In this interview, the CISO of an American healthcare provider offers insights into cloud security. We have kept the company and the identity of the CISO anonymous for privacy and security reasons. Thank you for understanding.
Is your organization in the cloud and why did you select that option?
Yes. We chose to go to the cloud for a combination of reasons, including speed-to-market and the ability to consume services that we are not capable of building ourselves, whether for time-related reasons or due to cost barriers.
We’ve been a strong adopter of Software-as-a-Service solutions for many years; however, within the last couple of years, we’ve started to go into the public cloud space, which is your traditional Infrastructure- and Platform-as-a-Service.
At this point, with our cloud capabilities, we’re working on consolidation projects in order to know exactly where our data is, how our data is being utilized and to potentially obtain better data insights.
What are the keys to successful cloud security?
Cloud security is multi-faceted. There are different strategies pertaining to cloud security depending on where you are in the shared responsibility model with respect to where your workloads reside in public cloud, IaaS, PaaS, or SaaS and other capabilities that one might be using.
When working with traditional SaaS services, it’s all about third-party risk and management. You’re really relying on that organization’s security posture. Therefore, a strong third-party risk management program to assess an organization’s data protection and asset resilience capabilities is key.
Securing the public cloud is very different but has similar basic principles to on-prem in that it should be data-centric. You’re protecting the data, and trying to get your controls as close to that data as possible.
Do you have multiple public cloud or hybrid clouds? And if so, how do you enforce consistency between your different clouds?
When I think of public cloud, you’re dealing with the big providers: Microsoft Azure, Amazon AWS, Google GCP, maybe Oracle. Today, we are hybrid with on-prem data centers and leveraging only a single cloud provider, and that’s Azure. We’re still very early on in our cloud journey. We may have a need to go multi-cloud in the future but need to ensure we have designed a model that is scalable and secure. Related to consistency around security across multiple public cloud vendors, that is definitely a concern of mine. I have a small team and don’t want to have different tooling and management of separate policies for each provider.
It’s definitely a shift from the on-prem thinking to the cloud. There are some parallels where, if you have internet-facing services, you must at minimum have a web application firewall. Although there are some vendors that claim that they can protect both cloud and on-prem, there aren’t many that can do it well. But there’s a similar mindset in that particular case. Most have distinctive solutions that focus their strengths in one area but don’t necessarily translate to the other instance.
When you’re doing IaaS, there are a lot of parallels between security solutions to protect Google GCP, Microsoft Azure and AWS. When you start getting into the Platform-as-a-Service, that’s where things get a little trickier. You need to ask questions like ‘What type of partnerships are there between the security companies and the respective cloud providers?’ And then, ‘When do you use that cloud provider’s native security versus augmenting with the third-party?’
But among healthcare payers like us, we’re trying to find as much consistency as we can between our on-prem and cloud tool sets. However, we will drift as necessary to best of breed, if we believe that there’s not sufficient coverage, automation and ultimate security to protect the workloads and data that are within the public cloud.
How do you know if your cloud journey has been successful? What criteria or parameters are you looking for? And, similarly, how will you know if your cloud security journey is on target?
Well, with any journey, it’s ‘are we seeing value?’, ‘are we delivering customer outcomes quicker than before?’ There are so many initiatives that we have right now that aren’t moving as quickly and where we’re not reaping the value that we expect out of it.
That’s really what success looks like. ‘Are we seeing that quick value?’ And, as an organization that has acknowledged that we’re too risk averse, and that we spend way too much time in the planning phases, we’re looking for that minimum viable product. To that point actually, I was at a recent event, where an organization said, “Well, is minimum viable really what you were striving for? Or is it minimum lovable?” This really stuck with me!
I mean, you can iterate and keep getting out capabilities, but if nobody sees value in it, and nobody loves it, then you aren’t ultimately successful.
On the security side of things, it’s a similar mindset to being on-prem. Ensure that you have appropriate oversight; that you are performing threat modeling, applying appropriate levels of risk mitigation with respect to your risk tolerance, etc.; and that you understand where the vulnerable points are within the respective design and platforms that you’re producing.
And really, at the end of the day, to judge whether our security journey is on target: are we building in security as far Left in the process as possible? Shift Left is usually coined as ‘starting with development’. Well, that ‘Left’ must go all the way back to the planning, design phase and requirements. As long as you have that seat at the table, from the beginning through the end, you can feel quite confident that your cloud security journey is on target, and is successful.
The fact is that not only does your cloud journey require budget and resources in order to achieve success, but also buy-in from the organization, and support from the top down.
Can you tell us a little bit about how you adhere to specific healthcare requirements, like HIPAA?
HIPAA is all about privacy of healthcare data. Therefore, within the CIA triad (confidentiality, integrity and availability), we prioritize the confidentiality of data.
Now, integrity of data is a close second priority because if you can’t trust the data, that reflects as poorly on an organization’s reputation as failing to protect the confidentiality of the respective data.
Therefore, we ensure least privilege leveraging that data-centric security mindset. Additionally, appropriate key management and encryption of data in transit and at rest are critical controls, along with appropriate segmentation and access control.
What are your recommendations for other companies in the healthcare arena?
When you’re dealing with healthcare, you need to understand how you are servicing your customers/members. For instance, from a hospital perspective, their priorities are different from those of our group, as an insurer/payer. For example, privacy (confidentiality) is important, but from their side of things, availability is actually most important. If somebody is seeking care, and their tools, their IoT devices, are not serviceable, then they can’t care for the individual.
So, an individual seeking care would probably react and say, “At this moment, as long as you can service me in my time of need, confidentiality is secondary.” You need to have a good understanding of exactly what’s most important in that security triad: confidentiality, integrity and availability.
It’s knowing what is most critical to you in your respective area and focusing there, first and foremost. And then, looking at the other areas that are secondary and making sure that you really understand what the various threat vectors are to your organization.
Especially now that we’re talking about the war in Ukraine and Russia: what are the potential downfalls based on sanctions and what we’re doing to support the Ukrainians, and where could we get hit the hardest? Well, it’s those critical infrastructure sectors, including healthcare.
If you just start thinking outside of the box in terms of non-traditional ways of being attacked — it’s those areas that you’re not tuned into, in which you’re probably the most vulnerable.
What recommendation do you have for companies that are just starting out in their cloud migration journeys?
Have an understanding of your respective outcomes. What is it that you want to achieve? It’s one thing to just place data in the public cloud, but what is your intent with it afterwards? Is that being used as a pivot point for data interoperability, and you’re going to use it to be pushing and pulling data from other third-party entities? There’s not a “one size fits all” function. And then ask yourself: “What are the priorities?”
There are hundreds of different security technologies out there, that span from the edge, all the way down into containers and data security. Start with understanding how your data may be exposed, and think about what your intent is for the data.
In our case, we started with understanding the health and configuration of the environment. We purchased cloud security posture management (CSPM). Secondly, we chose a solution to protect the edge: a cloud WAF which also includes DDoS protection. That’s sort of what your table stakes are.
Then you have to start to look to see how your cloud journey evolves and be ready to adapt to it, whether or not it’s cloud workload protection (CWPP). Do you need micro-segmentation? Do you have multiple identity types as well as a need for federation, forcing you to adopt a big player within the identity access management space?
There’s no real one-size-fits-all. As I talked through our journey, we started with heavy SaaS, and then started to move into public cloud with the IaaS and PaaS workloads. Just understand what that journey’s going to look like, have your seat at the table in order to work with the respective folks that are building out the strategy, and remain in lockstep with them with the respective security to protect the data and the services.