Careful planning is key to mitigate risks of moving to the cloud
Creating a safe and compliant cloud infrastructure is a challenging task, but it’s far easier to achieve up front than it is to retrofit and remediate later.
As more organizations migrate to the cloud, many assume the risks are similar to their internal data centers—nothing new to worry about. Others assume their cloud service providers will take on whatever risks are uniquely associated with the cloud.
So it can come as a costly and time-consuming surprise when organizations not only discover new risks in the cloud, but also find they're responsible for managing and mitigating them.
To complicate matters, the cloudscape is in continuous flux as risks and compliance demands evolve. Regulations are increasing, including SOX (U.S. Congress’s Sarbanes-Oxley Act), PII (Personally Identifiable Information), PCI (Payment Card Industry) and the European Union's recent GDPR (General Data Protection Regulation). Threat actors expose organizations to ever-evolving dangers, including data breaches (such as Equifax) and cryptojacking (such as Tesla).
Organizations that consider and address these risks in their cloud strategy are better equipped to make a successful migration. Creating a safe and compliant cloud infrastructure is a challenging task, but it's far easier to achieve up front than it is to retrofit and remediate later.
If an organization is thinking about migrating to the cloud, now's the time to look at the security and compliance issues that are unique to the environment.
Secure your data’s new home
The cloud presents security and compliance issues in which healthcare IT executives need to be aware as they plan a migration.
With data centers, security and controls are fortress-like, with a centralized infrastructure and specific entry and exit points. The perimeters are managed to ensure that everything inside can be safe and trusted.
The cloud, on the other hand, is comprised of a group of independent services, with each group responsible for its connectivity, security and operations. For many non-infrastructure engineering teams, this will be a new responsibility and, worse yet, these teams may not even realize it is their responsibility in the first place.
Data security is not the only consideration; costs must be controlled differently, too. Cloud scalability means that both internal employees and external threat actors can spin up unlimited amounts of compute or storage at significant costs. This differs from data centers, where users are physically constrained by the number of machines available for use.
Just as the risks differ, so do the approaches to mitigation. Applying the same methods in the cloud as would be used in a data center will limit the value and flexibility executives hoped to gain from the cloud—eroding the reasons for migrating in the first place. New risks call for new methods.
Identifying the risks
There is no "one size fits all" set of methods to manage risks in the cloud. The risks are unique to each environment and use case.
When an organization has a specific use case, the IT team can build controls around it. Develop a cloud control framework based on those identified security risks. Consider current applicable regulations—including SOX, PCI, PII and GDPR. For guidance, look at previous risk models and at best practices on cloud risks.
Be alert to control overlap when developing a framework to avoid multiple controls addressing the same risk. Leverage the cloud service provider and internal risk/security experts to mitigate these risks as part of an overall migration plan. Finally, never underestimate the value of identifying all the risks, or the time it will take to do it right.
Controls not inherent to the cloud
Cloud service providers, such as Amazon Web Services, take a "building blocks" approach by providing tools that can help organizations gain compliance in the cloud, but they do not manage compliance directly. Furthermore, the same cloud service providers make it exceedingly simple for individual teams to begin their migrations independent from the organization.
For example, we’ve seen teams independently move applications and data to the cloud using personal credit cards, under the assumption that it is as secure as it was with the data center. In some cases, this has unknowingly enabled direct inbound access to migrated data, in a manner that could not otherwise be detected in a centralized method by IT.
As an organization starts its migration, consider the IT teams, the progress they may have already made and their understanding of cloud risks. Ensure that the team has an effective method of communicating and reinforcing the cloud strategy, as well as monitoring and enforcing compliance right from the start.
Cloud controls are evolving
Cloud controls are rapidly evolving in response to the world around them. Today, the big headline may be cryptojacking. Tomorrow, it will be something else. But most major issues never really go away; they just recede into the background as new ones emerge.
Regulatory compliance issues are also changing in response to demands on emerging issues. Auditors face a learning curve that may impact business as new technology shakes up their previous understanding of the world. And as data privacy regulation matures, the requirements are growing more arduous (PCI, GDPR).
Fierce competition drives cloud service providers in the race to offer continuous innovation and improvements, with a major focus on controls. Expect to see new solutions come up on a regular basis.
Plan on new vendor relationships
Vendor relationships and engagement models will change significantly when an organization moves to the cloud. How will support organizations and processes need to change to work with them? Who's in control of what?
Plan ahead and ask security teams what questions and expectations they have for cloud service providers. Pay close attention to matters of access, privacy and compliance.
