By Hector Rodriguez, Worldwide Health Chief Information Security Officer, Microsoft & Matthew Datel, Manager, Assessor Program & Assurance Strategy, HITRUST®

Protecting sensitive information is a challenge for any organization. And our brave new world of connected hybrid-heterogeneous cloud environments, while creating new opportunities, also expands the potential for cyber attacks. When organizations stand up new services or move existing applications to the cloud, IT security efforts need to be coordinated amongst business units and with multiple third-party partners; these partners can range from cloud platform providers to application providers as well as partners who oversee the operating systems on your end-user and network devices.

“There are many steps to consider for IT security along the cloud path,” says Matt Rathbun, who served as chief security officer-Azure Global at Microsoft from 2015 through 2018. “Is it the device provider’s responsibility? The cloud platform provider’s responsibility? The customer who owns the data? To guarantee data is secure, you have to clearly articulate who owns what, where there are security gaps, and who will close those security gaps.”

As sensitive information flows back and forth among devices and servers in the cloud, it’s critical to document where the security responsibilities begin and end for your organization and all of your service provider partners. You then need to identify the gaps and determine who will close those gaps.

Solving the Risks and Complexities of Cloud Security

With the introduction of the Shared Responsibility Program, by HITRUST, there is now a path forward to address the misunderstandings, risks and complexities when partnering with service providers to provision cloud applications—by clarifying the roles and responsibilities over the operation of each security control to protect information. The program also automates and streamlines the assurance process to measure and certify the effectiveness of security controls applied by organizations and their third-party service providers that handle the various components for provisioning applications and connecting devices via the cloud.

When moving to the cloud, determining where the responsibility for privacy and security lies among all the parties is sometimes confusing. Depending on the scenario, it could be the cloud provider, the customer, another provider, or even a shared model. There needs to be agreement on where the responsibilities lie.

Of course, there is seldom a single partner. And, therefore, very seldom a single agreement. To paint the supply chain picture accurately, organizations need to approach this challenge not from a supplier-by- supplier perspective. Rather, organizations require a view into the risks mapped to the controls implemented across all environments.

The Shared Responsibility Program capitalizes on HITRUST’s expertise in managing information risk and protecting sensitive information. Organizations can remove the guesswork, ambiguity and confusion in understanding the roles and responsibilities among their service providers relating to shared and inherited controls by clearly outlining data governance, information risk management and regulatory compliance requirements. By leveraging the program, organizations can solve the challenge of dealing with the time-consuming effort to determine who is responsible for the operation of security controls when they exchange information with third-party service providers.

Utilizing the Shared Responsibility Program is beneficial not only for organizations delivering applications via the cloud, but also for the service providers that deliver cloud-based services and manage customer devices that interact with the cloud. If a breach occurs that exposes sensitive information, fingers will be pointing in every direction. By insisting on a shared responsibility model that clearly points out the security responsibilities for customers and all third-parties, service providers can focus on their defined responsibilities and respond to their customer with relevant feedback how their controls and responsibilities were, or were not met, during the security incident.

Key Elements of the HITRUST Shared Responsibility Program

To build the Shared Responsibility Program, HITRUST worked with a group of security experts from leading cloud service providers and professional services firms. The program consists of four main elements to identify the respective security control responsibilities of organizations and their service providers. The elements also provide guidance to ensure an effective assessment and review of the controls when auditors come knocking:

  • The HITRUST CSF® helps organizations delineate security responsibilities and accountability for controls that are leveraged in outsourcing arrangements, including those where shared responsibility occurs.
  • The Shared Responsibility Matrix lists the common set of shareable and inheritable controls based on a specific third-party service provider’s HITRUST CSF Certification. The matrix includes recommendations for assigning responsibility for controls and specific requirements for shared controls, and it helps ensure all aspects of control responsibility are understood when outsourcing systems and services to third-parties.
  • The Shared Assurance Program ensures controls with shared responsibility are operating effectively with specific guidance for proper sampling, testing and scoring.
  • MyCSF Assessment Automation allows organizations to pre-populate their assessments with fully- inherited and shared responsibility control results directly from designated HITRUST CSF-certified service providers. MyCSF further streamlines the process for customers using certified service providers to complete their assessment and to reduce the effort during the assessment review process.

From our perspective, we are seeing a shift in security models that indicate the HITRUST Shared Responsibility Program is meeting a distinct need in the marketplace.

“A lot of traditional models of security are based around boundary controls at the network layer, but in the cloud, there is no network layer,” says Rathbun. “The modern security model is moving away from boundary-based controls in isolation to one where end-user and device identity represent the new plane of security.”

This is what we refer to as a supply chain of controls – such as adding multi-factor authentication and other well-defined access controls to enable data layer authorization. Focusing solely on the perimeter – especially as defined by the cloud service provider – can leave many gaps wide open. Conversely, a shared responsibility model that focuses on access control and other risk-mitigating controls regardless of the provider, ensures that the users and systems – and, more importantly, the data – remain protected regardless of the location and flow of the services and data.

The HITRUST Approach to Information Risk Management and Compliance

HITRUST understands the challenges of assembling and maintaining the many and varied programs, which is why our integrated approach ensures the components are aligned, comprehensive and continuously maintained to support an organization’s information risk management and compliance program.

The HITRUST Approach leverages these best-in-class components for a comprehensive information risk management and compliance program. The HITRUST Shared Responsibility Program integrates and aligns with our other programs and services, including:

  • HITRUST CSF®—a robust privacy and security controls framework.
  • HITRUST CSF Assurance Program—a scalable and transparent means to provide reliable assurances to
    internal and external stakeholders.
  • HITRUST Threat CatalogueTM—a list of reasonably anticipated threats mapped to specific HITRUST CSF
  • HITRUST MyCSF®—an assessment and corrective action plan management platform.
  • HITRUST Assessment EXChangeTM – an automated means of means of sharing assurances between
  • HITRUST® Third Party Assurance Program – a third party risk management process.
Original date of publication January 7, 2019.

Resource Center

More security resources at your fingertips.

Practical Content for Security, DevOps, & IT Professionals