Overcoming Hidden Risks in a Shared Security Model
Agenda
• Introduction
• Compliance and Security Landscape
• Evolution to a 3rd Party Ecosystem
• Data Risks and Challenges
• Deep Dive Into Shared Responsibilities
• Best Practices
• Q&A
Speakers
Chad Kissinger, Founder, OnRamp
OnRamp is a leading HITRUST-certified data center services company that guides businesses through the complexities of data security and compliance. Our solutions help organizations in healthcare, financial services and education services meet compliance standards.
OnRamp operates multiple enterprise-class SSAE16/AICPA SOC 2 Type 2 and SOC 3 data centers, where we deploy hybrid computing solutions that enable our customers to blend secure cloud computing, managed hosting, and colocation service to best meet their unique requirements. Our team’s consultative approach helps you develop the right mix of solutions to free your resources to focus on agility and differentiation in your industry.
Speakers
Maria Horton, CEO, EmeSec
EmeSec uses cybersecurity and privacy practices to build competitive advantage in today’s connected world for clients.
Our intuitive, adaptive and game-changing solutions are designed to help organizations protect their reputation and growth engines while harnessing the power of security and automated technologies. The company is an accredited Third Party Assessor (3PAO) under the Federal Risk and Authorization Management Program (FedRAMP). EmeSec Incorporated is a Woman-Owned Service Disabled Veteran Owned Small Business (SDVOSB), founded in 2003. EmeSec holds certifications in ISO 9001:2015, ISO 20000-1:2011, ISO/IEC 27001:2013, ISO/IEC 17020:2012.
Speakers
Michael Casey, Managing Director & Chief Payments Officer, EPMG Advisors
EPMG Advisors was founded in 2008 with the purpose of providing clients the best payments management and advisory services with boutique customer care. Our firm is driven to provide our clients with the understanding and ability to build and maintain a truly transparent payments environment.
Whether your objective is to identify new opportunities for growth or to maximize profits from existing operations, EPMG Payment Advisors can deliver the enterprise-wide solutions you require.
Current Landscape
The average consolidated cost of a data breach reached $3.62 million in 2017.
The risk of non-compliance is significant. Ignorance is not excused. Pennsylvania-based CardioNet agreed to a $2.5 million OCR HIPAA settlement stemming from improper safeguards of PII data.
50% of organizations don’t know who has access to their data, how they’re using it, or what safeguards are in place to mitigate a security incident.
Sources: Ponemon Institute, Cost of Data Breach Study: 2017 Global Analysis; https://healthitsecurity.com/news/mobile-security-at-center-of-2.5m-ocr-hipaa-settlement
Evolution to 3rd Party Ecosystem
C-LEVEL RESPONSIBILITIES: Multi-Vendor Management; Agility and Responsiveness; Retaining Talent; Patient or Customer Engagement; Team Skillsets; Cybersecurity; Managing Budgets; Ability to Innovate & Differentiate
Leadership offloads their IT infrastructure and computing needs in order to:
• Increase Operational Efficiency
• Rely on Subject Matter Experts
• Gain a Competitive Advantage
• Reduce Costs
Where is the Breakdown?
Compliance regulations are written as though one party is responsible for compliance and security.
THE PLAYERS: Regulators; Leadership; Talent; Providers/Suppliers
Data Risks and Top Challenges with Shared Responsibilities
THE FUMBLES
• Confusing Guidance
• Insufficient Policies and Processes
• Unclear Roles and Responsibilities
• No Accountability
• Lack of Due Diligence (Choosing & Monitoring 3rd Parties)
• Insufficient Technology
Guidance is Not Prescriptive
THE PLAYBOOK: GOVERNING BODIES AND FRAMEWORKS
• Office for Civil Rights (OCR)
• HIPAA
• Security Rule
• Breach Notification Rule
• FISMA
• Cloud Council
• PCI Data Security Standards (DSS)
• U.S. Department of Education - FERPA (20 U.S.C. § 1232g; 34 CFR Part 99)
• The Privacy Act
• FedRAMP
• NIST publications (800-145, 800-66, 800-52); FIPS 140-2
Sources: www.hhs.gov; https://www.pcicomplianceguide.org/faq/; https://www2.ed.gov/
Guidance is vague and up for interpretation (e.g. "reasonable and appropriate" measures for HIPAA). Certain regulations do not require or recognize audits or certifications (e.g. FERPA).
Establishing the Right Policies and Processes
Symptoms
• Aren’t able to determine the number of 3rd parties with access to confidential information.
• Lack of confidence in third parties’ data safeguards, security policies and procedures.
• Rarely conduct reviews of vendor management policies and procedures to ensure they address 3rd party data risk.
