Even for Tolga Erbay, a man who makes his living in the world of data security, the number was startling.
Erbay, compliance manager for the popular online storage provider Dropbox, was at a recent Cloud Security Alliance conference in Germany. He struck up a conversation with an IT manager at a 150,000-employee company. An investigation into that company’s online activity found that employees were using nearly 900 cloud-based applications and programs that relied upon some form of online storage.
Only 20 of those applications were actually authorized by the company.
That gap between policy and practice is a huge problem for businesses. Especially in highly regulated industries, storing sensitive data in some external vendor’s digital vault can expose that data to security hazards and, quite likely, to the sort of compliance lapses that bring regulators calling.
Bans against certain technology and services do little to solve the problem in this age of “bring your own device.” Where once the IT department dictated what devices, programs, and online services could be used, employees are now, in effect, crafting their own IT usage policies.
“There is a role reversal in technology,” says Patrick Heim, Dropbox’s head of trust and security. “It used to be that IT was leading the discussion around what technology should be adopted inside of organizations. Now, IT is listening to employees, looking at what they are adopting to make them more efficient in their work lives. Ninety percent of cloud services are sourced independently by individuals, not the IT organization.”
The challenge is two-fold: keep employees happy and productive, but don’t allow the tools they use to harm the company. It can be easier said than done when many cloud service providers—Salesforce, Box.com, Dropbox, and others—make various security pledges as they push into the enterprise, even if those promises cannot be taken at face value.
Due diligence must be a priority for any company that uses a cloud-based service to store healthcare or financial data, says Gerald Werner, global director of information security at K2 Intelligence and a former IT security executive at the National Football League. The good news, he says, is that these companies were once prone to “overpromise a lot of services, knowing that rarely would they be challenged on any of them.” Recently they have “stepped up their game.”
While few can claim the sort of iron-clad protocols that would make a CCO sleep better at night, “cloud providers have made a lot of progress in a lot of areas,” Werner says. In addition to an internal focus on security and encryption, they are offering written policies and agreements to customers. For example, the Health Insurance Portability and Accountability Act requires third-party vendors to sign a business associate agreement.
“When we did research a year ago, there were only a few who would agree to do that,” he says. “Today, most of the major vendors will proactively give you this agreement and a whole package of information.”
Also up for review are self-certifications that various storage providers declare. A company cannot afford to take these assurances at face value. Initial vetting starts with a questionnaire, both internally and for the provider, Werner says. What kind of data is your company storing? How critical is that data? What happens if the data is exposed?
“The responsibility for businesses is to challenge the vendors to provide more detailed analysis reports,” Werner says. He suggests organizations like the Cloud Security Alliance as a resource for checklists to guide initial evaluations. HIPAA guidance and recent cloud-specific protocols in the PCI DSS framework are resources for healthcare entities and any company involved in payment transactions, respectively.
THE ROAD TO HIPAA COMPLIANCE
Any entity that handles personally identifiable health care records, or has access to that data as a business associate, should be familiar with both the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Health Insurance Portability and Accountability Act (HIPAA). Together, they impose requirements to ensure that the privacy and security of this information are preserved through risk assessments, mandatory controls, and reporting requirements in the event of a breach.
File-sharing services pose numerous hazards for handling PHI. PHI files can easily be synched to and stored on unencrypted, employee-owned desktops and mobile devices. The data can be compromised and shared with unauthorized personnel and even external parties. Once the data is out in the wild, auditing file access and usage requires nothing short of a miracle.
The road to HIPAA compliance for Dropbox, announced in October, was a 12-month process.
It all started, as is common with any new compliance certification, with a gap analysis. “You need to understand what you have or don’t have and take stock of that,” says Tolga Erbay, the company’s security risk and compliance manager. “In doing that we found that we already met all of the foundational requirements because we already had ISO 27001, ISO 27018, and Service Organization Control [SOC 2, SOC 3] certifications. We were confident of our privacy controls.”
