AWS Customers are responsible for Governance Risk Control (GRC), Data Security, and Application Security. AWS is responsible for Platform Security, Infrastructure Security, and Physical Security. Platform Security is a shared responsibility. Manage GRC, data security, and application security with Machina.

Securing Data IN the Cloud: Whose Responsibility Is It?

Suprit Patel interviews Robert Ball on behalf of healthcare providers about the shared responsibility model; organizations are often not aware that ensuring data protection in the cloud is their responsibility, not the cloud service provider’s.

Suprit Patel, CEO of The Bestige Group: The Bestige Group provides advisory services to healthcare providers and medical device manufacturers. Suprit is a former Management Consultant for leading companies such as Ernst & Young and The Advisory Board Company. Suprit brings deep experience in the Healthcare Industry.

Robert Ball, chief business development officer and general counsel of Ionic Security: Ionic enables scalable and consistent data protection by securing all of an organization’s sensitive data from unauthorized access and data breaches, wherever it lives or travels. Robert leads Ionic’s business development efforts and also serves as the company’s General Counsel and chief privacy officer. He also serves as Chair of the Policy Council of the National Technology Security Coalition. Robert has 20+ years of experience at the intersection of technology and law & policy.

Suprit: Large-scale data breaches involving tens and sometimes over 100 million consumer records have become all too frequent, and the impact of some of the latest data breaches is capturing the attention of Congress, which is demanding action. Just the other day, Senators Elizabeth Warren and Ron Wyden wrote a letter to the Federal Trade Commission demanding they investigate Amazon’s “failure to secure the servers” in connection with the recent Capital One breach. What are your thoughts on this?

Robert: Indeed, these data breaches are significant, not only for the costs they impose on companies that are being breached, but also for the consumers affected and loss of trust that is part of the fallout. These breaches do deserve the attention they are getting, but they also highlight that reactions such as the Warren/Wyden demands are often misguided and ill-informed. 

“Failure to secure the servers” may be great for headlines, but when you look at who is responsible for data security in the cloud, the lines are very clear. In the case of AWS, it is called the “Shared Responsibility Model.” Under this model, the cloud service provider – AWS – is responsible for the security of the cloud. Customers are responsible for security in the cloud. Specifically, the customer is responsible for data security, most aspects of application security, and for setting the proper policy around security governance, risk, and compliance. This is what security in the cloud means. AWS is responsible for the physical security of its servers and the infrastructure around them, as well as most of the platform security.

In the case of the Capital One breach, a former Amazon employee used her deep knowledge of how the different parts of AWS work together to find a hole in the configuration of an application built on the cloud that allegedly allowed her to access personal information of over 100 million Capital One customers and prospects.

Suprit: I deal mostly with healthcare providers and medical device manufacturers. What should they be aware of?

Robert: Healthcare providers face the same risks that banks do, if not more. Along with law firms and universities, hospitals are among the top three targets for hackers. And the healthcare industry is highly regulated – Federal laws and regulations such as HIPAA have strict requirements regarding the security and privacy of PHI, and a number of states like Massachusetts have their own set of regulations.

Suprit: Healthcare providers are indeed big targets. Personal health information or PHI is ten times more valuable on the black market than retail data. And with an average cost per breach of $429 per record and $6.45 million per breach, you can rest assured they are paying attention. What do you suggest companies need to do to understand these differences?

Robert: They need to clearly understand that it is their responsibility to secure their data. Under the shared responsibility model, this falls on them, not AWS. And they need to consider a technical data protection solution that enables customer-managed trust and separates who stores the data from who secures the data.

Suprit: I’m guessing you know of a solution out there that addresses the shared responsibility model and helps prevent these sorts of breaches?

Robert: Yes, there is: Ionic Machina™. Security for decades has been about securing the perimeter around data. Ionic focuses on protecting the data itself across its entire lifecycle at enterprise scale by creating a system of record for contextually defining and enforcing rich data access policies. Building on our strategic partnerships with the major cloud service providers including AWS, Microsoft, and Google, we jointly help our customers fulfill their security and compliance commitments within the shared responsibility model.

Global businesses, especially highly regulated healthcare and financial services, and government agencies use Ionic today to accelerate innovation by driving data protection across their organization, and throughout their journey to the cloud. Machina delivers real-time data policy enforcement against a rich set of identity, data, and environmental attributes.

Specifically, our offerings for cloud storage, currently on the AWS Marketplace and the Microsoft Azure Marketplace, simplify the protection of stored data and the control over access to it via our attribute-based access control framework. This is the same framework a provider can use for their on-premises data, so policy can be set once and applied to data both on-premises and in the cloud.

And our AWS and Azure offerings provide a low-cost entry point – $1,500.00/month for the first year for unlimited usage – for healthcare providers and other enterprises and their developers to move their expensive on-premises storage to the top cloud providers, define and enforce data protection policies in real time, and easily maintain compliance with ever-evolving data security and privacy regulations like HIPAA.

Suprit: So for less than $20K a year, a healthcare provider can sleep better at night knowing it has taken steps to lessen its risk of a $6 million+ breach and of showing up on the DHS wall of shame.