Developing a Cloud Security Roadmap - March 2, 2016 - Gary Seay, Chris Bowen (PowerPoint presentation)

SLIDE 1

Developing a Cloud Security Roadmap

March 2, 2016

Gary Seay, Former CIO, Community Health Systems

Chris Bowen, Founder, CPSO, ClearDATA

SLIDE 2

Conflict of Interest

Gary Seay: Has no real or apparent conflicts of interest to report.

Chris Bowen, MBA, CISSP, CIPP/US, CIPT: Has no real or apparent conflicts of interest to report.

SLIDE 3

Agenda

Healthcare Data Under Attack
  • Trends and Sources of Healthcare Data Breaches

Security Roadmap Essentials
  • Defense in Depth
  • A Closer Look
  • Shared Responsibility Model

Threat Diligence: On or Off Premise

Conclusion

CB

SLIDE 4

Learning Objectives

  1. Evaluate primary causes of data breaches as they relate to current health system infrastructure
  2. List major considerations for selecting a cloud computing vendor
  3. Assess benefits of cloud platforms beyond security, including cost savings and data analytics
  4. Recognize key layers of a “Defense in Depth” approach to healthcare data security

CB

SLIDE 5

Our Healthcare Data is under Attack!

Health records breached in 2015 alone: 115,000,000, an increase of 10x over 2014.

CB

Source: CSO Online http://www.csoonline.com/article/3026661/data-breach/over-113-million-health-records-breached-in-2015-up-10-fold-from-2014.html

SLIDE 6

The Role of the Healthcare Network

[Network diagram: care sites (Regional Medical Center, Physician Home Office, Secondary Care Hospital, Affiliate Office, Community Health Center, Military/Prison Health) connected through Enterprise Wireless, SMB Wireless, VoIP Phone, VoIP Conference Phone, Immersive Telepresence, Telemedicine, Data Exchange, Patient Consent, Mobile EMR Access, EMR Integration, Health Collaboration, Remote Radiology and Remote Monitoring]

 Learning Objective: 1

CB

SLIDE 7

The Role of HIT in the Patient Journey

[Patient journey diagram: Injury Occurs; Ambulance Takes Patient to Clinic; Preliminary Treatment at Local Clinic; Patient Transferred to Hospital; Post Procedure Care. HIT touchpoints along the journey: Patient Record, Patient Monitoring, Care Collaboration, Monitoring System, Patient X-ray, EMR, Patient Consent, Patient Management, Patient Services, Continuous Monitoring, Further Tests, Patient Care, Telemedicine, Med Mgmt, Home Monitoring]

 Learning Objective: 1

CB

SLIDE 8

The Data Security Imperative

  • 91% of small North American healthcare practices have been breached.
  • 70% aren’t confident that their budget meets risk management, compliance, and governance requirements.
  • Six in ten security systems aren’t mature enough to detect or react to data breaches.

 Learning Objective: 1

CB

SLIDE 9

The Data Breach Epidemic

  • 94% of providers have suffered at least one data breach in the last two years.
  • Nearly 50% have experienced more than five data breaches.

 Learning Objective: 1

CB

SLIDE 10

Incident Patterns: Verizon’s Nefarious Nine

Source: Verizon 2015 Protected Health Information Data Breach Report

 Learning Objective: 1

93% of PHI breaches exhibit nine incident patterns; just 3 patterns describe 85% of incidents.

  Incident Pattern        Incidents
  Lost & Stolen Assets    807 (45.4%)
  Privilege Misuse        361 (20.3%)
  Miscellaneous Errors    357 (20.1%)
  Everything Else         119 (6.7%)
  Point of Sale            68 (3.8%)
  Web Applications         33 (1.9%)
  Crimeware                25 (1.4%)
  Cyber-Espionage           6 (0.3%)
  Card Skimmers             0 (0.0%)

CB

SLIDE 11

Most Hackers Invest Limited Time

CSO Online - Survey: Average successful hack nets less than $15,000

http://www.csoonline.com/article/3028787/cyber-attacks-espionage/survey-average-successful-hack-nets-less-than-15-000.html

Average Hacker Time Investment

  • 70 hours per attack against "typical" IT security infrastructure
  • 147 hours battling "excellent" IT security infrastructure
  • Give up completely after 209 hours.

Average Return

  • Make Less Than $15,000 per attack
  • Average less than $29,000 per year

Cyber Attacks

“If you can delay them by two days, you can deter 60 percent of attacks.”

Scott Simkin, senior threat intelligence manager at Palo Alto Networks

SLIDE 12

Security Roadmap Essentials

 Learning Objective: 4

[Layered diagram: Multi-level Security (User, Process, Device); Data & Application Security; Physical Infrastructure; Network Security; System Security (air-tight, properly configured). Defense in Depth and Defense in Breadth are applied across each use case to the appropriate level: reduce attack surfaces, deploy crypto keys, create secure people, processes & systems.]

JGS

SLIDE 13

Defense in Depth: Multi-level User

 Learning Objective: 4

Cloud Service Provider
  • Leverage CSP policies and procedures as extensions of your own
  • Leverage RBAC tools
  • Use CSP team for Segregation of Duties

Multi-Level User
  • Regular security awareness training
  • Cyclical policies and procedure review
  • Convenient policies & procedures access
  • Background checks
  • On and off boarding checklists
  • Minimum Necessary, Role Based Access Controls (RBAC)
  • Segregation of Duties
  • Fair and equal sanctions
  • Whistleblower hotline

JGS

SLIDE 14

Defense in Depth: Device & Workstation

 Learning Objective: 4

Cloud Service Provider
  • Leverage anti-virus / anti-malware
  • Leverage content filters
  • Leverage password expiration & support policies
  • Leverage remote wipe features
  • Prohibit storing PHI on devices or workstations, leveraging controls

Device & Workstation
  • Screen lock (15 minutes)
  • One user, one account
  • Anti-virus, anti-malware
  • Appropriate use of network resources (questionable sites, prevent drive-by downloads)
  • Keep credentials secure and fresh
  • Enable remote-wipe
  • Prohibit PHI storage on device or workstation

JGS

SLIDE 15

Defense in Depth: Physical Infrastructure

 Learning Objective: 4

Cloud Service Provider
  • Keep your data in a secure physical facility at no extra cost to you
  • Use physical access controls: gates, guards, biometric two-factor authentication, surveillance
  • CSP can be your hands on the ground - no need to access the data center

Physical Infrastructure
  • Access controls
  • Surveillance
  • Workstation timeouts
  • Appropriate use of locks for sensitive areas
  • Limited entry points
  • Physical barriers

JGS

SLIDE 16

Defense in Depth: Network

 Learning Objective: 4

Cloud Service Provider
  • Leverage IDS / IPS
  • Reduce inventory of firewalls, VPNs, and other network assets
  • Leverage SIEM for your own use
  • Let CSP analyze logs for you
  • Let CSP manage your port restrictions and regular port reviews
  • Let CSP detect and alert you of anomalous activity

Network Security
  • Formal network and acceptable use policy
  • Active network asset inventory: firewalls, VPNs, IPS/IDS, content security, wireless access points, identity management
  • Know your data, and its logical flows
  • Lock down traffic that could touch PHI
  • Review settings regularly
  • Visualize network activity
  • Implement a SIEM
  • Manage logs effectively

JGS

SLIDE 17

Defense in Depth: System Server / OS

 Learning Objective: 4

Cloud Service Provider
  • Leverage hardening templates of your CSP
  • Let your CSP do patching for you
  • Leverage your CSP’s tools for backup/restore testing
  • Let your CSP collect audit artifacts required for compliance and investigation

System Server / OS
  • Understand server relationships to sensitive data
  • Maintain up-to-date vendor software versions/patches
  • Perform penetration tests and vulnerability scans on server ecosystem
  • Server/OS hardened to standards
  • Backup/restore testing regularly performed
  • Logging enabled and preserved

JGS

SLIDE 18

Defense in Depth: Data & Applications

 Learning Objective: 4

Cloud Service Provider
  • Leverage Web Application Firewalls from your CSP
  • Let CSP help design your tier-based system
  • Leverage security expertise of CSP to restrict traffic in secure zones
  • Let CSP help you perform penetration testing
  • Use CSP’s solution for vulnerability scanning
  • Let CSP manage log preservation

Data & Applications
  • Understand application relationship to sensitive data
  • Maintain up-to-date software versions
  • Ensure vendor provides support and patches
  • Perform security and privacy reviews on applications
  • Perform penetration tests and vulnerability scans on key applications
  • Enabled and preserved logs

JGS

SLIDE 19

Defense in Breadth: Reduce Attack Surfaces

 Learning Objective: 4

Cloud Service Provider
  • Automated port reviews and network traffic analysis
  • Opinionated, purpose-built hardening templates
  • Vulnerability management
  • 24x7 security monitoring
  • Automated policy enforcement

Reduce Attack Surfaces

General
  • Secure the right boundary

Network Surface
  • Close unnecessarily open ports
  • Adopt white-list models to reduce port traffic
  • Keep things simple - eliminate expired or unnecessary rules

Software Surface
  • Build security into applications
  • Reduce the amount of running code

Physical Surface
  • Enforce strong authentication
  • Laptop encryption

JGS
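The network-surface checks on this slide (close unnecessarily open ports, adopt a white-list model, eliminate expired or unnecessary rules) can be turned into a periodic rule review. The Python below is an added example, not code from the presentation or from ClearDATA; the ruleset, the approved port set, the review date and the `audit` function are all constructed for illustration.

```python
from datetime import date
from ipaddress import ip_network

# Constructed sample ruleset (not from the presentation): inbound allow rules
# for a segment that handles PHI. "expires" is the rule's documented end date.
RULES = [
    {"id": "r1", "src": "10.20.0.0/16", "port": 443, "expires": None,
     "purpose": "EMR web tier from clinic LAN"},
    {"id": "r2", "src": "0.0.0.0/0", "port": 3389, "expires": None,
     "purpose": "vendor remote support"},
    {"id": "r3", "src": "198.51.100.7/32", "port": 22,
     "expires": date(2015, 12, 31), "purpose": "migration contractor"},
    {"id": "r4", "src": "10.20.0.0/16", "port": 8080, "expires": None,
     "purpose": ""},
]

# Ports the segment is documented to serve: the white-list. Anything else is
# an "unnecessarily open port" in the slide's terms.
APPROVED_PORTS = {443, 22}

# Review date assumed for the example (the presentation date).
REVIEW_DATE = date(2016, 3, 2)


def audit(rules, approved_ports, today):
    """Return (rule id, finding) pairs for the slide's network-surface checks:
    expired rules, internet-wide sources, ports outside the white-list, and
    rules with no documented purpose (a sign the rule is unnecessary)."""
    findings = []
    for r in rules:
        if r["expires"] is not None and r["expires"] < today:
            findings.append((r["id"], "expired rule still active"))
        if ip_network(r["src"]).prefixlen == 0:  # 0.0.0.0/0 or ::/0
            findings.append((r["id"], "open to any source"))
        if r["port"] not in approved_ports:
            findings.append((r["id"], "port not on approved white-list"))
        if not r["purpose"].strip():
            findings.append((r["id"], "no documented purpose"))
    return findings


def ids_to_review(findings):
    """Distinct rule ids that need an owner decision (tighten or delete)."""
    return sorted({rule_id for rule_id, _ in findings})


def review():
    """Run the audit over the constructed ruleset as of REVIEW_DATE."""
    return audit(RULES, APPROVED_PORTS, REVIEW_DATE)


if __name__ == "__main__":
    for rule_id, finding in review():
        print(f"{rule_id}: {finding}")
    print("rules to review:", ids_to_review(review()))
```

Feeding the script an exported ruleset on a schedule gives the "regular port reviews" the slide asks for, with each finding tied to a rule id an owner can act on.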

SLIDE 20

Defense in Breadth: People

 Learning Objective: 4

People / Cloud Service Provider (the same controls are listed in both columns)
  • Security awareness training
  • Social engineering drills
  • Background checks
  • Proper onboarding and offboarding
  • Sanctions
  • Workstation security

JGS

SLIDE 21

Summary of Cloud Cost Factors

 Learning Objective: 5

[Chart, Year 1 through Year 5: CAPEX (self-provisioning) with depreciation versus OPEX (cloud partner), where cost = fixed monthly + tax deduction]

Direct Costs
  • Server hardware
  • Network hardware
  • Hardware maintenance
  • Power and cooling
  • Data center space
  • Personnel/sophistication

Indirect Considerations
  • Server economies of scale / pay as you grow
  • Initial capital expenses or savings
  • Move from CapEx to OpEx
  • Reduced data center capital expenses
  • Reduced data center operational expenses
  • Reduced disaster recovery risk
  • Transparency of compute resources used/cost
  • Infrastructure peak load avoidance
  • Increased control and automation
  • Enhanced interoperability

JGS

SLIDE 22

Unmanaged Shared Responsibility Model

 Learning Objective: 3

Your Responsibility
  • Customer Data
  • Platform & Application Management
  • Operating System & Network Configuration
  • Client-side Data Encryption & Data Integrity Authentication
  • Server-side Encryption Provided by the Platform (Protection of Data at Rest)
  • Network Traffic Protection Provided by the Platform (Protection of Data in Transit)
  • Identity & Access Management (IAM)
  • Endpoints
  • Optional – Opaque Data: 0s and 1s (in transit / at rest)

Cloud Provider Responsibility
  • Foundation Services: Compute, Storage, Database, Networking
  • Global Infrastructure: Regions, Availability Zones, Edge Locations

JGS

SLIDE 23

Managed Shared Responsibility Model

 Learning Objective: 3

Your Responsibility
  • Customer Data
  • Platform & Application Management
  • Operating System & Network Configuration
  • Client-side Data Encryption & Data Integrity Authentication
  • Server-side Encryption Provided by the Platform (Protection of Data at Rest)
  • Network Traffic Protection Provided by the Platform (Protection of Data in Transit)
  • Identity & Access Management (IAM)
  • Endpoints
  • Optional – Opaque Data: 0s and 1s (in transit / at rest)

Managed Cloud Provider Responsibility
  • Foundation Services: Compute, Storage, Database, Networking
  • Global Infrastructure: Regions, Availability Zones, Edge Locations

JGS

SLIDE 24

Misconceptions About Moving to the Cloud

 Learning Objective: 5

  • Cloud is unattainable because my infrastructure costs have already been accrued
  • I can’t transfer my software licenses to a third party cloud provider
  • I simply cannot move everything to the cloud
  • Authentication systems are not yet equipped to traverse a hybrid cloud environment
  • Workloads require extremely low latency and our bandwidth may not support demand
  • Software versions are a little dated and don’t allow us to take advantage of new technologies
  • Our systems are architected in a manner that does not take advantage of content delivery via a content delivery network

JGS

SLIDE 25

Cloud Security Benefits

 Learning Objective: 5

  • Security rigorously updated for regulatory compliance & cyber threats
  • Security best practices are followed
  • Security features, services and competency out of reach to most can be provided at attractive price points
  • Security teams dedicated to helping customers: SAs, TAMs, Consultants, Trainers, Auditors, Security Engineers – all up to date on latest skills in security and compliance
  • Integration of cloud security controls into existing control frameworks
  • Regular third party audit / verification of robust security & cyber threat operations
  • Certifications, physical and network security, data privacy, encryption, auditability, and security best practices as part of the cloud solution

CB

SLIDE 26

Choosing a Healthcare Cloud Partner

 Learning Objective: 5

Technical Expertise & Industry Depth
  • Flexible and sophisticated network
  • High level of engineering and deployment experience
  • Speed and quality of execution
  • Understand healthcare uptime requirements, regulatory requirements, data flows, and integration points
  • Expert at safeguarding at each stage of the data lifecycle

Trust: Third Party Validation
  • Flexible risk assessments
  • HITRUST CSF Certification
  • SSAE 16 (e.g. SOC 1, SOC 2, etc.)

CB

SLIDE 27

Our Healthcare Data is under Attack!

Health records breached since 2009: 101,000,000. 70% occurred in the first 8 months of 2015 alone.

Source: Data Motion Health

CB

SLIDE 28

Questions

Chris Bowen
MBA, CISSP, CIPP/US, CIPT
Founder, Chief Privacy & Security Officer
chris.bowen@cleardata.com
Twitter: @chris_bowen
LinkedIn: https://www.linkedin.com/in/cbowen1

Gary Seay
Former CIO, Community Health Systems
Principal, josephgseay, llc. Advisory Services