Robust security in the public cloud depends on both cloud service providers and clients committing to a shared security model.
While considering the use of cloud, healthcare organizations need to assess the adequacy of a cloud service provider’s processes and controls to assure the availability, confidentiality, and integrity of data stored in the cloud.
Data privacy and integrity is only as good as the layers of security, governance technologies, operational practices, and compliance policies that the cloud provider puts in place.
Leading cloud platforms—such as Microsoft Azure—comply with regulations such as Center for Financial Industry Information Systems (FISC), Payment Card Industry Data Security Standards (PCI DSS), and Service Organization Controls (SOC) 1, 2 and 3.
Leveraging decades of experience building enterprise software, Microsoft has incorporated security-aware software development, operational management, and threat-mitigation best practices into Microsoft Azure.
The result is a secure public cloud platform that can be even more secure than on-premise, private cloud installations.
But that’s only one piece of the piece of the puzzle. While Microsoft Azure secures an organization’s overall global cloud infrastructure, each Azure client still needs to deploy the layers of security required to secure their own applications, content, and customer data.
Shared security requires the implementation of a comprehensive set of operating procedures and best practices based on internationally accepted standards including ISO, NIST, PCI, and HIPAA.
Following a risk-based approach with multiple layers of security and best practices, SecureCloud P2P’s host environment encompasses a set of 16 necessary operating procedures and practices that continuously evolve according to industry trends and regulatory policies.
- AC: Access Control Policy
- AT: Awareness and Training
- AU: Audit and Accountability
- CA: Security Assessment and Authorization
- CM: Configuration Management
- CP: Contingency Planning
- IA: Identification and Authentication
- IR: Incident Response
- MP: Media Protection
- PE: Physical and Environmental Protection
- PL: Planning
- PS: Personnel Security
- RA: Risk Assessment
- SA: System and Services Acquisition
- SC: System and Communications Protection
- SI: System and Information Integrity
For a deeper dive and explanation of these necessary operating procedures and practices, see our whitepaper on the subject here.