Welcome!

Microservices Expo Authors: Liz McMillan, Pat Romanski, Elizabeth White, Yeshim Deniz, Zakia Bouachraoui

Related Topics: @CloudExpo, Java IoT, Microservices Expo, Containers Expo Blog, Cloud Security, @DXWorldExpo

@CloudExpo: Blog Feed Post

Cloud Security and the Omnibus HIPAA

Thoughts on compliance and the shared responsibility model

The new and enhanced HIPAA omnibus standard brings an interesting question with regards to cloud security and the shared responsibility model in IaaS clouds. Since the release of the HIPAA omnibus, we’ve received many questions around “BAA” agreements, and how the responsibility split actually happens between (for example) the cloud provider and an ISV providing a healthcare application in an IaaS environment.

Cloud HIPAA compliance still requires a shared responsibility model
Without getting to the details of what a “Business Associate Agreement” means, I’ll simply say that the updated regulation makes business associates (Healthcare ISVs’, and potentially the cloud providers themselves) of covered entities (i.e. clinics or hospitals) directly liable for compliance with certain requirements of the HIPAA privacy and security rules (read more about it in this excellent HIPAA survival guide post). In other words, the entire “food chain” (The cloud provider, the ISV, and any other business associates in the logical flow to the covered entity), should ideally sign a business associate agreement. But what is the practical meaning of such requirement in an IaaS cloud environment? As one should expect – full compliance can be achieved only if all parties (business associates) will enforce compliance where they can actually do so. The IaaS cloud provider for example, will prove compliance on the physical and hypervisor level, while the Healthcare ISV will prove compliance on the guest OS, the healthcare application, and PHI data stored in the cloud.

Cloud encryption is a critical element
When discussing the HIPAA omnibus standard with some of our healthcare oriented customers, they all say the same: Data encryption is a critical element for cloud security and compliance. It enables them to safely store personal health information (PHI) in a public cloud, knowing that the data will always stay encrypted, for example in a disk snapshot scenario, as well as when the data is backed up. This is critical for them, as encrypted PHI data does not disclose actual information; hence they are well within the compliance requirements, even if an encrypted snapshot is somehow lost. The bigger challenge for them is how to remain in compliance without compromising on critical cloud benefits such as flexibility and elasticity. Using the Porticor technology they were able to secure and encrypt PHI data quickly and effectively (click here for more information and the Porticor white paper), but as important, they integrated data encryption into their product flow without compromising cloud elasticity, by integrating the Porticor API both on the encryption level, as well as on the key management and key distribution level.

The post Cloud security and the omnibus HIPAA – Thoughts on compliance and the shared responsibility model appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

Microservices Articles
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
Enterprise architects are increasingly adopting multi-cloud strategies as they seek to utilize existing data center assets, leverage the advantages of cloud computing and avoid cloud vendor lock-in. This requires a globally aware traffic management strategy that can monitor infrastructure health across data centers and end-user experience globally, while responding to control changes and system specification at the speed of today’s DevOps teams. In his session at 20th Cloud Expo, Josh Gray, Chie...
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true ...
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portability. In this session we'll describe best practices for "configuration as code" in a Kubernetes environment. We will demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure ...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, discussed how to use Kubernetes to set up a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace. H...
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term.
Most DevOps journeys involve several phases of maturity. Research shows that the inflection point where organizations begin to see maximum value is when they implement tight integration deploying their code to their infrastructure. Success at this level is the last barrier to at-will deployment. Storage, for instance, is more capable than where we read and write data. In his session at @DevOpsSummit at 20th Cloud Expo, Josh Atwell, a Developer Advocate for NetApp, will discuss the role and value...
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
Consumer-driven contracts are an essential part of a mature microservice testing portfolio enabling independent service deployments. In this presentation we'll provide an overview of the tools, patterns and pain points we've seen when implementing contract testing in large development organizations.