De-Risking the Cloud with a Shift Left Mindset
by Chris Bowen
Chief Privacy & Security Officer and Founder
I recently had the opportunity to have a round table discussion with fellow CISOs on De-Risking the Cloud. While that specific discussion was private, part of the Q&A I had with Tom Field, SVP of Information Security Media Group, which led up to the event may be of interest to you. We talked about the mindset in DevSecOps of “Shifting Left” and building security and privacy into the software lifecycle, early and often.
Enjoy, and if you’d like additional guidance on this topic, you can reach out to me here.
Tom: We hear a lot about the rapid acceleration of digitization. What innovative solutions are you seeing healthcare organizations bringing to the market during this pandemic?
Chris: A lot is happening around remote telemedicine and remote monitoring. Care providers are broadly introducing chatbots. And lots of machine learning and natural language processing applications are being consumed to service the patient in a convenient way to that patient. I see many different cloud services used across the board. A prevalent use case is the big data query scenario where all this data is coming at you as a healthcare provider. You need to understand how to work with it and determine what gems you can pull from it to better prepare yourself to address this pandemic and whatever may be in the future.
Tom: Chris, we hear a lot about risk. What security and privacy concerns do you feel may not be properly addressed as some healthcare organizations move at warp speed?
Chris: If you think about the application they are trying to deploy quickly, one of the often-overlooked things is secure software development. They need to think about how they integrate those apps and interfaces into the large datasets they have to consume. They should be paying attention to the basic standards of secure software development and ensuring they integrate security, privacy, and compliance by design into those interfaces in a way that addresses some of those challenges. Unfortunately, sometimes that gets missed when they’re trying to deploy quickly. They may not have the mindset to guide them in those principles.
Tom: We hear so much about building in security and privacy, and it often ends up being lip service. Why do you think it gets overlooked in practice when we talk about the software development life cycle?
Chris: I think it’s partially a matter of mindset and partially a matter of understanding what DevSecOps means vs. DevOps. If you think about some of the terminology around shifting left, you’ll see a lot of the more mature organizations integrating and building it into the planning, development, and building stage of that software lifecycle, so they have the tooling necessary to say, “let’s look at this code before it goes into production.” It’s a mindset, including a cultural mindset.
Tom: Talk to me about how healthcare organizations can better understand their own threat landscape by practicing shift left.
Chris: I think it’s just a matter of testing, integrating the tooling, and using the tooling to give the feedback necessary on that development loop. If you deploy an app and haven’t done a penetration test, and that app is touching PHI, you are ripe for a data breach. Think about open enrollment for health insurance – that’s coming soon. If you haven’t validated the input mechanisms into the fields and forms on the enrollment applications…if you haven’t tightened that down, you are ripe for a SQL injection attack, which can lead to data exposure. That kind of attack is made possible by not testing earlier. It can yield some massively negative potential consequences if it’s not addressed earlier. There are real breaches caused exactly this way.
Tom: How do you help de-risk the cloud for your customers at ClearDATA?
Chris: One of the challenges of using the cloud is also a blessing – cloud helps people quickly innovate on a massive scale. New services are coming to market in a way that allows us to transform like never before. But that brings a challenge of “How do I use this service in a way that allows me to comply with HIPAA or GDPR, or whatever regulation it is?” Customers want to know how to comply with HIPAA while using these cloud services. They are asking how they can take HIPAA-eligible services and make them HIPAA compliant. We bake that into the reference architectures for our customers so they can consume those HIPAA-eligible services in a way that not only starts HIPAA compliant but also stays compliant for the entire lifecycle of their app.