Any major IT change comes with risks. To make a successful migration to the cloud, an organization needs to identify and address these risks early on. Plan ahead for the journey, and the transition will be safer and smoother, ensuring optimal use of the new environment.
So it can come as a costly and time-consuming surprise when organizations not only discover new risks in the cloud, but also find they're responsible for managing and mitigating them.
To complicate matters, the cloudscape is in continuous flux as risks and compliance demands evolve. Regulations are increasing, including SOX (U.S. Congress’s Sarbanes-Oxley Act), PII (Personally Identifiable Information), PCI (Payment Card Industry) and the European Union's recent GDPR (General Data Protection Regulation). Threat actors expose organizations to ever-evolving dangers, including data breaches (such as Equifax) and cryptojacking (such as Tesla).
Organizations that consider and address these risks in their cloud strategy are better equipped to make a successful migration. Creating a safe and compliant cloud infrastructure is a challenging task, but it's far easier to achieve up front than it is to retrofit and remediate later.
If an organization is thinking about migrating to the cloud, now's the time to look at the security and compliance issues that are unique to the environment.
Secure your data’s new home
The cloud presents security and compliance issues in which healthcare IT executives need to be aware as they plan a migration.
With data centers, security and controls are fortress-like, with a centralized infrastructure and specific entry and exit points. The perimeters are managed to ensure that everything inside can be safe and trusted.
The cloud, on the other hand, is comprised of a group of independent services, with each group responsible for its connectivity, security and operations. For many non-infrastructure engineering teams, this will be a new responsibility and, worse yet, these teams may not even realize it is their responsibility in the first place.
Data security is not the only consideration; costs must be controlled differently, too. Cloud scalability means that both internal employees and external threat actors can spin up unlimited amounts of compute or storage at significant costs. This differs from data centers, where users are physically constrained by the number of machines available for use. Just as the risks differ, so do the approaches to mitigation. Applying the same methods in the cloud as would be used in a data center will limit the value and flexibility executives hoped to gain from the cloud—eroding the reasons for migrating in the first place. New risks call for new methods.
Identifying the risks
There is no "one size fits all" set of methods to manage risks in the cloud. The risks are unique to each environment and use case.
When an organization has a specific use case, the IT team can build controls around it. Develop a cloud control framework based on those identified security risks. Consider current applicable regulations—including SOX, PCI, PII and GDPR. For guidance, look at previous risk models and at best practices on cloud risks.
Be alert to control overlap when developing a framework to avoid multiple controls addressing the same risk. Leverage the cloud service provider and internal risk/security experts to mitigate these risks as part of an overall migration plan. Finally, never underestimate the value of identifying all the risks, or the time it will take to do it right.
Controls not inherent to the cloud
Cloud service providers, such as Amazon Web Services, take a "building blocks" approach by providing tools that can help organizations gain compliance in the cloud, but they do not manage compliance directly. Furthermore, the same cloud service providers make it exceedingly simple for individual teams to begin their migrations independent from the organization.
For example, we’ve seen teams independently move applications and data to the cloud using personal credit cards, under the assumption that it is as secure as it was with the data center. In some cases, this has unknowingly enabled direct inbound access to migrated data, in a manner that could not otherwise be detected in a centralized method by IT.
As an organization starts its migration, consider the IT teams, the progress they may have already made and their understanding of cloud risks. Ensure that the team has an effective method of communicating and reinforcing the cloud strategy, as well as monitoring and enforcing compliance right from the start.
Cloud controls are evolving
Cloud controls are rapidly evolving in response to the world around them. Today, the big headline may be cryptojacking. Tomorrow, it will be something else. But most major issues never really go away; they just recede into the background as new ones emerge.
Regulatory compliance issues are also changing in response to demands on emerging issues. Auditors face a learning curve that may impact business as new technology shakes up their previous understanding of the world. And as data privacy regulation matures, the requirements are growing more arduous (PCI, GDPR).
Fierce competition drives cloud service providers in the race to offer continuous innovation and improvements, with a major focus on controls. Expect to see new solutions come up on a regular basis.
Plan on new vendor relationships
Vendor relationships and engagement models will change significantly when an organization moves to the cloud. How will support organizations and processes need to change to work with them? Who's in control of what?
Plan ahead and ask security teams what questions and expectations they have for cloud service providers. Pay close attention to matters of access, privacy and compliance.
Any major IT change comes with risks. To make a successful migration to the cloud, an organization needs to identify and address these risks early on. Plan ahead for the journey, and the transition will be safer and smoother, ensuring optimal use of the new environment.
More for you
Loading data for hdm_tax_topic #better-outcomes...