Your Adopted Cloud: How to Address Fears from Internal Teams about Privacy, Security, and Compliance
by Chris Bowen
Chief Privacy & Security Officer
This is the second in a three-part series on enabling your journey to the cloud and understanding the beneficial role a cloud security architect can play in informing your cloud decisions.
In part one of this series, we talked about healthcare’s broad adoption of cloud and the advantages that are driving that transformation. Now let’s explore what you need to be considering with regard to security and compliance as you migrate to the cloud.
Even as the journey to the cloud has become the preference for healthcare organizations, security, privacy and compliance teams must still bless the solution. If the members of those internal teams are familiar with hosting their applications within their premises, fear of the cloud creeps into the diligence process. It’s important to understand what these fears are so they can be adequately addressed. The basis for these fears tends to lie in the following areas:
1. Physical Security
As it relates to on-premises datacenters and colocation spaces, technologists feel great control by having oversight for all aspects of purchasing, provisioning, configuring and operating the technology and securing the physical space. If traditional security veterans can see the walls of the data center, or if they can physically touch server hardware and network gear, or even if they can test physical access controls, chances are they feel a sense of safety and security. They can see the edge and touch the cold concrete barriers that keep out unauthorized visitors. This false sense of security quickly gives way to a sense of desperation when power units fail, or network connectivity is interrupted.
When moving to the Cloud, physical access is often restricted, and visitor access is prohibited. Losing physical access to physical equipment and replacing it with logical access via a web console can be a massive shift in mindset. It’s one worth encouraging your team to make because this shift aids in securing the physical environment at scale.
2. Logical Security
Often when organizations begin their first cloud initiatives, they attempt to apply the same security methodologies and workflows to the cloud that they operated with in their on-premises or colocation environments. For example, in the legacy world, organizations patch servers. In the cloud world, there are faster, better and more thorough ways to address concerns. In the cloud, the same organization can re-deploy entirely new compute instances from patched machine images in minutes. The same strategies can be applied to containers and storage – whether an organization is scaling up or down from peak hours or project-specific workloads, secure resources can be provisioned in a matter of minutes.
3. Advances in Cloud Technology
In addition to traditional compute, many organizations opt to run their workloads in containers, a method to package an application so it can be run, with its dependencies, isolated from other processes. Kubernetes, an open-source container technology available on AWS, Azure, and Google, provides a platform upon which organizations can directly develop and deploy. This technology can lower costs and deployment time as well as increase the organization’s ability to scale up on-demand, and when you partner with ClearDATA you can have the assurance of compliant, secure containerization on your choice of the three big public clouds.
4. Automation Know-How
You may not have DevOps expertise on your team or certified cloud architects. ClearDATA does. ClearDATA’s Automated Safeguards for AWS, GCP, and Azure have enabled organizations to ease their transition to the public cloud while ensuring environments remain in a secure and compliant state. These Automated Safeguards provide the confines that enable healthcare customers to run workloads in the cloud using native services while remaining compliant with HITRUST, CIS, NIST, GDPR, HIPAA, Good Manufacturing Practices, and AICPA Trust Service Principles.Enabling Automated Safeguards around cloud-native services lets the organization move workloads out of the data center and into the cloud without the concern and overhead of maintaining your own compliant platform.ClearDATA ensures deployment to traditional compute and container services pre-hardened to CIS standards while working with customer engineers to determine pre-approved port whitelists and ranges and locks this configuration into Security Groups. Also, ClearDATA ensures a constant state of encryption for storage services and database services and allows customers to deploy load balancers in front of compute functions while providing traffic encryption, for example.
Knowing how to do this takes dedicated expertise, large development budgets, patience, and discipline to stay abreast of cloud service deployment thousands of times per year. This know-how and expertise is difficult to find and retain in today’s competitive cloud, security, privacy and compliance world. And it’s why so many healthcare executives are turning to ClearDATA.
5. Fear of the Unknown
Whether an organization's cloud security posture is mature, or it is just beginning its cloud journey, legacy security tooling can significantly influence architectural decisions. Sometimes these tools stand in the way of properly architected cloud environments. Moving to the cloud is usually not a "lift and shift" migration. Cloud orchestration methods that include infrastructure as code, full automation, redeployment, and vulnerability management require different approaches, different mindsets, and entirely different skillsets than deploying virtual machines in a local data center.All of this can be daunting. For some organizations who lack the in-house cloud knowledge, the cloud journey can be seemingly insurmountable. The role of the Cloud Security Architect is to provide expertise in designing a cloud environment that protects sensitive information in a manner that facilitates its intended use. This role must consider privacy and security-by-design principles and apply compliance framework requirements into the solutions.