Picking the Right Cloud VendorQuestions to Bring Up During Negotiations
At a minimum, organizations should understand how the vendor provides physical security for their locations. "You should be confident that the vendor employs a strong operational framework that sets the rules for access to the devices, how they handle removable media and of course the eventual destruction of that media," Witt says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below).
Witt suggests organizations find out how cloud computing vendors:
- Track who has access to servers and all storage media; and
- Apply encryption to protect data. He suggests making sure the vendor encrypts all removable media as well as all network communication. And, ideally, vendors should encrypt server drives as well, he says.
Witt offers other advice for working with cloud vendors, including:
- Ensure you receive data access logs as well as tracking reports for removable media.
- Define your rights in the event the vendor is acquired.
- For healthcare organizations: Enter a business associate agreement that addresses HIPAA and HITECH Act compliance issues. The agreement should carefully define responsibilities and liabilities in the event of a data breach.
Witt is president and co-founder of Wake Technology Services Inc., which provides information technology consulting in healthcare and other sectors. He has extensive experience as an IT engineer, project manager and product developer.
Defining Cloud ComputingHOWARD ANDERSON: Just for starters, why don't you give us a bit of a framework about cloud computing to start today's discussion?
CHRIS WITT: I always want to properly frame my comments and point of view so they're not taken out of context or people believe that I'm neglecting certain aspects of what they believe cloud computing to be. This might all be obvious, but I've run into a lot of confusion when discussing the cloud, and I assume our discussion is directed toward the public cloud. By this I'm referring to cloud services being provided by a third-party at one or more of their locations. This is different than what typically people call the private cloud, or private cloud services, which are hosted either out of your own data center or a co-location site that you are using for your data center services.
The reason for distinguishing between these two is that organizations will handle their private clouds in a very similar fashion to how they handle their traditional computing resources. However, a new security mindset needs to be focused on the public side because there are some different nuances to that. In addition, what also gets wrapped up in that umbrella of cloud services are applications. Cloud services really are just a platform or an infrastructure service that's being provided, and this is very different than what you would consider a hosted application. Whether or not that hosted application is "living in the cloud" or not, it really doesn't matter at that point because it doesn't matter what the platform is, as long as they live up to their contractual service levels.
Privacy and Security RisksANDERSON: What do you see as the biggest privacy and security risks posed by cloud computing as you defined it?
WITT: The greatest challenges are controlling the location of the data and who has access to it. They're the two main things that will keep CIOs up at night: Where is the data and who can touch it? Because those are the things, under HIPAA and the HITECH Act, that you must keep control of. But the power of the cloud is in removing the user from ... the storage and the network components by using virtualization technologies. This provides some great benefits when it comes to things like automatic provisioning, rapid deployment and, in general, better overall utilization of the assets themselves. However, this does come at the expense of losing direct control over those assets. In the cloud, you no longer own those devices. Somebody else owns and controls those devices. ... Data storage can live anywhere in the world and you would never know the difference whether it's down the street or on the other side of the world. This presents some problems when you have certain regulatory requirements that prohibit data from being located in other countries. I know in some of the European countries they're very restrictive on where healthcare data can reside -.the United States not so much, but there are other restrictions that fall under the HIPAA and HITECH umbrellas.
In addition to knowing where that data resides, a related risk is tracking who has access to it. By access, I'm referring to who has physical access to the location where those servers and the storage systems reside. It also refers to the system and storage administrators who have access to the devices for support purposes and physical media, such as the tapes and disk drives. For audit purposes, you need to be able to track all of these points of access, and while it's not impossible, the cloud does make it a little bit more difficult.
Cloud Computing ContractsANDERSON: What are the critical elements of a strong contract with a cloud computing company?
WITT: Before jumping into a contract and sitting down at the table with the cloud vendor, the organization has to perform some due diligence. This will make the contract negotiations go far smoother. So if you're not comfortable with how the cloud vendor runs their operation and you're not 100 percent confident that they can provide similar or even better protections than you are already providing, then you probably should not be moving forward with that vendor regardless of how good of a contract you can negotiate.