• Rely on contractual agreements instead of audits and assessments to evaluate the security and privacy practices of their vendors.
Standard Policies
• Information Classification Policy
• Risk Management Policy
• Information Systems Security Policy
• Ongoing Management
• Clearly Defined Roles
Why Are Companies Unable to Determine Who Has Access to Their Data?
• No accountability for 3rd party risk management
• No one department or function owns this responsibility
• Not a priority
• Lack of resources to track third parties
• Complexity in vendor relationships
• Frequent turnover in partners
Source: Ponemon Institute, Data Risk in the Third Party Ecosystem
Roles, Responsibility, & Accountability
Senior leadership and boards of directors are rarely involved in third-party risk management.
36% of CEOs play a key role in security & compliance strategy.
79% of CEOs cited over-regulation as a top threat to their organizations’ growth.
Only 16% of respondents indicated that they view their CEO as the compliance and ethics champion at their organizations.
Source: PWC State of Compliance 2016
Roles, Responsibility, & Accountability: INTERNAL – SHARED ACROSS DEPARTMENTS
Shared Responsibility Varies by Model
Responsibility matrix: columns Colocation, IaaS, PaaS, SaaS; rows Data Classification, End-point Protection, Identity & Access Management, Application Controls, Network Controls, Infrastructure, Physical Security.
Cell values as extracted from the chart (row/column positions not recoverable): Customer, Customer, Customer, Customer, Provider, Provider, Provider, Customer, Customer, Customer, Customer, Customer, Customer, Both Parties, Both Parties, Both Parties, Both Parties, Customer, Customer, Both Parties, Provider, Provider, Both Parties, Provider, Provider, Provider, Both Parties, Provider.
Accountability and Ownership
Organizations admit they are sharing sensitive data with third parties that might have poor security policies.
Figure 2: Perceptions about vendors’ security policies and procedures (Ponemon Institute, Data Risk in the Third Party Ecosystem)
Beware of These 3rd Party Risk Indicators
• Turnover of the vendor’s key personnel
• IT glitches, operational failures and stoppages
• Outdated IT systems and equipment
• History of frequent data breach incidents
• Legal actions against the vendor
• Poorly written security and privacy policies and procedures
Case Studies
• Target breach due to HVAC vendor hack. Ultimately, two-factor authentication and anti-malware would have mitigated the breach.
• Hackers breach Equifax’s portal, stealing W-2 data. Only a PIN code was used to protect sensitive data.
• Uber pays hackers $100,000 to hide year-old breach of 57 million users. Hackers accessed Github.com, a third-party cloud storage website used by Uber software engineers. Employee training could have prevented passwords from being published on a public forum.
Sources: ZDNet, Forbes.com, USAToday.com
Best Practices: Risk Management Life Cycle
Planning → Due Diligence → Contract → Ongoing Monitoring → Termination (and back to Planning), all under Oversight and Accountability.
Best Practices: Technology, People, Processes
1. Risk Assessment
2. Assign Owners
3. Vendor Security Alignment
Technology
• Data encryption in transit and at rest
• Firewalls
• Multi-factor authentication
• Cloud encryption
• Audit logs showing access to data
• Vulnerability scanning, intrusion detection/prevention
• Hardware and OS patching
• Security Audits
• Contingency Planning
People & Processes
• Audit operational and business processes
• Audit access management
• Enforce privacy policies
• Ensure cloud networks and connections are secure
• Evaluate security controls: physical infrastructure and facilities
• Data decommissioning process
• Be prepared for incidents
Best Practices: Choosing a Vendor
• Understands Your Business Goals
• Credentials & Certifications
• Service Level Agreements (SLAs) & Business Associate Agreements (BAAs)
• Security
• Availability & Scalability
• Expertise in Your Industry
Questions?
Thank you! Contact Us:
Sales@onr.com 888.667.2660 www.onr.com


Editor's Notes

  • #7: Chad: Provide insights into risk management governance. What are the obstacles? Budget, resources, knowledge, etc. Maria: Discuss differences and similarities in the landscape among the industries you serve. Discuss top threat sources. Michael: Discuss the cost of compliance versus non-compliance. Remaining non-compliant is not an option. Organizations are on the hook for ongoing penalties until they become compliant. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
  • #8: Chad: Discuss the evolution to a third party ecosystem and how it’s only one of the many challenges executives face. Compliance and security is not their core business. Third parties are not limited to outsourcing alone, though. Third parties can also be your suppliers. Think about how a large global organization with a massive supply chain could have thousands of supplier relationships with digital entities.
  • #9: Chad: Compliance regulations are written as though there’s one party responsible, even though there are a number of participants. Football analogy: it’s like creating a play for one player when there are multiple players, and multiple teams.