Mission accomplished? No. “What we found, of course, is that every law has its own unique quirks,” Erbay says. “Every standard has different wording and interpretations of that wording. For us, the two major challenges were around setting up the structure for Business Associate Agreements. The way BAAs work with HIPAA, you need to identify your sub-processors and have written security agreements with them. There was a lot of lawyering and working with our partners to make sure we had the right agreements in place.”
A more technical challenge was meeting HIPAA’s line-item requirements for monitoring system activity. “Sometimes they were as vague as ‘thou shall monitor system activity.’ Then, you are trying to understand what activity counts and how much monitoring is enough. We used a lot of experience from the industry and other companies that have done this, from outside counsel to industry groups like the Healthcare Cloud Coalition.” Putting sufficient monitoring protocols in place, and “documenting them in a way that is provable,” was among the biggest challenges.
Mapping HIPAA’s security and privacy rule requirements to in-house controls was another important task. “That mapping will tie very closely to the controls you would see in a SOC 2 or ISO 27001 report,” Erbay says. “We are looking next year to have the HIPAA requirements added to our SOC 2 report, so the controls are directly mapped and tested.”
The strategy is to use one control set. “We are not going to build separate compliance programs for different pieces,” Erbay adds. “We are going to use one control set to meet the requirements as much as we can, across the board.”
Among the frameworks and regulations to both consider up front and continually monitor for compliance: ISO 27001 (security); ISO 27018 (privacy and data protection); a Service Organization Control 3 (SOC 3) assurance report to comply with standards set by the American Institute of Certified Public Accountants; the Cloud Security Alliance’s Security, Trust, and Assurance Registry (CSA STAR) certification; the U.S. Family Educational Rights and Privacy Act (FERPA); and the Children’s Online Privacy Protection Act (COPPA).
Are companies doing enough? “No,” Werner says bluntly. “People rarely read contracts before they sign with cloud providers.” Cloud services also aren’t going to give top-tier security away for free. “They count on customers asking them for specific services so they can generate more revenue from them.”
Surprisingly, Werner finds that many companies don’t demand regular updates and notifications on security issues. “Certain regulatory bodies need to be notified within a certain timeframe, so that requirement is clearly one of those things that needs to be a part of a contractual negotiation, so the cloud provider actually provides this notification,” he says. Companies should also demand up-to-date records of the aforementioned certifications, ideally validated by a third party. Werner says he has seen some providers hand over certification records that were two years old.
Log-in data is another concern. Companies will want to track who used a service, what they did, what files were added, and with whom those files were shared. “Almost all regulatory bodies demand that log-in information is maintained for at least a year,” Werner says. “Many cloud providers don’t do that. We have run into several instances where a cloud provider really only keeps log-in information for a couple of days unless a longer period is contractually agreed upon.”
If all this sounds complicated for companies, it is just as challenging for cloud providers themselves. Continuing its move from a purely consumer-based service to one that is enterprise-ready, Dropbox recently completed a year-long project to bolster its security and offerings. Notably, Dropbox announced in October that it is HIPAA-compliant.
“There was a great demand to legitimize Dropbox,” Heim says. “That drove the business demand to come up with a product that is certified from a compliance perspective.”
The goal, he says, is to have compliance and IT security officers view Dropbox as a risk management tool, not a risk.
The goal for cloud service providers—and the pitch for Dropbox’s new slate of enterprise-grade offerings as it goes head-to-head with others in that space—is to convince companies that they can handle offloaded data security needs more effectively than the resource-draining complexity that comes with doing everything in-house.
“The reality is that security doesn’t scale very democratically,” he says. “Trying to do it yourself, even if you are a large organization, is a losing game. It is much better to compartmentalize, identify who the providers are that you can work with, and shift a portion of your infrastructure. Maybe you don’t hand over the crown jewels, but there are so many ancillary systems you can shift to various providers who are doing this for a living and whose entire reputation is staked on keeping that information safe, secure, and compliant.”