HITRUST Unveils Model for Assigning Security, Privacy Responsibility Among Cloud Service Providers

March 4, 2020
Shared Responsibility Program and Matrix seeks to clarify roles and responsibilities regarding ownership and operation of security controls

HITRUST, a cybersecurity standards development and certification organization, has unveiled a common model for communicating and assigning security and privacy responsibility between cloud service providers and their tenants or customers.

Called the Shared Responsibility Program and Matrix Version 1.0, it is part of HITRUST’s Shared Responsibility Program, which was established to address what it calls the growing misunderstandings, risks, and complexities when leveraging service providers.

IDC has reported that 48 percent of organizations have applications in one public cloud that communicate regularly with applications in a different public cloud. The Matrix will help organizations more easily come to agreements with their cloud service providers as to which party is responsible for individual security and privacy controls, in turn ensuring that all applicable controls are properly addressed.

The Shared Responsibility Program clarifies the roles and responsibilities regarding ownership and operation of security controls while automating and streamlining the assurance process when privacy and security controls are shared or inherited.

HITRUST said organizations will benefit from streamlined communication processes as well as reduced inefficiencies and burdens of compliance when leveraging services from cloud providers.

The Shared Responsibility Program is led by Becky Swain, director of standards development at HITRUST, and supported by a Working Group composed of representatives of several cloud service providers, including Armor, AWS, Google, Microsoft Azure and Salesforce, as well as enterprise cloud customers, cloud professional services firms, and solution providers.

“With the continued adoption of cloud services, being able to understand and accurately inherit controls from service providers in an automated manner will be key to an organization’s information risk management and assurance process,” said Swain in a release. “The next milestone will be HITRUST continuing to work with leading CSPs to ensure they provide the Matrix to their customers.”