Cloud Cybersecurity: Strategies for Managing Vendor Risk

As more organizations shift away from on-premise architectures toward the cloud or hybrid hosting models, critical cybersecurity concerns emerge. Organizations, especially health systems, should carefully examine the shared responsibility model in partnership with their cloud vendor.

Kevin Scharnhorst, Health Catalyst Chief Information Security Officer, shares perspectives on how your organization’s security program, through adherence to standards-based policy and procedures, can align with your cloud vendor on reduced organizational risk.


  1. © 2021 Health Catalyst. Cloud Cybersecurity: Strategies for Managing Vendor Risk. Kevin Scharnhorst, CISSP, CISM, Chief Information Security Officer, Health Catalyst. February 10, 2021
  2. Agenda: What You’ll Learn
     • Cloud Shared Responsibility Model – In a cloud vendor/partner relationship, who has responsibility for what? Who is ultimately accountable for a security compromise or breach?
     • Vendor Risk Evaluation – With so many cloud vendors to choose from, what factors go into a final decision? What risks do you consider? What risk management strategies should be considered?
     • Security Policy and Procedures – Where do you start with building a Security Program? What standards does your organization align to? What regulatory frameworks need to be considered?
     • Compliance – What considerations should be given to compliance? What audits and certifications can help? Are there strategies to consider with alignment to vendor audits and certifications?
     • The Journey – Improvement is continuous. What does the outlook look like for organizations beginning the journey at various maturity levels?
     • What’s At Risk? – We will look at a historical view of past and current breaches that establish the importance of a shared security model between organizations and their vendors.
  3. What is at Risk?
  4. U.S. Annual Data Breaches and Exposed Records 2005–2020 (Millions)
     [Chart: Data Breaches and Records Exposed Over Years; series: Data Breaches and Millions of Records Exposed, by year 2005–2020. Graph sourced from Identity Theft Resource Center, January 2021.]
     Statistics and predictions for 2021 from Cybersecurity Ventures:
     • More than 93% of healthcare organizations experienced a data breach between 2017 and 2020.
     • More than 57% have had more than 5 data breaches during the same time frame.
     • Predictions for 2021 estimate breaches at a pace of 2-3x more than 2020.
     • Ransomware attacks are predicted to grow by 5x in 2021.
  5. World’s Biggest Data Breaches & Hacks
     [Chart: breaches with greater than 30,000 records. Graph sourced from [source not captured].]
  6. World’s Biggest Data Breaches Within Healthcare in 2020
     [Chart: breaches with greater than 30,000 records. Graph sourced from [source not captured].]
  7. The Ultimate Goal is to Stay Out of the Bad Headlines
     That is the goal, but… if you and your vendor suffered a material data breach, could you together logically defend your combined cybersecurity practices to a very emotional audience?
  8. The Cloud Shared Responsibility Model
  9. The CIA Triad Is the Overarching Shared Goal and Objective
     [Image source not captured]
     • Confidentiality – Keeping sensitive information private (PHI, PII, IP, etc.). The goal is to prevent or minimize unauthorized access to data.
     • Integrity – Protects the reliability and correctness of data. To be maintained, objects must retain their veracity and be intentionally modified only by authorized subjects.
     • Availability – Authorized subjects are granted timely and uninterrupted access to the systems, networks and data needed to perform daily tasks.
  10. Types of Cloud Services (who manages each layer, per the slide’s four stacks)
     Layer                    On-Premise   IaaS     PaaS     SaaS
     Data                     Client       Client   Client   Vendor
     Applications             Client       Client   Vendor   Vendor
     Database                 Client       Client   Vendor   Vendor
     O/S                      Client       Client   Vendor   Vendor
     Virtualization           Client       Vendor   Vendor   Vendor
     Servers                  Client       Vendor   Vendor   Vendor
     Storage                  Client       Vendor   Vendor   Vendor
     Networking               Client       Vendor   Vendor   Vendor
     Infrastructure Hardware  Client       Vendor   Vendor   Vendor
  11. A Closer Look with the Health Catalyst Data Operating System (DOS™)
     [Diagram: DOS components placed across the SaaS, PaaS and IaaS layers: Web Applications, Analytic Accelerators, Dashboards, Analytic Engine, Metadata, Data Security, Machine Learning, Networking, Storage, Virtualization, Servers.]
  12. An Overview of the Cloud Shared Responsibility Model Using DOS™
     • Health Catalyst Data Operating System (DOS™) is offered as a Platform as a Service (PaaS), moving to SaaS.
     • It relies on a shared security model in which all layers above the Operating System (OS) level involve the partner managing some aspect.
     • On-premise components such as source systems, IPSec tunnels, points of contact, etc. are responsibilities not depicted that are retained by the customer.
  13. Security Policy and Procedures
  14. Know Your “What” and “Why” Before You Consider “How”
     • To build a comprehensive Information Security Management Program (or System) (ISMS) that considers layered security controls, you must FIRST know your business and the assets you wish to protect.
     • Once they are identified, consider a strategy for how you will classify or label those assets.
     • What vulnerabilities exist that are a threat to the assets you want to protect? Who is responsible for protecting them? Who is accountable for protecting them?
     • Risk management is at the core of a good Information Security Program.
  15. What Is the Risk (R)?
     R = ƒ(Inventory, Vulnerabilities, Threats, Exposure, Compensating Controls)
     R = Likelihood × Business Impact, considered for each of Confidentiality, Integrity and Availability
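As an added example (not from the deck or Health Catalyst), the R = Likelihood × Business Impact model above as a small risk register scorer; the 1-5 scales, the way threat, vulnerability and exposure combine, the multiplicative effect of compensating controls and the rating bands are my assumptions, not the presenter’s.

```python
# Added example, not from the deck: a risk register scorer for the slide's
# R = Likelihood x Business Impact model, with R a function of inventory,
# vulnerabilities, threats, exposure and compensating controls across C/I/A.
# Assumptions (mine): 1-5 ratings; likelihood = mean(threat, vulnerability,
# exposure); each control trims the remaining likelihood by its effectiveness;
# business impact = the highest of the C, I and A ratings.
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    threat: int          # 1-5: how active/capable the threat source is
    vulnerability: int   # 1-5: how weak the asset is against that threat
    exposure: int        # 1-5: how reachable the asset is (5 = internet-facing)
    impact: dict         # business impact per goal, e.g. {"C": 5, "I": 4, "A": 3}
    controls: list = field(default_factory=list)  # effectiveness of each control, 0.0-1.0

def likelihood(a: Asset) -> float:
    """Inherent likelihood (mean of the drivers), reduced by each compensating control."""
    like = (a.threat + a.vulnerability + a.exposure) / 3.0
    for eff in a.controls:
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"{a.name}: control effectiveness {eff} not in [0, 1]")
        like *= 1.0 - eff   # a control removes its share of what remains
    return like

def business_impact(a: Asset) -> int:
    """Worst-case impact across Confidentiality, Integrity and Availability."""
    return max(a.impact.get(goal, 1) for goal in ("C", "I", "A"))

def risk(a: Asset) -> float:
    """R = Likelihood x Business Impact, on the post-control (residual) likelihood."""
    return round(likelihood(a) * business_impact(a), 2)

def band(r: float) -> str:
    """Coarse rating band for reporting (thresholds are an assumption)."""
    return "Critical" if r >= 15 else "High" if r >= 10 else "Medium" if r >= 5 else "Low"

def rank_register(inventory: list) -> list:
    """(name, R, band) rows, highest residual risk first, so follow-up starts there."""
    rows = [(a.name, risk(a), band(risk(a))) for a in inventory]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample inventory for illustration only.
SAMPLE_INVENTORY = [
    Asset("EHR database", 5, 3, 4, {"C": 5, "I": 4, "A": 3}, controls=[0.5]),
    Asset("Vendor SFTP drop", 4, 4, 4, {"C": 5, "I": 3, "A": 2}, controls=[0.25, 0.2]),
    Asset("Public marketing site", 3, 2, 5, {"C": 1, "I": 2, "A": 2}),
]
```

Running `rank_register(SAMPLE_INVENTORY)` puts the vendor-facing SFTP drop ahead of the EHR database: its two weaker controls leave more residual likelihood than the single stronger control on the database, which is the kind of shared-responsibility gap the deck asks you to track.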
  16. Compliance Examines An Organization’s Security Processes
     • Security policies and standards are arguably the most important aspect of any security program.
     • When written and communicated correctly, they inform staff, vendors and contractors of acceptable conduct within the work environment.
     • Process documentation provides instruction for how compliance is achieved and evidenced.
  17. Security Aims To Protect Information and Technology Assets
     • Security is a clear set of technical systems, tools and processes put in place to protect and defend the organization’s information and technology assets.
     • Always consider the people, processes and technologies that are involved with your assets.
     • When Compliance and Security align in a systematic and controlled way, that is the first step toward reducing risk.
  18. The Challenge in Achieving Perfect Balance
     • Information agility and security are inversely proportional, opposing forces.
     • Maximizing one minimizes the other.
     • Finding the perfect balance between the two is an art, not a science.
     • Where a clear decision between the two does not exist, let your risk appetite inform it.
     • When your organization and vendor cannot align, let your regulatory compliance frameworks guide the path forward.
  19. Compliance
  20. Poll Question #1 – What regulatory frameworks apply to your organization? Select all that apply.
     • HIPAA – 85.71%
     • PCI DSS – 34.29%
     • GDPR – 25.71%
     • State Based Data Privacy framework (CCPA) – 28.57%
     • Unknown – 14.29%
  21. Poll Question #2 – Considering your vendors, which is the MOST IMPORTANT certification you consider?
     • SOC 2 – 14.29%
     • HITRUST CSF – 34.29%
     • ISO 27001/2 – 14.29%
     • My organization’s own risk assessment process – 11.43%
     • Unsure – 25.71%
  22. Common Compliance Frameworks
  23. Well-known Cyber Security Frameworks
     [Image sources not captured]
  24. Compliance Audits and Certifications
     SOC Reports are Service Organization Control Reports that deal with managing financial or personal information at a company. There are three different SOC Reports. SOC 1 and SOC 2 are different types, with SOC 1 applying to financial information controls, while SOC 2 compliance and certification covers personal user information. SOC 3 Reports are publicly accessible, so they do not include confidential information about the company. These reports apply for a specific period, and new reports consider any earlier findings. The American Institute for Chartered Public Accountants (AICPA) defined them as part of SSAE 18.
  25. Compliance Audits and Certifications
     ISO 27001/2 certifications are a globally recognized, standards-based approach to security that outlines requirements for an organization’s Information Security Management System (ISMS).
     The HITRUST CSF leverages nationally and internationally accepted standards including ISO, NIST, PCI and HIPAA to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.
     HIPAA: Measures compliance with HIPAA and offers the assurance that the organization has a HIPAA-compliance program with adequate measures for saving, accessing, and sharing individual medical and personal information.
  26. Vendor Risk Evaluation
  27. Vendor / Partner Considerations
     • Non-Disclosure Agreements (NDAs)
     • Business Associate Agreements (BAAs)
     • Data Use Agreements (DUAs)
     • Service Level Agreements (SLAs)
     • Operational Level Agreements (OLAs)
     • Compliance Audits and Certifications
  28. Internal, External and Vendor Risk Assessments
     • Internal GRC teams audit and assess organizational risks.
     • Independent third-party auditors offer an external perspective and credibility.
     • Perform compliance and risk assessments on your vendor supply chain.
     • Value certifications that overlap between your vendor and your organization.
  29. Coming Back Full Circle…
     • Where are your shared responsibilities?
     • Do your and your vendors’ compliance frameworks align?
     • Do your certification strategies align, to hopefully minimize your own efforts for certifications?
     • How will you assess alignment and track shared risk (misalignment)?
  30. The Journey is Continuous… Embrace It
     [Image source not captured]
  31. Poll Question #3 – If you would like to learn more about Health Catalyst products and services, please answer this poll question: • Yes • No
  32. Questions? Kevin Scharnhorst, CISSP, CISM, Chief Information Security Officer, Health Catalyst