[BreachExchange] CISO security tips for managing hybrid cloud deployments

Destry Winant destry at riskbasedsecurity.com
Fri Aug 23 10:09:43 EDT 2019


Quite rapidly, healthcare providers have evolved from a deep
skepticism, if not outright opposition to cloud deployment, to
something approaching enthusiastic embrace. Indeed, with their
security concerns having been allayed in recent years, more than a few
security professionals are pushing toward cloud-first, if not
cloud-exclusive hosting strategies.

As this increased comfort level has pushed greater exploration, many
healthcare organizations are now grappling with dozens, even hundreds
of different cloud vendors. Most have done yeoman’s work gaining the
maturity and certifications required to prove their mettle for
handling protected health information. But the challenges of managing
multi-cloud deployments are hardly a walk in the park.

A lot of nuances remain

“There’s still a lot of nuances in a cloud environment. There’s a lot
of specific security settings (that have to be) properly configured,”
explained Winston Armstrong, chief information security officer at the
San Diego Super Computer Center.

“There’s definitely a place for the cloud,” he said. “There’s cost
benefits, there’s a lot of great capabilities and automation. But
there’s also a lot to do still, from whoever is managing these
applications, whoever is managing the security. It’s not all just plug
and play. It’s a great environment. You’ve just got to put in the work
to get it done.”

Anahi Santiago, CISO at Wilmington, Delaware-based Christiana Care
Health System, knows that from first-hand experience. In the past
several years, the organization’s cloud infrastructure has kept
expanding in size and complexity.

From a database to manage human resources data to cloud-based desktop
apps, from a warehouse hosting PHI and a cloud-based EHR, “we continue
to further grow our footprint,” Santiago said.

Niche cloud solutions

Moreover, she said, “we continue to partner with organizations that
are cloud-based to provide us with niche solutions that serve our
needs. So we have moved our patient billing to the cloud. We are now
looking at using cloud services to engage with our patients from a
communication perspective. And one of our huge projects is now looking
at moving our second data center to the cloud. So that’s a lot.”

Christiana Care is still a hybrid environment, given that it hosts
data onsite too, but “we definitely have a cloud-first strategy,” said
Santiago. “I don’t know that we’ll ever be completely in the cloud.
But we’ll be more in the cloud than on-premise, for sure.”

But even now, she has her work cut out for her, dealing with
“hundreds” of different cloud vendors at any given time, she said.

So what’s the secret to juggling not only that large number, but also
the huge variety of different applications and vendors?

“It all starts with risk assessments,” Santiago stated. “We don’t
engage with any cloud-based party until my team has done a risk
assessment of the cloud environment.”

Not perfunctory assessments

And these are not perfunctory affairs, she said.

“What that entails is taking a look at the type of information that is
going to be stored in the cloud, the criticality from a business
perspective of having that cloud service be available at all times and
the overall workflow that our caregivers are going to utilize in the
cloud,” Santiago explained.

“And then my team reaches out. They do the typical questionnaire, they
ask for a SOC2 Type II report – and what’s really important is that we
require a report for the specific instance of the vendor’s cloud
environment,” she said. “The cloud is a shared responsibility model.
And so we need SOC2 Type II that’s specific for that vendor’s
configuration and instance of the cloud, so that we know they have
taken steps to protect their environment.”

While that’s a “huge” must-have from Christiana Care’s point of view,
“a lot of times it surprises vendors asking for that,” Santiago said.
“That can be a deal-breaker, depending on the criticality of that

Next steps: Assessing security controls

Santiago also requires that other steps be taken, such as ensuring the
vendor is going to “authenticate to our SML environments to our
identity store, so that we’re not managing, you know, 100 different
identity and access management stores. We want everything to go in
through our authentication.”

In addition, “we require a very long list of hosting security terms
that hold them accountable for making sure that they have a risk
management program, a security and awareness program, that our data is
going to remain in the United States and that we know it is going to
be accessible offshore.”

Basically, it’s all meant to ensure that “we know, from a risk
perspective, that we would have some decision point there in terms of
what we will and will not allow,” she added.

“Everything from making sure that they are doing vulnerability scans,
penetration testing, a right to audit – all the way down to criminal
background checks. It’s an extensive list of security requirements.
And then we also require them to provide us with some kind of report
again on their own incidents on an annual basis – and, depending on
the criticality, an attestation that they’ve done a vulnerability
assessment and an attestation that they had done a failover or
disaster recovery exercise.”

What’s in place?

It’s all about “making sure we understand what security controls they
have in place and what their due diligence is, to give us a comfort
level that they are meeting our security standards,” Santiago

The good news is that more and more cloud vendors are up to the task,
she said. “They’ve been getting a lot better. When I first started
here four years ago, requiring a SOC 2 Type II report of their own
instance surprised a lot of people. But now we’re getting a lot more.
We’re also getting more folks that will go as far as to get HITRUST
certification or ISO certification, which certainly gives us a far
greater comfort level that they are prioritizing security.”

Even if the vendor does everything right, however, multi-cloud
deployments won’t work optimally if the providers’ own staff aren’t up
to the new demands of operating in a mostly remote-hosted environment.

“The one really important lesson that we learned when we first started
really looking at moving our infrastructure over to the cloud is how
different the skill-sets are from a security perspective and even an
infrastructure perspective when you’re doing things in the cloud, as
opposed to when you’re doing them in the data center,” Santiago said.

Slowing down to better prepare

“We’ve slowed down some projects in the past – a project that was
supposed to take maybe a few months has taken longer due to the fact
that we’ve had to really take a step back, re-educate ourselves,
upscale our staff, hiring different consultants that know the cloud so
that we can move forward doing it well from a security perspective,”
she said. “And I think that I think we were surprised at how different
the skill-sets really are that are needed to function in the cloud.”

Managing a complex multi-cloud environment is a shared responsibility
model, Santiago added, and healthcare organizations have to look
closely at their processes to make sure they’re taking the right steps
to manage the fast-evolving nature of cloud applications.

“One of the things that we’re seeing now is change management,” she
concluded. “The cloud changes almost on a daily basis. And you can
fall in love with all the brand new features and functionality. But
that can also open up risk. And so I think it’s really important to
make sure that you have a really strong change management program,
along with a risk management program, that keeps an organization
regimented about how to adapt all the different functionalities in the
cloud – so you’re not introducing undue risk for the sake of a shiny
new piece of functionality.”
