resources around the globe
  - Reduced cost
• 24. BAA and the PaaS Model
  Layers, top to bottom, and what the data owner/processor gets in each:
  - Patient Data; Platform, Applications, Identity & Access Management: the owner/processor can see and control these
  - Operating Systems, Network & Firewall Configurations: no control or visibility offered to the owner/processor
  - Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection: no control or visibility offered to the owner/processor
  - Cloud Foundation Services (Compute, Storage, Database, Networking): no control or visibility offered to the owner/processor
• 25. IaaS
  Computer infrastructure delivered as a service: software and servers are consumed as a fully outsourced service and billed on usage.
  Customers CAN:
  - Provision processing, storage, networks, and other computing resources
  - Deploy and run arbitrary software, including operating systems and applications
  - Control the OS
  - Possibly control some networking components (e.g. host firewalls)
  Customers CANNOT:
  - Manage or control the underlying cloud infrastructure
• 26. IaaS Characteristics
  Characteristics:
  - Support for scale
  - Converged network and IT capacity pool
  - Self-service, on-demand capacity
  - High reliability and resilience
  Benefits:
  - OS can be changed/upgraded frequently
  - One environment for globally distributed development teams
  - Services from diverse resources around the globe
  - Reduced cost
• 27. BAA and the IaaS Model
  Layers, top to bottom, with the responsibility band each falls into:
  - Customer Accountability: Patient Data; Platform, Applications, Identity & Access Management
  - Shared Responsibility: Operating Systems, Network & Firewall Configurations
  - No Control or Visibility: Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection; Cloud Foundation Services (Compute, Storage, Database, Networking)
• 28. Data Access with Service Models
  ✔ = the customer has access to and control of that layer; ✘ = the layer is not exposed to the customer. "Local" is an on-premises deployment, where the customer holds every layer.

  Layer            SaaS   PaaS   IaaS   Local
  Networking        ✘      ✘      ✘      ✔
  Storage           ✘      ✘      ✘      ✔
  Servers           ✘      ✘      ✘      ✔
  Virtualization    ✘      ✘      ✘      ✔
  OS                ✘      ✘      ✔      ✔
  Middleware        ✘      ✘      ✔      ✔
  Runtime           ✘      ✘      ✔      ✔
  Data              ✘      ✔      ✔      ✔
  Application       ✘      ✔      ✔      ✔
  Access Control    ✔      ✔      ✔      ✔

  Read "Networking" here as the provider's network fabric; as the IaaS slide notes, customers may still control some components such as host firewalls.
• 29. Cloud Managed Service Models
  Both models use the same stack: Patient Data; Platform, Applications, Identity & Access Management; Operating Systems, Network & Firewall Configurations; Client-Side Data Encryption, Server-Side Encryption, Network Traffic Protection; Cloud Foundation Services (Compute, Storage, Database, Networking).
  - Basic DIY Model: two responsibility bands, Customer Responsibility above and Cloud Service Provider Responsibility below
  - Managed Cloud Services Model: three responsibility bands, Customer Responsibility, then Managed Services Provider Responsibility, then Cloud Service Provider Responsibility; the managed services provider takes over part of what the customer would otherwise own in the DIY model
• 30. HIPAA Security Rule Responsibility RACI (Responsible, Accountable, Consulted, Informed)

  Requirement                          Covered Entity  Business Associate  Services Provider  Cloud Provider
  Security Management Process          A, R            R                   I                  I
  Assigned Security Responsibility     A, R            R                   I                  I
  Workforce Security                   A, R            R                   I                  I
  Access Management                    A               R                   R                  I
  Incident Procedures                  A               R                   C, I               I
  Contingency Plans                    A               R                   C, I               I
  Evaluation                           A               C, I                R                  I
  Business Assoc. Contracts            A, R            I                   -                  -
  Physical Access Controls             A               I                   I                  R
  Logical Access Controls              A               C, I                R                  I
  Workstation Use & Security           A, R            R                   I                  -
  Device & Media Controls              A               C, I                R                  R
  Audit Controls                       A               R                   R                  C, I
  Data & System Integrity              A               R                   R                  C, I
  Person or Entity Authentication      A               C, I                R                  I
  Transmission Security                A               R                   R                  C, I
  Policies, Procedures & Documentation A, R            C, I                C, I               C, I

  The Covered Entity is Accountable on every row: accountability for Security Rule compliance is not transferred by outsourcing the work.
• 31. IaaS Deployment RACI Use Case
  Scenario: a Covered Entity uses a cloud-based appointment-setting application; the infrastructure is managed by a dedicated healthcare cloud provider (the Services Provider) and located on a public cloud.

  Task                                         Covered Entity  Business Associate  Services Provider
  IaaS tasks
  Provision Storage Account                    I               C, I                A, R
  Provision IaaS Networking                    I               C, I                A, R
  Firewall Management, Configuration           I               C, I                A, R
  Breach Notification Plan                     I               C, I                A, R
  Data Encryption at Rest & In Flight          I               C, I                A, R
  Provision IaaS Virtual Machine               I               C, I                A, R
  OS Deployment & Hardening                    I               I                   A, R
  OS Security Patch Management                 I               C, I                A, R
  Backup                                       I               C, I                A, R
  Antivirus/Antimalware, Endpoint Protection   I               I                   A, R
  App Installation, Configuration              I               C                   A, R
  Monitoring (fabric, OS, app platform)        I               C, I                A, R
  Monitoring Alerting / Notification           I               I                   A, R
  Desired State Configuration                  I               C, I                A, R
  Vulnerability Scanning                       I               I                   A, R
  Application tasks
  Provision Application Services instance      I               A, R                I
  CMS Install, Setup, and Maintenance          I               A, R                C, I

  This matrix assigns day-to-day operational roles, which is why the Covered Entity appears only as Informed; compare the Security Rule RACI on slide 30, where the Covered Entity remains Accountable for every requirement regardless of who performs the work.
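The summary slide that follows recommends building a RACI with your provider up front and reviewing it regularly. The first thing to review is whether the matrix is internally consistent: every task has exactly one Accountable party, someone is Responsible, and the data owner never drops off a row. The script below is an added example written for this page, not code from the webinar or from ClearDATA. The task and party names are transcribed from the use-case slide above; the validation rules, the `DRAFT_RACI` with its deliberate defects, and all function names are this example's own assumptions.

```python
"""RACI consistency checker for a cloud shared-responsibility matrix.

Added example for this page, not code from the webinar or its authors.
Party and task names are transcribed from the IaaS use-case slide; the
checks (one Accountable per task, at least one Responsible, the data
owner never dropped) are this example's own rules, not the deck's.
"""
from copy import deepcopy
from typing import Dict, Iterable, List, Set

Cell = str               # one RACI cell, e.g. "A, R", "C, I", "I", "-"
Row = Dict[str, Cell]    # party -> cell
Matrix = Dict[str, Row]  # task -> row

PARTIES = ("Covered Entity", "Business Associate", "Services Provider")
VALID_CODES = set("RACI")


def _row(ce: Cell, ba: Cell, sp: Cell) -> Row:
    return dict(zip(PARTIES, (ce, ba, sp)))


# Transcribed from the use-case slide: the Services Provider is A,R for every
# IaaS task, the Business Associate is A,R for the two application tasks, and
# the Covered Entity is kept Informed throughout.
USE_CASE_RACI: Matrix = {
    "Provision Storage Account":                  _row("I", "C, I", "A, R"),
    "Provision IaaS Networking":                  _row("I", "C, I", "A, R"),
    "Firewall Management, Configuration":         _row("I", "C, I", "A, R"),
    "Breach Notification Plan":                   _row("I", "C, I", "A, R"),
    "Data Encryption at Rest & In Flight":        _row("I", "C, I", "A, R"),
    "Provision IaaS Virtual Machine":             _row("I", "C, I", "A, R"),
    "OS Deployment & Hardening":                  _row("I", "I",    "A, R"),
    "OS Security Patch Management":               _row("I", "C, I", "A, R"),
    "Backup":                                     _row("I", "C, I", "A, R"),
    "Antivirus/Antimalware, Endpoint Protection": _row("I", "I",    "A, R"),
    "App Installation, Configuration":            _row("I", "C",    "A, R"),
    "Monitoring (fabric, OS, app platform)":      _row("I", "C, I", "A, R"),
    "Monitoring Alerting / Notification":         _row("I", "I",    "A, R"),
    "Desired State Configuration":                _row("I", "C, I", "A, R"),
    "Vulnerability Scanning":                     _row("I", "I",    "A, R"),
    "Provision Application Services instance":    _row("I", "A, R", "I"),
    "CMS Install, Setup, and Maintenance":        _row("I", "A, R", "C, I"),
}


def parse_cell(cell: Cell) -> Set[str]:
    """'A, R' -> {'A', 'R'}; '-' or '' -> empty set (no role on this task)."""
    return {tok.strip().upper() for tok in cell.split(",")
            if tok.strip() and tok.strip() != "-"}


def validate_raci(matrix: Matrix,
                  parties: Iterable[str] = PARTIES,
                  always_present: Iterable[str] = ("Covered Entity",)
                  ) -> Dict[str, List[str]]:
    """Return {task: [problem, ...]} for every task that breaks a rule.

    Rules: cells use only R/A/C/I; exactly one party is Accountable; at least
    one party is Responsible; each party in `always_present` (the data owner)
    holds some role on every task, so nothing touches its data without it at
    least being Informed. An empty dict means the matrix is consistent.
    """
    parties = tuple(parties)
    problems: Dict[str, List[str]] = {}
    for task, row in matrix.items():
        roles = {p: parse_cell(row.get(p, "-")) for p in parties}
        issues: List[str] = []
        unknown = set().union(*roles.values()) - VALID_CODES
        if unknown:
            issues.append(f"unknown role code(s) {sorted(unknown)}")
        accountable = [p for p, r in roles.items() if "A" in r]
        if len(accountable) != 1:
            issues.append("expected exactly one Accountable party, "
                          f"found {len(accountable)}: {accountable}")
        if not any("R" in r for r in roles.values()):
            issues.append("no Responsible party")
        for p in always_present:
            if not roles.get(p):
                issues.append(f"{p} has no role (not even Informed)")
        if issues:
            problems[task] = issues
    return problems


def report(problems: Dict[str, List[str]]) -> str:
    """Human-readable summary, one line per problem."""
    if not problems:
        return "RACI consistent"
    return "\n".join(f"{task}: {msg}"
                     for task, msgs in problems.items() for msg in msgs)


# Constructed draft (hypothetical): the same matrix with the defects a first
# round of negotiation with a provider commonly produces.
DRAFT_RACI: Matrix = deepcopy(USE_CASE_RACI)
DRAFT_RACI["Backup"]["Business Associate"] = "A, R"             # two Accountable
DRAFT_RACI["Vulnerability Scanning"] = _row("-", "C, I", "C, I")  # nobody owns it

if __name__ == "__main__":
    print(report(validate_raci(USE_CASE_RACI)))
    print(report(validate_raci(DRAFT_RACI)))
```

Run as-is, the use-case matrix passes and the draft reports Backup with two Accountable parties and Vulnerability Scanning with no owner, no Responsible party, and the Covered Entity missing entirely. The `always_present` rule is the one worth keeping strict: a task that a provider owns outright is acceptable, but a task the data owner is not even Informed about is where breach-notification timelines get missed.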
• 33. Summary
  - Know your workload requirements: integration requirements and dependencies; specific architecture, compliance and security requirements
  - Fit the service model to the workload requirements: IaaS vs. PaaS vs. SaaS offer different levels of control and information access
  - Define responsibilities with your provider: create a RACI with your provider up front, and establish regular reviews to ensure the responsibilities of both you and the provider are being fulfilled
• 35. Chris Bowen, MBA, CIPP/US, CIPT, Chief Privacy & Security Officer; chris.bowen@cleardata.com; (602) 635-4002; 1600 W. Broadway Road, Tempe, AZ 85282