HITRUST®, a data protection standards development and certification organisation, announces the release of publicly available resources that clearly define security and privacy responsibilities between cloud service providers and their customers, thereby streamlining processes for risk management programs.

Developed with Amazon Web Services (AWS) and Microsoft Azure, each new HITRUST Shared Responsibility Matrix aligns with the cloud service provider’s unique solution offering. Cloud service providers have long supported shared responsibility models, whereby the provider assumes some security responsibility for hosting applications and systems, while the organisation deploying its solutions in the cloud assumes partial or shared responsibility for others.

Risk management objectives

The challenge, however, is that many shared responsibility models are loosely defined and vary based on the solution. For businesses deploying solutions in the cloud, this ambiguity creates an added layer of complexity related to achieving broader risk management objectives.

“Scaling cost-effectively to meet customer demand requires us to leverage the cloud, which introduces additional and unique challenges as it relates to data privacy and security,” said Lee Penn, Chief Financial Officer, and Chief Compliance Officer, PDHI. “Specifically understanding who is responsible or partially responsible for securing cloud services is a challenge that is addressed by the HITRUST Shared Responsibility Matrix.”

Controls between organisations

In 2019, HITRUST engaged AWS and Microsoft Azure to begin developing joint Shared Responsibility Matrices. The initiative was added to the larger HITRUST Shared Responsibility and Inheritance Program, which was introduced in 2018 to address the many misunderstandings, risks, and complexities involved when organisations leverage cloud service providers.

“HITRUST launched this Program with the goal of providing greater clarity regarding the ownership and operation of security controls between organisations and their cloud service providers,” said Becky Swain, Director of Standards and Shared Responsibility Program Lead, HITRUST. “The introduction of the Shared Responsibility Matrix is another HITRUST resource that underscores our ongoing commitment to simplifying and enhancing offerings to address our customers’ most pressing risk management challenges.”

Cloud service providers

The HITRUST CSF®, a certifiable framework that integrates and harmonises more than 40 authoritative sources, serves as the foundation for the HITRUST Shared Responsibility Matrix. With more than 2,000 controls available in the HITRUST CSF (with ‘control’ generally defined as an activity to mitigate risk), the HITRUST Shared Responsibility Matrix documents which HITRUST CSF controls are full, partial, or shared responsibility between cloud service providers and their customers.

“With Microsoft’s extensive worldwide presence and partner ecosystem, it is essential to streamline security collaboration. Providing comprehensive coverage for applicable controls across industries and use cases helps ensure that high levels of privacy, security, and compliance are achieved, and nothing falls through the cracks,” said David Houlding, Director of Healthcare Experiences, Microsoft Azure. “This was not an easy feat for the teams at HITRUST and Microsoft, but we know our partners and customers will benefit, which makes it worth it.”

Pursue risk management

The HITRUST MyCSF® SaaS platform used for managing assessments now includes the ability to inherit controls from AWS and Microsoft Azure. The ability to automatically inherit controls saves time, money, and resources as organisations pursue their risk management and compliance objectives.

The HITRUST Shared Responsibility Matrix for AWS and the HITRUST Shared Responsibility Matrix for Microsoft Azure are now available online. AWS and Microsoft Azure also participate in HITRUST’s Third-Party Risk Management Council, which is comprised of companies, third-party vendors, and advisory service firms that are dedicated to improving processes for identifying, assessing, and mitigating supply chain risks.
