At the end of the day, for us in DevSecOps teams, everything revolves around risk management, even in the highly regulated healthcare industry. Compliance to medical records and privacy concerns is a driver, so development and security professionals must take aggressive steps to prioritize risk management as the healthcare industry continues to be a frequent target by bad actors. According to Gartner, global end-user spending on public cloud services is projected to increase 18.4% to $ 304.9 billion in 2021, compared to $ 275.5 billion in 2020. “The pandemic has confirmed the value proposition of the cloud “Said Gartner Research Vice President Sid Nag said.
According to McAfee, the financial loss from cybercrime goes beyond healthcare, at an estimated cost of $ 945 billion in 2020. For those working in the healthcare industry, know that a 2020 security breach analysis report from IBM and the Ponemon Institute found that healthcare breaches are the most costly. In other words, risk management is not expensive.
Gartner also reported that COVID-19 has forced companies to save cash and optimize IT costs, support and protect remote workers, and ensure resilience. And the cloud has become a convenient means of addressing all three. If this scenario sounds familiar to your business, here are four things to keep in mind that will help protect data in the cloud.
1. Health organizations need to improve their security position
There are few industries outside of healthcare where the data stored is personal enough that if lost, it can last a lifetime. From medical records to insurance information to financial accounts and social security numbers (SSNs), health organizations store a lot of personally identifiable information (PII). For example, if this valuable data is accessed and SSNs are stolen, that breach can have a long-lasting, lifelong effect on your patients because these PIIs never change. Aside from the regulatory concerns, this could also lead to long-term reputational damage for a healthcare organization.
In order to improve a company’s data collection and security status, there are two things you need to keep in mind: Store and manage only business-relevant data and ensure that the relevant data is stored securely.
First, let’s look at data storage. Before your company collects, stores, or manages data, it is critical to understand the data. By adopting a minimal data collection concept, organizations can filter out unnecessary information collection by asking a simple question: Do we even need this data? Then conduct an analysis to determine whether the data is sensitive and whether the storage and management of the data is actually necessary to maintain business functionality.
Take care of security now. A significant number of recent security breaches have resulted from simple data storage misconfigurations. Organizations need to understand what data needs to be collected and how it needs to be stored, and there needs to be automated security scanning processes in place to regularly review the attack surface. This automation protects against unintentional configuration changes that leave data exposed. Security scans could include the implementation of automated tools to ensure that external attack surfaces are not easily accessible to script kiddies who are also running similar tools on the Internet. Make it harder for them to perform manual penetration tests to identify exploitable areas.
2. Threat modeling is critical to threat detection
To take these threat detection initiatives to the next level, organizations should begin investigating design flaws that tools and automation cannot detect. DevSecOps teams can do this through threat modeling.
Organizations need to use threat modeling to uncover the ins and outs of how their systems work and interact and determine if they pose a threat. Identify who is trying to attack your systems and where resources are located in order to understand potential attack vectors and best enable appropriate security controls.
Threat modeling requires people to think critically and be smart. With threat modeling, you identify which assets are in your systems and which threat actors to watch out for. On this basis, you define the threat vectors that the attackers would use to try to gain access to your assets. With this information, you can begin assigning trust zones in your systems, see how these interactions are happening, and verify that you have the correct controls in place, such as authentication, authorization, encryption, and error handling and logging.
3. Bring design and security together with secure code review
A recent report from the Ponemon Institute showed that 71% of application security professionals believe security is being undermined by developers who do not include appropriate security features at the beginning of the software development lifecycle (SDLC). However, by bringing together application security and DevOps teams in a collaborative Secure Code Review (SCR) process, vulnerabilities can be addressed prior to cloud deployment.
Like threat modeling, SCR is a manual process that identifies vulnerabilities that automated scanners cannot detect. By adopting SCR before the first line of code is written – or as soon as possible in SDLC – organizations can identify real vulnerabilities before deploying them to the cloud. This helps increase team productivity and prevents future outside attacks. Advantageously, this also has the positive effect that the test costs for weak points recognized too late in the SDLC are reduced.
4. Being in the cloud does not guarantee security
Never take security for granted. For example, just because you’re in the cloud and have vendors who provide certain basics of security control and protection doesn’t mean you don’t have to worry about security and protection anymore. Case in point: You might deploy your software in the cloud, but if the software has vulnerabilities, current protections might not make sense. It’s important to continue to insist on the fundamentals such as SCR, threat modeling, and other practices that are part of traditional deployments to understand the risk implications of the decisions you make prior to deploying to the cloud.
For example, AWS and Azure have implemented extensive security efforts in the cloud computing space, but it is important to understand that cloud security is a shared responsibility of vendors and organizations. While cloud providers provide the underlying security for the platform infrastructure, customers still need to securely configure cloud services.
This is where cloud pen testing becomes critical for businesses. Cloud pen tests are used to identify security flaws in cloud infrastructures and provide actionable guidance on how to fix the vulnerabilities in order to improve security and compliance.
Unfortunately, one of the challenges today is that organizations view security as an obstacle or overhead, a belief that can have a negative impact, especially when data is stored in the cloud. On the positive side, the whole purpose of cloud-based systems is the ability to scale on demand and be elastic.
In fact, security can also help make systems of much better quality scalable and reusable while at the same time managing risk. Over time, in building a safety culture, mature health organizations – preferably all organizations – should not only develop standards for accessibility, usability, and availability, but also insist on safe design standards for risk management.
About the author
Nabil Hannan is the managing director of NetSPI. He leads the company’s consulting practice, focused on helping clients resolve their cybersecurity assessment and threat and vulnerability management needs. Hannan has over 13 years of experience in cybersecurity consulting from his work at the Cigital / Synopsys Software Integrity Group, where he built and improved effective software security projects such as risk analysis, pen testing, SCR and vulnerability remediation, among others.