“Cloud Service Providers probably do a better job of securing their servers and networks than a typical business.” You can see in their eyes the relief in believing that their decision to move to the Cloud is a safe one. Then I say “But the Cloud is something that is entirely managed and accessed via the public Internet so it’s fundamentally riskier.”
The Cloud Dichotomy
This duality can be hard to grasp. After all, this statement implies that the Cloud is more secure and also not. For organizations that require compliance with various industry and legislative standards such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), or International Traffic in Arm Regulations (ITAR) the stakes are high as the efficiencies provided by Cloud services are incredibly appealing but the impact of a security or privacy breach can result in massive fines and other expenses. Creating additional challenges is the fact that the security, visibility, and control associated with industry and legislative compliance is directly at odds with the reason users are adopting Cloud services. Users are often more interested in performing their jobs as efficiently as possible as opposed to maintaining compliance with regulation du jour. In an effort to make this clearer CipherPoint is writing a series of articles to review the controls necessary for compliance with PCI DSS, HIPAA, and ITAR, and identify which controls are available in Office 365 or otherwise provided by Microsoft. This first article in the series covers PCI DSS (an easy task as you will find out soon enough) and the Administrative Safeguards required by HIPAA. Remember that many compliance mandates are an organizational responsibility, not a technology certification. As a general rule, your organization cannot offload the entire compliance burden to Microsoft. Microsoft runs the data centers but your organization is still responsible for the behavior of your users.
PCI DSS
Microsoft claims Level 1 compliance with the Payment Card Industry Data Security Standard (PCI DSS) for their own billing systems. Per Microsoft, however, “customers should not use the Office 365 service to transmit or store [cardholder] data for their own use.” This means that Office 365 must be out of scope for any organizations that store, process, or transmit cardholder data. Microsoft doesn’t say why this is the case and any organization that intends to store sensitive information of any kind in Office 365 should attempt to get an answer. One possible reason could be that organizations storing cardholder data in Office 365 will not be able to demonstrate many of the requirement controls for their Qualified Security Assessor (QSA) since Microsoft is performing those functions. https://technet.microsoft.com/en-us/library/office-365-compliance.aspx
HIPAA/HITECH
The HIPAA and HITECH Acts together include specific guidance on privacy, information security, and breach notification. The HIPAA Security Rule requires common technical security controls such as user authentication, authorization, access control, encryption, data integrity, and audit logging. The security rule also includes requirements for physical safeguards including controls related to physical access to information and systems including workstation access controls, device and media controls, and facility access control. There are also contractual requirements for risk sharing, called Business Associate Agreements (BAA), among covered entities and service providers. It is important to understand that HIPAA compliance is an organizational responsibility, not a technology certification. As such, Microsoft can only help your organization meet the HIPAA compliance requirements because Microsoft is responsible only for their employees’ access to patient information; they are not responsible for the compliance requirements associated with your employees and business associates accessing patient information. You can use the table below as a worksheet to identify gaps in your organization’s compliance posture relative to the Administrative Safeguards required by HIPAA. The Office 365 administrators in your organization will have access to ePHI but they probably would rather not be exposed to that information and associated compliance culpability.
Making the Grade
Compliance is a perennial and effective catalyst for information security budgets and priorities. The HIPAA requirements above are just the first example of the need to understand exactly which aspects of compliance you may outsource to Microsoft and which aspects your organization remains responsible for. As the table above indicates, there are very few categories that Microsoft can assume total ownership of. In fact, the compliance relationship between your organization and Microsoft is more one of partnership than outsourcing. Future articles in the series will cover the remaining Technical and Physical Safeguard under HIPAA, and ITAR.