Developing a Cloud Security Strategy
By Shefali Mookencherry, MPH, MSMIS, RHIA, CHPS, HCISPP, CISO, Edward-Elmhurst Health
The mitigation of security risks in cloud computing is a challenge to many healthcare organizations. As organizations move to the cloud more frequently, cloud security is a major concern for CIOs and CISOs.
Most organizations fear the loss of control by moving to the cloud. The discussion around security risk in the cloud requires organizations to find the difference between real risk and uneasiness. They may worry about losing control of the data and fear the risks that come with this approach.
Organizations need to invest time to develop a cloud security strategy.
Cloud Security Strategy
What follows is a high-level cloud strategy for evaluating security risks and identifying what an organization should consider when mitigating those risks.
Review cloud risk implications
- Review all areas of risk. Decision-makers contemplating cloud computing adoption face several challenges relating to policy, procedures, technology, guidance, security, and standards. In the cloud, data is entrusted to a third party and shares tenancy with other people’s data requiring stringent access security. Regulatory compliance might require visibility into where data is stored and who has access.
- Discuss cloud risk implications and stakeholder concerns. Most cloud projects are driven by IT and focus on specific technologies. To deliver organizational value and minimize risk exposure, such initiatives should be aligned to the organization’s business strategies. The Board or risk management governance committees’ active engagement and oversight are essential prerequisites for the success of a cloud security program.
Mitigate cloud security and compliance threats
- Identify key security threats in the cloud. Security risks of cloud computing may include compliance violations, identity theft, malware infections, data breaches, diminished customer trust, and potential revenue loss.
- Evaluate the role and limits of assurance. Identify and review data storage issues raised by multi-tenancy, such as how different clients’ assets are segregated and what assurances about separation can be provided to the data owners.
- Review compliance requirements. Legal opinion should be sought to ensure that regulatory requirements are addressed for specific organizational needs related to HIPAA, PCI-DSS, and other security regulations.
- Develop an action plan of steps to mitigate cloud security threats. Consider utilizing a Single Sign-on solution and implementing end-to-end encryption.
Address cloud availability and reliability challenges
- Discuss availability and reliability challenges. Confirm that the cloud solution will be available and reliable; consider continuity planning and ensure that a defined set processes are in place to manage and reclaim data should the service cease permanently.
- Review current recovery capabilities and requirements. Ensure the organization has the required network connectivity, bandwidth, and proper technology to enable adequate services from a cloud provider. For example, when the internal network goes down or becomes unstable, employees cannot access any applications hosted on the cloud.
- Assess mitigation tactics for availability and reliability risks. Organizations have to make sure that security is built into their cloud infrastructure – which includes selecting the right cloud deployment option from a supplier who can offer the right security measures.
Assess cloud integration challenges
- Understand integration challenges in the cloud. Integration plays a vital role in the cloud as it ensures that applications, infrastructure, and data with interdependencies maintain their connections.
- Review current integration processes and plans. Consider cloud service brokers, which provide an intermediate layer between multiple cloud vendors and users while offering services such as selection, aggregation, integration, performance management, and security. They should be able to unify legacy services and new multi-sourced cloud-based offers into a common management platform and provision preconfigured applications as part of a service integration solution.
- Outline application relationships and integration challenges. Review list of applications that may potentially move to the cloud. Determine if any applications should remain on-premise.
Identify the impact on internal infrastructure
- Identify impacted infrastructure and data components. Putting in place the right enterprise architecture framework, which contains the processes, products, tools, and techniques needed to create a complete IT system architecture for all infrastructure.
- Determine cloud infrastructure requirements. A security architecture model may be useful during security architecture design. Conceptual security services can be grouped into high-level areas such as hosting, security governance, compliance, integrity, availability, cryptography, risk, and access management.
Identify required staff resources and costs
- Understand the shift in IT responsibility. To effectively manage cloud service providers and appropriately staff the internal IT department, IT expertise and roles must be inventoried and appropriately resourced. Identify changes to existing staff resourcing.
- Review Service Level Agreements (SLAs) and contract. The help desk team may need to contact vendors directly to log tickets or go through the IT vendor management team. SLAs should clearly set expectations with users about the time to resolve issues. If these expectations are realistic and based on vendor SLAs, end-users should remain satisfied. Some internal SLAs may need to change to accommodate new cloud vendor SLAs.
- Evaluate Total Cost of Ownership (TCO) for cloud services. A TCO analysis involves creating a breakdown of expenses related to implementing cloud services. These costs are generally divided into four categories: ISP bills, staffing, hardware, and software. Vendors may provide calculators to help determine costs but consider the physical environment, application, process, and people. Keep in mind the different cloud deployment and support models, noting which models might be the best for you, as they affect the cost.
Although this list is a high-level review of a cloud security strategy, organizations should gain buy-in from senior leadership. Providing awareness training to senior leadership and the Board may improve chances for cloud computing adoption. Cloud computing presents many security issues. The organization should understand its respective role and the security issues inherent in cloud computing.