The secret to cloud security: elasticity
As healthcare organizations increasingly move systems and data to the cloud, the inevitable question of security arises. How do I secure the cloud? Where do I secure the cloud? What do I secure in the cloud? How do I protect cloud-based data from ransomware attacks? These are critical questions for healthcare CIOs and CISOs.
“A lot of standard practices we use on our premise don’t usually get implemented in the cloud, which is a common challenge we see with organizations moving data to the cloud,” said Donald Meyer, head of marketing, data center and cloud security at Check Point Software Technologies, a cybersecurity technology and consulting firm. “Healthcare organizations invest a lot of money and time in building out a very robust infrastructure to protect physical networks they own, but when they move to the cloud, they tend not to bring those same technologies over.”
When thinking about protecting cloud assets from ransomware and other threats, security professionals must be cognizant of how security is built for physical networks and who is responsible for what in a cloud setting.
“The build of many security technologies is for static, manually intensive networks, and the cloud is much more dynamic; the static networks we are accustomed to don’t translate well to the cloud,” Meyer said. “And then there is the shared responsibility model. Cloud providers will protect the infrastructure, but as a consumer or an organization, whatever I carve out of the cloud, it is my responsibility to protect the data I place there.”
Cybercriminals use many techniques to probe the Internet for IP addresses that stem from cloud providers. When they see new IP addresses and IP ranges, the criminals immediately start probing them to see what kinds of protection they have and how the infrastructure is organized so they can start planning a targeted attack.
Another way cybercriminals get to cloud-based systems and data is through social media.
“Spear-phishing is still a very common vector that organizations get fooled into, especially organizations that use cloud infrastructure for their model,” Meyer said. “Things will get started with spear-phishing and users will inappropriately click things and infect their machines and through their machines hackers will look at what else users have access to and they can then get access to the cloud resources there.”
Don’t forget the human element to cloud security and that includes IT and development staff. The solution is intensive security training.
“The people who are now defining the cloud infrastructure, the dev-ops or the cloud architecture, are not necessarily trained with a security discipline, and a lot of the time they are doing things that have security implications,” Meyer said. “Best practices for security may not be translated into these new elements.”
As for technological security answers to protecting the cloud, they must be designed quite specifically with the cloud in mind, something that can be overlooked as healthcare executives get increasingly comfortable with security systems for physical networks.
“To work with the cloud, it has to be designed to be as dynamic and elastic and automatic as the cloud,” Meyer said. “You don’t want something manually intensive because it will slow down the cloud in what it is best used for. So you don’t want to be locked into a technology that will hinder the ability of the cloud to deliver its great benefits, or, at the same time, open you to malware being able to propagate itself within that cloud and potentially find a way to get back into your offices.”
With physical and cloud networks in operation, Meyer said, healthcare CIOs and CISOs should be able to see everything from a single point of view for consistent enforcement no matter the location.