Cloud Security and Lessons Learned from Healthcare.gov
There are 2 truths related to security in "The Cloud." Number one, "The Cloud" is not secure. Number two, applications in "The Cloud" can be secure.
Considering moving to "The Cloud?" Concerned about security?
OK, so that is probably everyone these days. As I have been reflecting on this topic for the last several weeks--and have been watching the nightly news--I wanted to see what lessons we can learn from the rollout of Healthcare.gov as they apply to Cloud security. (Note that this is not a political piece and pointing out the documented concerns related to the website is by no means meant to act as a commentary on the Affordable Care Act. Seriously.)
At the recent STC conference in Snowbird during the first week in October, I attended a fascinating session on Cloud security from the service provider perspective. Larry Bump, VP Operations at Echopass, gave a presentation that brought up several salient points to consider when evaluating the security of Cloud providers. Though Mr. Bump did not directly speak to the then-brand-new Healthcare.gov site, the general concerns that he addressed seemed to me, in the weeks that followed, to be rather timely as the now infamous rollout of Healthcare.gov proceeded.
Mr. Bump's presentation was centered on what areas prospective customers should evaluate when looking at different Cloud providers. One of the things he said that really stood out to me was that the most serious threat to many Cloud providers--the things that keep their security folks awake at night--are internal threats.
So much focus goes into protecting the data from the outside world, but what about the inside world? Who on the inside might have access to the data? Have these people been screened? Have background checks been completed to ensure they can be trusted with sensitive data?
In the case of Healthcare.gov, Secretary Sebelius says no. In fact, she even acknowledges that a convicted felon could possibly be hired as a "Navigator." While this is a pretty wildly hypothetical situation, it points out a critical point in evaluating cloud providers. Would you hand over your customer's data to a cloud provider who did not conduct regular background checks on their employees?
And it's not just Healthcare.gov either. Remember Wikileaks and Chelsea Manning? Remember the 250,000+ State Department cables released to the entire world? This was not an attack from the outside--this was a disgruntled employee copying the data onto a memory stick and giving it away to be posted on the Web.
The risk is obvious. There is an enormous responsibility on all organizations to protect their data from inside and outside attacks. And outsourcing to the cloud does not completely remove all responsibility--turning customer data over to an outside company without doing your homework could be seen as negligence in legal proceedings.
Another valuable lesson highlighted from the Healthcare.gov rollout was also a topic highlighted by Mr. Bump weeks before in his session. He emphasized the need to have an end-to-end security plan, along with proper testing. It is one thing to secure a database, but what about backups? Is the path to the backup process encrypted? Are all of the boundary crossings secure? Seems like common sense, right?
Once again, we learned from congressional hearings that this was not the case with the Healthcare.gov rollout. And while the hearings were predictably partisan, both sides expressed concern over the security issues, going so far as to recommend the site be shut down until the problems could be corrected.
Hindsight is 20/20, right? Well in this case, foresight was 20/20 as well, as the AP reported the following:
The Sept. 27 memo to Medicare chief Marylin Tavenner said a website contractor wasn't able to test all the security controls in one complete version of the system. Insufficient testing "exposed a level of uncertainty that can be deemed as a high risk," the memo said.
There are 2 truths related to security in "The Cloud." Number one, "The Cloud" is not secure. Number two, applications in "The Cloud" can be secure. The answer to the question of "who can you trust?" is to do your homework and draw the conclusion that your research suggests.
And asking about background checks and validation of end-to-end security testing is a good place to start.
The Society of Telecommunications Consultants is an international organization of independent information and communication technology (ICT) professionals serving clients in all business sectors and government worldwide.