At a minimum, you should understand how the vendor provides physical security to their locations. You should be confident that the vendor employs a strong operational framework that sets the rules for access to the devices, how they handle removable media and, of course, the eventual destruction of that media because it's almost a cradle-to-grave type of scenario as far as the data is concerned. Then, once you're satisfied that the vendor is doing all the right things, you can then negotiate a contract that legally binds them to doing those things correctly.
Aside from the normal terms and conditions of a contract, you want to focus on certain measurable performance and penalty items that are specific to your needs in the world of cloud computing. But related to security and privacy, some of the items that you would probably want to include would be ensuring that you receive regular reporting that includes things such as physical location of data, access logs and tracking of that removal media I had mentioned earlier.
You also need to know how you'll get your data returned upon termination of the contract. This is not always an easy area, only because we're dealing with large volumes of data, especially in healthcare. When you're dealing with a lot of image data, things of that nature, you're in the large terabytes quantity of data and reaching petabytes of data ... that you just can't copy onto a thumb drive and go down the street and move to another vendor. The challenge is to make sure that all those ground rules are set in stone upfront so you know how to proceed in the event that you would terminate the contract because vendors are human. They can be less than helpful when you are transferring your business to a competitor.
Another area is you need to define how your data ... are destroyed upon decommissioning of the assets or termination of the contract. You want assurances that that the data will not live on beyond your use of it. That's a critical component.
You also need to define your rights in the event that a vendor is acquired. The cloud market is still relatively young, and we'll probably see some more mergers and acquisitions taking place before it does eventually stabilize and the larger players kind of bubble up. In most cases, this shouldn't present any problem, but if the acquiring organization is one that you do not care to do business with, then you definitely need an out.
One of the more important items in a contract that needs to be addressed is you need to define exactly how breaches or suspected breaches are handled. This is very important because in healthcare ... this is where all your liability is. With each of those items you define your expected outcomes, and then, just as important, you need to define your appropriate penalty for non-performance, and they need to be daunting enough that it would motivate the vendor to continue doing the right thing. ...
EncryptionANDERSON: Should organizations that use cloud computing demand the vendor make extensive use of encryption?
WITT: Ideally, yes. In a perfect world, end-to-end encryption provides the best protection; however, this is not always feasible. It's hard enough to get the application vendors to fully support server virtualization, let alone full encryption. ... At a minimum, you need to look at what are the encryption areas [that are essential] ... your high-risk areas. And then look at ones that would be the next tier of risk that you would like to see. Any tape or other removable media, should be encrypted. That's a no-brainer. All network communication should be encrypted. Again that's straightforward. They're the easy ones. Everybody already does this today or should be doing it. That next level or next tier should include SAN [storage area network] storage. There is technology available today to encrypt all data on the drives and it is able to do it without a significant performance penalty. Encrypting those drives protects the organization from someone pulling a drive out of a SAN and walking away with it. That's really what you want to do. ...
Business Associate AgreementsANDERSON: Finally, what details should be spelled out in a business associate agreement with the cloud computing vendor to adequately address HIPAA and HITECH Act compliance? Is that business associate agreement separate from the overall contract with the vendor?
WITT: What I have typically seen in working with clients and their attorneys is that the business associate agreement will always be separate and it will always take precedence over all the other agreements. ... Usually there's a whole list of different legal documents that are involved in deals, but the business associate agreement should always take precedence and it should always be focused on the HIPAA and HITECH compliance issues. As it relates to cloud computing, there really is nothing particularly different that would be spelled out in a BAA with a cloud vendor as opposed to any other vendor. It still needs to cover all the basic terms relating to access to PHI [protected health information], notification of access to PHI, notification of disclosure, things like that. It must also define a vendor's responsibilities and liabilities in the case of a disclosure.
Ideally the organization wants a BAA that provides them with unlimited liability relief so they're not burdened with any of the notification or legal costs related to a disclosure; but this is very difficult. Vendors do not like unlimited liability. But regardless of how much liability protection you're able to bake into the BAA, or ultimately whose fault it is for the disclosure, it will still be your organization's name in the headlines when a breach occurs. Ultimately, the BAA is a protecting document and it should be pretty much the same for all your vendors.