Cloud Security: Hope is Not A Strategy
Tags: cloud computing, denial of service attacks, healthcare, network security, shared environments, virtual environments
Back in 1995, I hit the pavement with a good friend of mine who was a network security expert. By the way, he’s a network security consultant to this day and his business is excellent. Back then, the Internet was all the rage and “home pages” were giving way to actual business applications. In fact, the concept of a “fire wall” was even new. IT professionals were authorizing web-based interfaces to corporate databases and couldn’t be bothered with questions about security.
My, how things really haven’t changed:
- An employee walking out the door with sensitive data on a laptop (or a flash drive, memory stick, etc.) was the biggest culprit back then and it’s still the #1 problem today;
- Poorly equipped, inexperienced technicians and/or phenomenally equipped, but poorly trained network administrators was a big problem back then, and it remains #2 on the list today;
- Disgruntled employees can be vindictive. Their ability to set traps remains a popular “exit card”;
- IT departments that don’t set aside beefy emergency budgets to immediately deal with new attack schemes –when they are discovered– are probably more nuts today than they were back then;
- Remotely executed “hacks” or robot-launched attacks that lead to denial-of-service at best or complete compromise at worst are increasing in their relative sophistication. They continue to drive the innovation in the security marketplace, because it only takes one breach, one bad episode, to set an organization so far back on its heels that “falling over” isn’t out of the question.
- End user education. Employees with no regard for security continue to open emails or download applications from unknown sources. This may seem harmless enough, but it is on the short list of root causes for numerous disasters.
Common sense tells us that putting our faith in a reputable cloud computing provider is a logical path forward. After all, most healthcare providers will never spend the time, energy or dollars required to develop and maintain a security environment that favorably compares with the provisions made by companies that do this stuff for a living. And while that statement seems hard to argue with, it’s so superficial as to be precisely the wrong approach to take.
Here’s an alternative approach: use your need to responsibly assess the security infrastructure offered by your prospective cloud provider to get educated. Although you may be signing up for what is widely regarded as a state-of-the-art service, keep the following top of mind: data in the cloud is in a shared environment, by design, to get economies of scale. Indeed, the cloud is all about leverage (i.e. shared network, shared server hardware –processors, memory, local disk– shared storage, shared backup and shared security).
What the industry needs is a way to securely compartmentalize and privatize each customer’s virtual environment, despite the fact that the physical environment is shared. And, of course, that’s where a lot of R&D is currently focused. In fact, there are several new technologies on the near horizon that will address an organization’s ability to “privatize” in the cloud, so start to ask about them.
Despite our collective enthusiasm for what the cloud means to us –and don’t get me wrong, it means a lot– a little fear or hesitation is healthy. It will drive your educational experience. And security fears should never go away. As my partner used to say to prospective clients, if you want a 100% security guarantee, allow me to unplug you from the Internet.
Taking the leap into the cloud is an exercise in risk management. You need to know what you’re doing and be committed to staying on top of things. Saying “no” to the cloud simply because there’s risk involved should be laughable in a healthcare context, given the life-and-death risks that get managed every day. But those risks are taken by highly educated and experienced professionals. And that’s exactly the type of person who should be managing a provider’s cloud computing decisions and spearheading its internal network security education.
No one loves an experienced decision maker more than a smart vendor with a good product to sell.
—Tom Finn