7 Tips for Cloud Preparedness
August 31, 2015. Featured article by Gerry Grealish, Senior Marketing Executive, Perspecsys (a Blue Coat company)
September is National Preparedness Month, which is designed in part to help businesses plan for and protect against natural or human-caused disasters. CISOs and information security pros in the healthcare industry know that preparedness extends to the management and security of networks, systems and data. Aggressive cloud adoption, particularly in the U.S., brings a specific set of challenges and opportunities that have to be understood in order to build a secure and resilient cloud program.
Managing risk and data privacy in the cloud involves several factors. Cloud computing brings data privacy and compliance challenges that are specific to cloud-based applications, starting with the fact that the data is stored and processed on infrastructure the organization does not control. On the flip side, CISOs are often grappling with legacy IT applications that have outlived their usefulness to the business, and for those the benefits of the cloud are readily apparent. Gartner advises CIOs to “consider cloud solutions when modernizing your legacy systems. Cloud provides opportunities that — when carefully managed — positively outbalance the risks.”
Because SaaS offerings are not heavily standardized, each one presents its own security and compliance profile, and the issues are exacerbated when regulated data is placed in the hands of a third-party service provider. Cloud architectures require a well-thought-out security and data governance program to make them work. Here are seven tips for cloud preparedness:
- Demonstrate cloud compliance from the start
The HIPAA Privacy and Security Rules set specific requirements for handling protected health information (PHI), and the good news is that it is possible to put cloud data controls in place that satisfy them. Establishing clear business objectives lets an organization evaluate the different types of cloud offerings against its needs and its compliance requirements. In particular, healthcare organizations realize that they can’t simply toss their data into a third-party SaaS application and rely entirely on the cloud service provider for its security and compliance; the covered entity remains accountable for the PHI it shares. Governance needs to be clearly established and policies put in place to ensure compliance with the internal and external data privacy mandates that flow from HIPAA. Data should be classified by sensitivity, the appropriate protection applied to each class of data, and that mapping clearly articulated to regulators.
- Understand what types of tools and strategies work best from a security perspective
Implementing best practices in cloud security begins with learning which security methods let the organization keep control over its data while keeping that data private and protected. A healthcare organization will want to fully vet cloud security solutions to determine where cloud data resides at all times, how it is secured, and whether it meets the applicable compliance and regulatory standards. Organizations should consider all of the security techniques available to them and how each aligns, or fails to align, with business and data protection objectives. Two obfuscation strategies are most commonly considered: tokenization, which replaces a sensitive value with a surrogate and keeps the real value in a vault the organization controls, and encryption, which sends ciphertext to the provider while the keys stay with the organization. In either case the residual risk concentrates in the vault or key store, which must then be protected as a critical on-premises asset.
- Know how much cloud your organization is already using and what for
Cloud monitoring is the process of identifying cloud use within an organization and then evaluating whether it creates data privacy or compliance risks that need to be mitigated. It means understanding which clouds are being used and how, from where and when employees are accessing and updating information. This becomes more complicated with the proliferation of BYOD policies and when business units deploy cloud services without the IT department knowing about it; the web proxy, DNS and firewall logs the organization already collects are usually the first place to look.
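One concrete way to start that inventory is to mine the logs already in hand. The following added example (written for this page, not code from the author or from Perspecsys) runs over a few constructed proxy log lines in Python and reports, per external destination, which users reached it, whether any connection came from outside the corporate address range (a rough BYOD/off-network signal), and how much was uploaded. The log format, the sanctioned-host list, the corporate address prefixes and the upload threshold are all assumptions for illustration.

```python
import re
from typing import Dict, Iterator

# Constructed proxy log lines. Users, hosts and addresses are hypothetical.
# The final GET line deliberately does not match the CONNECT format and is skipped.
PROXY_LOG = """\
2015-08-31T09:12:04Z alice 10.1.4.22 CONNECT app.sanctioned-ehr.example:443 bytes_out=18231
2015-08-31T09:15:41Z bob 10.1.4.37 CONNECT www.unlisted-notes.example:443 bytes_out=5242880
2015-08-31T09:16:02Z bob 10.1.4.37 CONNECT www.unlisted-notes.example:443 bytes_out=3145728
2015-08-31T10:02:19Z carol 192.0.2.44 CONNECT share.filedrop.example:443 bytes_out=104857600
2015-08-31T10:05:00Z alice 10.1.4.22 CONNECT app.sanctioned-ehr.example:443 bytes_out=2048
2015-08-31T10:20:33Z dave 10.1.4.50 CONNECT intranet.corp.example:443 bytes_out=512
2015-08-31T10:21:00Z eve 10.1.4.51 GET http://status.corp.example/ bytes_out=0
"""

# Hypothetical policy inputs for this example.
SANCTIONED_HOSTS = {"app.sanctioned-ehr.example"}
INTERNAL_SUFFIX = ".corp.example"
CORP_PREFIXES = ("10.",)              # any other source address is treated as off-network
LARGE_UPLOAD_BYTES = 50 * 1024 * 1024  # cumulative upload that warrants a look

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) CONNECT (?P<host>[^:\s]+):\d+ bytes_out=(?P<bytes>\d+)$"
)


def parse_proxy_log(text: str) -> Iterator[dict]:
    """Yield one dict per CONNECT line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {
                "ts": m["ts"],
                "user": m["user"],
                "src": m["src"],
                "host": m["host"],
                "bytes_out": int(m["bytes"]),
            }


def discover_cloud_use(text: str) -> Dict[str, dict]:
    """Aggregate external destinations and flag what needs a closer look.

    Returns host -> {users, bytes_out, first_seen, last_seen, sanctioned,
    off_network, large_upload}. Internal hosts are dropped; every other
    destination, sanctioned or not, is reported so the inventory is complete.
    """
    agg: Dict[str, dict] = {}
    for e in parse_proxy_log(text):
        if e["host"].endswith(INTERNAL_SUFFIX):
            continue
        a = agg.setdefault(e["host"], {
            "users": set(),
            "bytes_out": 0,
            "first_seen": e["ts"],
            "last_seen": e["ts"],
            "sanctioned": e["host"] in SANCTIONED_HOSTS,
            "off_network": False,
            "large_upload": False,
        })
        a["users"].add(e["user"])
        a["bytes_out"] += e["bytes_out"]
        a["first_seen"] = min(a["first_seen"], e["ts"])   # ISO timestamps sort lexically
        a["last_seen"] = max(a["last_seen"], e["ts"])
        if not e["src"].startswith(CORP_PREFIXES):
            a["off_network"] = True
        if a["bytes_out"] >= LARGE_UPLOAD_BYTES:
            a["large_upload"] = True
    return agg


def shadow_it(text: str) -> Dict[str, dict]:
    """Only the unsanctioned destinations: the ones that need a risk decision."""
    return {h: a for h, a in discover_cloud_use(text).items() if not a["sanctioned"]}


if __name__ == "__main__":
    for host, a in shadow_it(PROXY_LOG).items():
        print(host, sorted(a["users"]), a["bytes_out"], "off_network" if a["off_network"] else "",
              "large_upload" if a["large_upload"] else "")
```

The point of reporting sanctioned destinations alongside the rest is that the inventory, not just the exception list, is what a regulator or auditor will ask for; the off-network flag is only a heuristic, since a sanctioned app reached from a home network may be perfectly fine under a BYOD policy while an unsanctioned file-sharing host reached from anywhere is not.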
- Don’t rely on SLAs
There is a call for clarity in contracts with cloud application providers and Software-as-a-Service (SaaS) vendors on data security, data integrity and data recovery in case of a security breach. It is Gartner’s position that the lack of security requirements in current service-level agreements (SLAs) will not be resolved quickly; the firm predicts that 80 percent of customers will remain dissatisfied through 2015. An SLA typically commits the provider to availability and response times, not to the confidentiality of what it stores, and a breach-notification clause only tells you after the data has already been exposed. While stated security requirements may improve in these contracts over the coming years, the best strategy for any organization is not to rely on cloud vendors for data security assurances: keep sensitive and regulated data onsite and let the cloud service provider handle only encrypted or tokenized surrogates.
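To make the tokenization option from tip 2 and the “only surrogates leave the building” strategy here concrete, the following added example, written for this page and not code from the author or from Perspecsys, sketches an on-premises tokenization gateway in Python using only the standard library. The record fields, which fields count as sensitive, the token format and the vault design are assumptions for illustration; it covers tokenization only, not the encryption option. It shows the two choices a practitioner has to make: random tokens (unlinkable, but the SaaS application can no longer match records on that field) versus deterministic HMAC-based tokens (searchable, but equality between records leaks to the provider), plus the check that belongs on whatever the provider actually receives.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

# Constructed sample record. Field names and values are hypothetical; this is
# not a real patient record or a real HIPAA data set.
SAMPLE_RECORD = {
    "mrn": "MRN-00482913",
    "ssn": "123-45-6789",
    "last_name": "Doe",
    "diagnosis": "J45.20",   # hypothetical ICD-10-style code
    "visit_year": "2015",
}

# Fields the organization has classified as sensitive (tip 1: classify by
# sensitivity, then apply a control per class). Hypothetical classification.
SENSITIVE_FIELDS = {"mrn", "ssn", "last_name"}

# Tokens are "tok_" plus 24 hex characters, so the inbound gateway can tell a
# token apart from a value the SaaS application created on its own.
TOKEN_RE = re.compile(r"^tok_[0-9a-f]{24}$")


class TokenVault:
    """On-premises token vault: the only place the real values live.

    random mode: every call returns a fresh random token. Nothing about it is
      derived from the data, so the provider cannot even tell that two
      records share an SSN.
    deterministic mode: the token is an HMAC of the value under a key that
      never leaves the vault. Equal values give equal tokens, so SaaS-side
      search and joins on that field keep working, at the cost of revealing
      equality between records to the provider.
    """

    def __init__(self, hmac_key: Optional[bytes] = None) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._hmac_key = hmac_key if hmac_key is not None else secrets.token_bytes(32)

    def tokenize(self, value: str, deterministic: bool = False) -> str:
        if deterministic:
            digest = hmac.new(self._hmac_key, value.encode("utf-8"), hashlib.sha256).hexdigest()
            token = "tok_" + digest[:24]
        else:
            token = "tok_" + secrets.token_hex(12)
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def outbound(record: Dict[str, str], vault: TokenVault, deterministic: bool = False) -> Dict[str, str]:
    """Gateway on the way to the SaaS provider: sensitive fields leave as
    tokens, everything else passes through unchanged."""
    return {
        k: vault.tokenize(v, deterministic) if k in SENSITIVE_FIELDS else v
        for k, v in record.items()
    }


def inbound(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """Gateway on the way back: swap tokens for the real values. A sensitive
    field that is not a token (e.g. typed directly into the SaaS UI) is passed
    through, because the vault has nothing to map it to."""
    return {
        k: vault.detokenize(v) if k in SENSITIVE_FIELDS and TOKEN_RE.match(v) else v
        for k, v in record.items()
    }


def leaked_fields(cloud_record: Dict[str, str]) -> Dict[str, str]:
    """Check to run on what the provider actually receives: any sensitive
    field that is not a token is a leak. The expected result is {}."""
    return {
        k: v for k, v in cloud_record.items()
        if k in SENSITIVE_FIELDS and not TOKEN_RE.match(v)
    }


if __name__ == "__main__":
    vault = TokenVault()
    sent = outbound(SAMPLE_RECORD, vault)
    print("provider sees:", sent)
    print("leaks:", leaked_fields(sent))
    print("restored on return:", inbound(sent, vault))
```

Two operational consequences follow from this design. The vault (and, in deterministic mode, its HMAC key) is now the single point at which the data can be recovered or lost, so it needs the backup, access control and monitoring of a crown-jewel system; and rotating the HMAC key changes every deterministic token, so records already in the SaaS application would have to be re-tokenized before SaaS-side search keeps working.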
- Bridge the skills gap
People, processes and technology all need to play critical roles when it comes to creating assurance in the cloud. “Enhance the skillset of your security pros to have more specific cloud usage experience,” said Cloud Security Alliance CEO Jim Reavis during the recent RSA Conference Asia Pacific and Japan. “Make sure they know how to spin up virtual machines in a variety of different infrastructure environments and know how to use popular SaaS applications and understand the security options and controls that are in there.”
- Create a cloud security framework that aligns with the organization’s own information security management system
The Cloud Security Alliance (CSA) offers a Cloud Controls Matrix (CCM) to guide the creation of such a framework. According to the CSA website, the CCM “is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the CSA guidance in 13 domains.” It is best to build on a security platform that lets the business apply consistent data protection policies across multiple cloud services, preferably one whose key management and policy administration are simple enough to operate consistently.
- Look at building more futuristic security programs that use cloud
According to Reavis, “Understand that the elasticity that is associated with cloud computing can be a cheap way to mitigate DDoS, for example. Forensics become very simple if you can image a virtual machine and instantiate a brand new system and continue the business application while you do your forensics with no downtime. So it actually creates a lot of advantages from a security perspective. Start building that future security program that actually takes advantage of cloud as you are learning more about cloud and as you are starting to build that cloud security framework within your enterprise.”
This checklist is intended to help healthcare organizations implement smart strategies to prepare for and effectively manage risks in the cloud. Surveys of IT and security pros consistently highlight the concern that data stored and processed in the cloud is at risk of unauthorized access by third parties. As a result, forward-thinking organizations are putting plans in place for data protection strategies that meet the obligations they have to their patients, employees, partners and internal stakeholders. While this checklist is not exhaustive, it is a useful starting point for any healthcare organization implementing a new cloud program or auditing its current use of cloud applications.