  • #10: Maria: Discuss challenges at a high level. Continuing the football analogy: it’s as if your coach isn’t telling you what position you’re playing during the game or evaluating post-game recaps to continue to improve your performance. You weren’t given a helmet and have no clue what plays you’re running.
  • #11: Maria: Discuss the limitations of compliance frameworks. Highlight the fact that they are not prescriptive, but instead are up for interpretation. Discuss regulations that offer certification by a third-party auditor, versus others that do not have a formalized way to prove compliance. Michael: Discuss PCI DSS requirements and which ones require shared responsibilities with vendors and partners. Discuss common misconceptions of the requirements.
  • #12: Michael: Internal policies and processes are PREREQUISITES to bringing in a 3rd party – you must have those in order prior to adding the complexity of external parties. When your organization doesn’t have a baseline of standards, you open your organization up to vulnerabilities. If you suspect you don’t have the right policies and procedures in place, chances are you are right – and you won’t have control or confidence over your security internally or when exchanging data with providers. You must not only develop policies and processes, but also enforce them. Highlight the fact (1st and last symptom) that organizations are unable to determine who has access to their information and that they rely on contractual agreements for peace of mind.
  • #13: Michael
  • #14: Maria: Discuss the stats from the State of Compliance 2016 report. Most boards and executives perceive compliance and security to be important to their organization’s growth and well-being, but the majority of them are not involved. They do not play a key role in the strategy or execution of the plans that maintain risk management. This disconnect impacts employee perception of senior leadership’s role in their organizations’ compliance programs, as only 16% of respondents indicated their employees view the CEO as the compliance and ethics champion at their organizations.
  • #15: Maria: Discuss who is responsible for what across departments. Operations, Security, Compliance, and IT take the lead on strategy; information custodians (e.g. Database Administrators) control access to the data; and information owners can be in any department. Everyone plays a part in reducing vulnerabilities, reporting possible security incidents, etc.
  • #16: Chad: Discuss how security is different across different types of infrastructures. Some responsibilities are shared, while others are clearly one or the other party. Include examples of differences in physical vs virtualized environment security.
  • #17: Chad: Organizations admit they are sharing sensitive data with vendors and suppliers that have poor security, but they also aren’t doing anything about it. In Ponemon’s 2017 Data Risk Survey, 58% of organizations stated that it’s not possible to determine if their 3rd parties have sufficient safeguards. Only 1/3 of organizations perform frequent review of vendor management policies to make sure they address the changing landscape. And about 38% of organizations have no tracking methods regarding their risk management program internally or externally.
  • #18: Michael: Discuss the warning signs of a 3rd party that is struggling with their own security measures and will likely put you at risk, too. It’s not impossible to determine, contrary to what some organizations indicate across studies.
  • #19: Michael: Target breach due to HVAC vendor hack: the HVAC vendor did not use appropriate anti-malware software or two-factor authentication for contractors, leaving a backdoor open to Target’s network. Hackers breach Equifax’s portal, stealing W-2 data: the trouble stemmed from TALX, an Equifax subsidiary that provides online payroll, HR and tax services. Hackers were able to reset the 4-digit PIN given to customer employees as a password and then steal W-2 tax data after successfully answering personal questions about those employees. The PIN was the only security measure put in place. Uber pays hackers $100,000 to hide year-old breach of 57 million users: hackers accessed Github.com, a third-party cloud storage website used by Uber software engineers. Employee training could have prevented passwords from being on a public forum. Sources: http://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/ https://www.forbes.com/forbes/welcome/?toURL=https://www.forbes.com/sites/thomasbrewster/2017/09/08/equifax-data-breach-history/&refURL=https://www.google.com/&referrer=https://www.google.com/ https://www.usatoday.com/story/tech/2017/11/21/uber-kept-mum-year-hack-info-57-million-riders-and-drivers/887002001/
  • #20: Maria: Discuss the risk management lifecycle. Review the lifecycle and draw particular attention to documentation and audit-prep, as it’s not enough to be compliant and secure – you must have proof of your efforts. Documentation: to address the risk, companies should have an inventory of all third-party vendors. In your contracts with 3rd party vendors, make sure you address how your information is being accessed and processed, including by parties with whom you have no direct relationship – aka a 4th party. Audits: ‘Weakest Link’ attack methodology: an attacker does not want to spend a great deal of time looking for a way into a target network. The objective is to obtain entry, gather valuables, and abscond in a minimal timeframe.
  • #21: Chad: Develop a strong compliance and security posture within your organization (policies, processes, technology). Discuss the ideal strategy and highlight a few of the most important aspects.
  • #22: Chad