Tag Archives: cloud computing

Data in the Clouds: Cloud Storage Offers Businesses Flexibility & Convenience

Is on-premise storage a thing of the past? Is all storage inevitably moving to the cloud? If you’re in IT, you are no doubt keeping a close eye on the shift taking place in data storage infrastructure.

Organizations are increasingly adopting cloud storage options because they need more capacity, flexibility and a better way to manage storage costs. Additionally, many industries are taking advantage of remote-work options, giving their employees the ability to complete their tasks from home or while on the go.

It’s not surprising then that many businesses are supplementing their current storage with cloud data storage.

HHS Issues Important Cloud Computing Guidance

There has historically been confusion surrounding cloud service providers (CSPs) and their related HIPAA compliance. To help provide clarity, the Department of Health and Human Services’ Office for Civil Rights (OCR) released guidance on HIPAA and cloud computing.

Healthcare organizations looking to implement cloud computing services to manage protected health information can use this guidance as a resource to address their HIPAA compliance concerns.

Are Cloud Providers Business Associates?

The big question in the healthcare sector revolves around whether or not CSPs qualify as business associates, and therefore, whether HIPAA regulations apply to them. For the most part, the answer is yes.

If a CSP is used to create, receive, maintain, store, or transmit protected health information on behalf of a HIPAA-regulated entity, they are in fact a business associate under HIPAA. The same applies to CSPs that only store encrypted information and don’t keep the decryption key.

The only exception relates to de-identified information. A CSP does not qualify as a business associate if it only receives and maintains information that has been de-identified following the protocols in the HIPAA Privacy Rule.

Business Associate Agreements

With CSPs falling under the umbrella of business associates, the discussion turns to the required agreements healthcare organizations need to have in place.

To comply with HIPAA, CSPs must enter into a business associate agreement (BAA) with the HIPAA-regulated entity they are engaging. CSPs will therefore be contractually liable under the BAA, and directly liable as a business associate for compliance with any applicable requirements under HIPAA rules.

Other service level agreement (SLA) provisions will need to be addressed and considered with the HIPAA rules in mind. SLA provisions often touch on system availability and data recovery, and these are specific areas addressed under HIPAA.

BAAs with CSPs also need to include incident notification provisions. The HIPAA Security Rule requires business associates to report any security incidents to the covered entity or upstream business associate.

Key Takeaway

Cloud services are often adopted in the healthcare sector as a means of cost saving or increased efficiency in operations. Companies engaging in cloud services need to perform a risk assessment to get an understanding of how their practices involving protected health information are affected.

As far as HIPAA compliance is concerned, OCR has given the healthcare sector a definitive answer: CSPs are considered business associates under HIPAA even if they only store encrypted ePHI.

DoD Issues New Cyber Incident Reporting Requirements

The Department of Defense issued new interim rules amending the Defense Federal Acquisition Regulation Supplement. The important provisions include expanded incident reporting requirements for contractors and increased security requirements for cloud service providers.

DoD added several regulatory definitions to contractors’ security requirements, including:

  1. Compromise: A disclosure of information to unauthorized persons or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.
  2. Cyber Incident: Actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing within that system.
  3. Media: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, large-scale integration memory chips, and printouts onto which covered defense information is recorded, stored, or printed within a covered contractor information system.

Contractors and subcontractors are now required to report such cyber incidents to the DoD within 72 hours of discovery.

For cloud computing providers, the new provisions require that government data not stored onsite at DoD be kept within the U.S. or its outlying areas.

The DoD’s new interim rules create additional requirements that government contractors must become familiar with to stay in compliance with the Defense Federal Acquisition Regulations.

Survey Results – One-Third of U.S. Businesses Suffer IT Failures Caused by Non-Work Related Use


A survey of U.S. businesses released by GFI Software indicates the use of company devices for personal use is leading to major downtime and loss of confidential data.

The employers of more than one-third of those surveyed (38.6 percent) had suffered a major IT disruption caused by staff visiting questionable and other non-work related web sites with work-issued hardware, resulting in malware infection and other related issues. Nearly half of those surveyed (48 percent) use a personal cloud-based file storage solution (e.g. Dropbox, OneDrive, Box) for storing and sharing company data and documents.

