During day two of the HITRUST 2019 conference yesterday, I attended a panel called Shared Responsibility – Understanding How to Share Control Responsibility in the Cloud.
The panel was composed of:
- Becky Swain: Director, Standards Development, HITRUST
- Kurt Hagerman: CxO Advisor, Cyber Strategy, Coalfire
- Blaise Wabo: Senior Manager, A-LIGN
It was moderated by Mike Annand: Director of Customer Compliance at Armor Cloud Security.
Shared Responsibility – Understanding How to Share Control Responsibility in the Cloud – My Takeaways
Here are my takeaways:
- “There’s no such thing as perfect security.” (Kurt Hagerman)
- What does it mean to share responsibility?
- Becky stressed the need to start a dialogue around similar language
- Who owns the control and how is it written? Is it relevant to the organization?
- The whole idea is to provide clarity to customers, providers and assessors
- “Cloud is the new version of I.T.” (Kurt)
- AWS IAM was used as an example of joint control ownership
- Becky is looking for more members for the working group
- “Once we’re speaking the same language, then we can have a healthy dialogue.” (Becky Swain)
- A draft of the shared responsibility matrix is still in the works
- The working group is in the middle of a reboot
- Cost model: No additional cost to HITRUST applicants
- Looking at version 10 having this functionality
- “Their business is about security.” Becky on cloud vendors like AWS
- “People are the biggest security risk.” (Becky)
HITRUST 2019 Conference
HITRUST 2019 positions itself as the most comprehensive and definitive information risk management conference for privacy, security, and compliance professionals.
The conference is held at the Gaylord Texan Resort in Grapevine, Texas.