HITRUST in the Cloud Era: Navigating Shared Responsibility with your CSP

Ninety-eight percent of organizations worldwide now use at least one cloud service, with 92% having a multi-cloud strategy (using more than one provider). It was estimated that by the end of 2025, 50% of all global data would be stored in the cloud, a significant jump from 25% in 2015. Security, once the strongest argument for remaining on-premises, has become a key benefit of cloud adoption, with 94% of businesses reporting stronger security post-migration.

This transition is a crucial strategy for businesses seeking to remain agile in today’s rapidly evolving business landscape. Everyone, from the smallest startup to the biggest global player, is trying to harness that agility, but let’s be honest: navigating the complexities of cloud security and compliance can feel like navigating a maze, especially if the compliance framework is HITRUST CSF.

One of the first roadblocks people hit is identifying who is actually responsible for security in the cloud.

This is where the Shared Responsibility Model comes in. Think of it as a clear division of labor. Your Cloud Service Provider (CSP) handles security of the cloud: the physical servers, the wiring, and the virtualization layer. You, the customer, are responsible for everything “in” the cloud. That means the security for your data, your apps, and your identity management (IAM) is on your shoulders.

Navigating the Challenges of Shared Responsibility

Organizations must define the boundaries of the CSP’s responsibilities so that they can correctly implement and manage the controls for which they are accountable. This will help you identify which HITRUST controls are fully inherited, partially inherited, or solely your responsibility. This requires a deep dive into the CSP’s documentation, detailed service agreements, and so on. But how do you do that, and more importantly, how do you do it at the right time?

Timing is Crucial for HITRUST Readiness!

Considering the complexity of HITRUST, it’s paramount that an organization has its Shared Responsibility answers ready before entering the mandatory 90-day incubation period.

This is precisely where the power of detailed control walkthroughs comes into play. For controls that are partially inherited or entirely the customer’s responsibility, thorough step-by-step walkthroughs of processes and configurations are essential.

Understanding the practical implementation of each control and identifying any gaps ensures that all necessary measures are in place before the incubation period begins.

The Cornerstones of the Shared Responsibility Model in HITRUST CSF: Inheritance and Reliance

Inheritance and Reliance allow organizations to leverage the security efforts of their CSPs, reducing redundant work and accelerating the assessment process.

If you want to receive a HITRUST certification for your systems, you need to understand Inheritance and Reliance. These are essentially “credit” systems that let you lean on the work your CSP has already done.

  • Inheritance: Most major CSPs have successfully achieved a HITRUST certification on their cloud. If they participate in the HITRUST Inheritance Program, you can literally “import” their scores into your own assessment. This doesn’t make you compliant by default, but it means you don’t have to prove that the data center has a locked door or a fire suppression system; HITRUST has already verified that for you. It’s a massive time-saver.
  • Reliance: Not every CSP is in the official program. In those cases, you use Reliance. You can’t just click a button in the MyCSF portal here. Instead, you have to do the legwork. This typically involves going through the CSP’s security documentation, such as SOC 2 Type 2 or PCI ROC reports, and requesting specific evidence for controls where the CSP has primary responsibility. Your HITRUST assessor will then evaluate this evidence to grant an appropriate score for controls managed by the CSP.

The Bottom Line

In the modern cloud era, HITRUST isn’t a solo mission. It’s about navigating a partnership. If you get a handle on the Shared Responsibility Model and use inheritance strategically, you’ll do more than just pass an audit. You’ll end up with a resilient security posture, not just “compliant on paper.” It’s a smarter way to work in an environment that never stops changing.
