by John Howie, COO, Cloud Security Alliance
This week Microsoft announced that Windows Azure had completed an assessment against the Cloud Security Alliance Level 2 Cloud Controls Matrix as part of its Service Organization Control (SOC) 2 Type II audit conducted by Deloitte. This combined approach was recommended by the American Institute of CPAs (AICPA) and published in a position paper released with the Cloud Security Alliance (CSA) earlier this year, as part of our guidance on selecting the most appropriate reporting standard.
The guidance reflects the Cloud Security Alliance’s view that for most cloud providers, a SOC 2 Type II attestation examination conducted in accordance with AICPA standard AT Section 101 (AT 101) utilizing the CSA Cloud Controls Matrix (CCM) as additional suitable criteria is likely to meet the assurance and reporting needs of the majority of users of cloud services.
We would like to congratulate Microsoft for their continued leadership in being the first cloud provider to produce a SOC 2 report with CCM included as recommended by the AICPA and the CSA. Customers of Windows Azure will benefit from the comprehensive review of the company’s cloud controls in critical areas such as confidentiality, availability, and privacy.
We strongly encourage other providers to follow Microsoft’s lead by doing the same, as it will work to strengthen and preserve the confidentiality and privacy of data in the cloud for us all.
Visit the Windows Azure Security blog to learn more.
by Kamal Shah, VP, Products and Marketing at Skyhigh Networks
Cloud services are here to stay, and practically everybody is embracing them. In fact, the cloud computing industry is growing at the torrid pace of nearly 30% per year right now, according to Pike Research.
Certainly healthcare service providers are getting on the cloud services bandwagon, either by choice or by decree. As reported in Forbes, the Health Insurance Portability and Accountability Act (HIPAA) omnibus and the American Recovery and Reinvestment Act (ARRA) requirements stipulate that everyone in the healthcare industry must migrate their patient records and other data to the cloud. This is to facilitate medical professionals’ authorized access to electronic health records (EHRs) to improve patient care and reduce costs.
At the same time, healthcare organizations have an obligation to make sure that their use of cloud services is secure and that personal health information (PHI) is fully protected. The risks are huge if they don’t get this right. Any exposure of PHI is deemed a violation of HIPAA compliance, which can lead to steep fines and other costs for the healthcare service provider, not to mention the loss of trust and confidence of its patients.
Even the best of intentions can backfire on healthcare organizations. PHI doesn’t necessarily have to be lost or stolen in order to violate HIPAA’s letter of the law. The Oregon Health & Science University was recently cited for using an unsecured cloud platform to maintain a spreadsheet containing sensitive patient data. The intent was to make it easier to share accurate information about patients among the healthcare professionals involved in their care.
Unfortunately, the university didn’t have a contractual agreement to use the cloud service, so the privacy and security of the patient data could not be absolutely assured. Although officials don’t believe the incident will lead to identity theft or financial harm, the university is notifying affected patients as a matter of caution.
So, what’s the prescription for hospitals and other providers to reduce their risk when using cloud services? Security experts recommend a three-step process to facilitate cloud data protection:
- First, get an understanding of all the cloud services already in use by the organization. There’s probably a lot of unofficial “shadow use” of services that company officials aren’t aware of and that may put the organization at risk.
- Next, use big data analytics to understand this usage and to ensure that the organization’s policies are consistently enforced.
- And finally, for the recommended cloud services, secure the data in the cloud through contextual access controls based on user, device and location, encryption, and data loss prevention.
Read how one leading hospital put this framework to use and successfully reduced the risk of cloud services.