The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is one of the industry’s most widely adopted security frameworks. As a designated HITRUST CSF Assessor, Wipfli helps health care clients and business associates alike with HITRUST programs and does so in a variety of capacities.
Lately, we’ve uncovered uncertainties about cloud computing services with regard to HITRUST compliance—in particular, whether Amazon Web Services (AWS), Microsoft Azure, or other third-party tools offer features that can help address the assurances required across the 19 CSF assessment domains.
Although Wipfli does not have hands-on management expertise with AWS or Azure, we do perform a number of baseline assessments and have encountered features that are inherent in these services as well as other third-party tools.
Therefore, in the interest of shedding light on the possibilities, this series of articles will share some of the useful tools and features we’ve encountered while performing assessments. This is not intended to be a comprehensive list; rather, it’s a list of constructive observations. The intent is to share examples of tools that can help with HITRUST compliance by mentioning as many of the most useful offerings as possible. And if your organization already pays for an enterprise security solution, by all means ask your vendor if it can also provide some of the other security controls mentioned in this series of articles.
Keep in mind that any given tool described herein may perform a variety of security tasks. Just because one tool is mentioned as being helpful for a specific domain, like encryption, for example, and another is highlighted as being helpful for endpoint protection, it doesn’t necessarily mean that either tool can’t be used for either task.
We’ll simply go down the list of HITRUST CSF assessment domains and call attention to those tools which come up most frequently and/or heavily promote specific security features.
Let’s start with the first domain in the CSF scope: Information protection program.
Information Protection Program: Using AWS and Azure
One of the chief advantages of leveraging AWS or Azure is that these solutions come from companies with deep resources at their disposal. Therefore, both Amazon and Microsoft have been able to obtain certifications in a wide variety of security standards including those important to the health care industry.
One of the main concerns of HITRUST is that security programs be based on industry-accepted frameworks and meet regulations to be HIPAA compliant. AWS and Azure conform on both counts. Both AWS and Azure can provide numerous certifications in support of compliance with various security frameworks. Among them:
- Cloud Security Alliance (CSA)
- ISO* 9001, 27001, 27017, 27018
*Frameworks that HITRUST also incorporates.
When using AWS or Azure, it’s important to note that neither can ensure all aspects of your environment are secure. Instead, both include a “shared responsibility” agreement. Both companies give their own examples of what they consider to be their company’s responsibilities and those of the customer.
The following diagrams from the respective company websites further illustrate this point.
Both illustrations are useful in understanding some of the pros and cons of cloud-hosted environments and solutions. As the illustrations point out, the actual infrastructure is normally the responsibility of cloud providers. They provide the computing resources, networking, storage locations, and redundancy. A lot of the security responsibility, however, is still on the customer. It is the customer’s responsibility to secure client data, set up and manage applications, configure network security, and handle encryption.
The good news is that both platforms provide plenty of tools, either directly or from third parties, for customers to use in securing their environments. However, such tools do require use by someone who is knowledgeable about how to set up and manage them properly.
Another important factor to understand is cloud-hosted environments (as illustrated in the Azure example). While hosting in the cloud might have started primarily as an Infrastructure as a Service (IaaS) offering, it has now evolved into both Platform as a Service (PaaS) and Software as a Service (SaaS). The latter two are the standards that most technology is moving toward, yet it is important to understand what all three mean.
- IaaS is really just a virtual machine, nearly identical to buying some computers and a rack and setting them all up as an on-premise solution; the difference with IaaS is that all the components are instead purchased by AWS or Azure. These components have already been set up, and access is provided. However, the customer is still responsible for pretty much everything else, such as security patches (keeping Windows updated), management of applications, and setting up of virus scanners, databases, etc.—all aspects other than buying the actual machines.
- PaaS puts much more of the security management in the hands of the cloud-hosting provider. Here, almost all aspects of the machine itself are managed by AWS or Azure. The only thing required of customers is to deploy their applications and manage their data.
- With SaaS, all that customers must do is manage users. Think of Salesforce.com or Office 365 as examples. They are platforms that have been set up, and customers are simply given access. For the most part, people use them "out of the box.”
It’s important to note that as the preferred method of deployment moves from IaaS to PaaS, more of the security responsibility falls on the provider, yet the provider also inherits more control over customers’ operations. Therefore, much more faith in providers and their ability to keep client data and intellectual property safe is required.
When it comes to overall cloud security compliance and management, both AWS and Azure offer tools.
Azure Security Center. This tool gives an organization a complete overview of its environment's security health. It allows an organization to define and enforce technical security policy. It will point out security gaps and then walk users through ways they can remediate the issues with either first-party solutions from Microsoft or solutions from a third party.
For example, if there is a firewall gap, Barracuda is available to remediate the issue if an organization believes Microsoft's solution is not adequate.
Also included with this tool is a dashboard that gives organizations insights into their environments, including suspicious or obvious malicious activity. It is important to understand, however, that this service is not a default, nor is it free. In fact, consider the following factors:
- Data collection (a setting in Azure) must be turned on. (It is off by default.)
- The data collection uses Azure Blob Storage, which costs money as more space is used.
- Security policies must be manually configured.
- The machine learning and security alerts used by the security center incur a cost per resource.
AWS Trusted Advisor. This tool is very similar to Azure's offering. It, too, includes analysis of an environment and will point out security gaps and offer options for remediation, including third-party solutions. The tool also suggests other AWS services such as help for identifying areas where money can be saved and overall performance can be improved.
AWS Config. This is another security tool Amazon offers, allowing an organization to define and fully configure a security environment. The tool advertises audits, change management, and security incident management and remediation.
As with Azure, these tools are not free, and while some of the features are available just by using AWS, the most useful and important tools are behind a paywall.
Next up: The CSF assessment domains of endpoint protection, portable media security, and mobile device security. As all of the domains are covered in subsequent articles, the tool sets of AWS and Azure, as well as other third-party options, will be examined in greater detail.