I read a piece this morning from Fierce HealthCare in which a well-known CIO (who will remain nameless) claimed that cloud computing is insecure. This is obviously something of a contrarian viewpoint, albeit a common one. Last year SkyHigh Networks came out with a similar statement, claiming that more than 13% of cloud services used in healthcare are high-risk and 77% are medium-risk.
Security has always been an interest of mine, and over the past twenty-five years I’ve seen many strong statements about the security of computer systems. Of late they have become more opinionated and, in my view, less supported by evidence.
What exactly is “high-risk” and how should a consumer of cloud services rate the risk of a service? Is it enough to ask for industry standard reports? Which reports should you believe?
Starting from the absolute basics: if your cloud service is handling PII, you’ve got to have a Business Associate Agreement. This is a legal promise that the vendor will treat the data appropriately, and it usually covers the following:
- Permitted uses and disclosures of PHI
- Each party’s responsibilities with respect to PHI
- Termination rights
- Indemnification language
What does this do for security? It obligates the other party to meet your obligations to your customer and holds them responsible if they breach those obligations. That’s it.
The next level up is a security report. Look, at a minimum, for a SOC 2 Type 2 – “a report on controls at a service organization provider relevant to security, availability, processing integrity, confidentiality and privacy”. These are issued by AICPA (the American Institute of CPAs).
There are two types of SOC 2 report, which have been creatively named Type 1 and Type 2. A Type 2 report covers the suitability of the control design and how well the controls actually operated over an extended period, and is based on an audit by a CPA and an information security specialist. A Type 1 report is just a statement of how management at the service provider intends to handle controls at a point in time.
Type 2 is essential for cloud providers. Period. It also needs to cover the security, availability and confidentiality trust principles at a minimum; privacy and processing integrity are highly desirable. It’s important to get a copy of the report and actually read it. Your mileage can vary …
I’m a huge advocate of the service provider claiming compliance with ISO 27001/27002. The supporting audit report will allow you to confirm that their Information Security Management System (ISMS) is up to snuff; in particular, it should cover the principles for initiating, implementing, maintaining, and improving information security management within their organization.
There are many other standards to consider. I think SOC 2 Type 2 and ISO 27001/27002 form a good foundation. Others may disagree …
So, back to high-risk. How do you determine whether your cloud provider is high-risk? Well, if you are a covered entity or its business associate, you are required to perform a risk assessment. This should involve the following actions:
- Inventory and prioritize assets
- Identify threats and vulnerabilities
- Review existing security controls
- Determine the likelihood of exposure
- Determine the impact of a security breach
- Prioritize and mitigate identified risks
- Establish a security incident response team
Guess what? If you are trying to evaluate the risk of your cloud provider, a lot of this information should already be present in their SOC 2 report. Grab the audit reports from your providers, sit down, and go through them carefully.
The point I’m trying to make here is that throwing around terms like “high-risk” is basically intellectually lazy. Did the authors of these web articles evaluate the standards reports from the organizations they are looking at? Some may have, but certainly not all. Evaluating the risk of a cloud provider is a complex activity, and it must be done in the context of a specific use of the service.
There are no shortcuts.