The blind, independent study, conducted for GFI Software by Opinion Matters, surveyed 1,010 U.S. employees from companies with up to 1,000 staff that had a company-provided desktop or laptop computer. Other key findings include:

  • 66.9 percent of respondents use their work-provided computer for non-work activities
  • More than a quarter (25.6 percent) have had to get their IT department to fix their computer after an issue occurred as a result of innocent non-work use, while almost 6 percent (5.8) had to do the same due to questionable use (porn, torrents, etc.)
  • 10 percent have lost data and/or intellectual property as a result of the disruption caused by the outage

“Data security and integrity is a big challenge for companies as a result of the widespread movement away from desktop computers to laptops. Since laptops are usually brought home, they frequently get used out-of-hours for both work and non-work activities. Without clear policies and guidelines in place on approved personal use boundaries – backed up with technology to limit access to the most challenging parts of the internet – the dividing line between work tool and personal device can quickly become blurred,” said Sergio Galindo, general manager of GFI Software.

“Data protection is a big problem, and one that has been exacerbated by the casual use of cloud file sharing services that can’t be centrally managed by IT. Content controls are critical in ensuring data does not leak outside the organization and doesn’t expose the business to legal and regulatory compliance penalties. Furthermore, it is important that policies and training lay down clear rules on use and reinforce the ownership of data,” added Galindo.

Cloud Security Alliance Updates Two Key Documents

The Cloud Security Alliance (CSA) has released updates to the Consensus Assessments Initiative Questionnaire (CAIQ) v3.0.1 and the Cloud Controls Matrix (CCM) v3.0.1.

The CSA CAIQ can be used as an initial exploratory document between a cloud customer and provider. It includes a question set with a simplified distillation of the issues, best practices, and control specifications from the CSA CCM intended to identify areas for additional discussion between consumer and provider.

The CSA CCM provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.

EU Subgroup Issues Cloud SLA Standardization Guidelines

The European Commission has issued guidelines on the standardization of service level agreements for cloud services providers. The guidelines were prepared by the Cloud Select Industry Group – Subgroup on Service Level Agreements (C-SIG-SLA). The document provides a set of SLA standardization guidelines for cloud service providers and professional cloud service customers, while ensuring the specific needs of the European cloud market and industry are taken into account.

Unauthorized Access of Cloud Services Control Panel Leads to Company Shutdown

Code Spaces, a code-hosting and project management services provider, has been forced to cease operations after a hacker gained access to its Amazon EC2 control panel. Most of Code Spaces’ data, backups, machine configurations and offsite backups were either partially or completely deleted by the unauthorized user.

According to the CodeSpaces.com home page, “Code Spaces will not be able to operate beyond this point; the cost of resolving this issue to date and the expected cost of refunding customers who have been left without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.”

Key Takeaway: Moving to the cloud has real risks. Work with your provider and IT team to ensure that secure backups and other protections are in place to enable your organization to survive compromise.

(ISC)2 and Cloud Security Alliance to Create Professional Certification for Cloud Security

(ISC)2®, the world’s largest not-for-profit information security professional body and administrator of the CISSP®, and the Cloud Security Alliance (CSA), a not-for-profit organisation with a mission to promote the use of best practices for providing security assurance within cloud computing, announced they have signed an agreement to collaborate on a new professional certification for information security. The combined initiative will establish a common global understanding of professional knowledge and best practices in the design, implementation and management of cloud computing systems. The new credential will build on existing certifications offered by both organisations, including (ISC)2’s Certified Information Systems Security Professional (CISSP) and CSA’s Certificate of Cloud Security Knowledge (CCSK). The new credential and first examinations are due to be available in 2014.

US DOC Document Clarifies Safe Harbor Framework and Cloud Computing

The United States Department of Commerce’s International Trade Administration has issued Clarifications Regarding the U.S.-EU Safe Harbor Framework and Cloud Computing, addressing various aspects of the U.S.-EU Safe Harbor Framework and its applicability to the cloud computing sector. The document is meant to provide prospective or existing participants in the U.S.-EU Safe Harbor program with a resource they can use when concerns are raised about the interplay between the program and cloud computing. According to the document, “This clarification was prepared, in part, to respond to inquiries generated by the July 2012 Article 29 Working Party Opinion on Cloud Computing, as well as an opinion and various statements made by certain EU Member State data protection authorities.”