Last month, Salesforce.com and Philips announced their plan to build an open cloud-based healthcare platform. In the initial application, this “platform” will allow healthcare software developers, producers of medical services, insurance companies, and healthcare providers to monitor patients with chronic conditions. Healthcare information utilizing digital patient-sensing devices (internet of things) send information to the cloud to be remotely processed and monitored, allowing healthcare providers to prioritize care.
The choice of healthcare as the first industry play by a customer management software-as-a-service (SaaS) company like Salesforce.com makes sense as the healthcare industry requires the most collaboration.
It’s also a bold choice from a security perspective. If you’ve ever sat down and filled out insurance and healthcare provider forms, you know that there is a lot of confidential information that is shared – from social security numbers, bank information to personal healthcare history. The healthcare industry was warned by the FBI in April that they were “not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely”, and attacks have already been documented, in this example of the Romanian hacker who attacked the Vermont health exchange.
The reality is that the healthcare industry is just one of many that will tap into the innovation possibilities of the cloud and Internet of things. The world of cloud computing will become infinitely more interesting and at the same time more challenging. Imagine mass transit networks with thousands of sensors that send information about the status of buses, trains and light rail environments to the cloud to be processed, or remote oil, gas and mining stations with management sensors because of their hard-to-get-to locations. Application enablement platforms for the Internet of things are being developed as we speak.
Privacy and Security Concerns
Of course, this means that the intersection of cloud and Internet of Things (IoT) will also usher in a new era of privacy and security concerns.
Today, significant enterprise files, spreadsheets and proprietary intellectual data already reside in cloud applications like Salesforce.com, Google Apps and Box. As the era of Internet of Things dawns, the amount of data within these applications and other cloud applications developed for unique industries will increase, and be accessed by an interconnected ecosystem of organizations, networks and devices.
In order to truly embrace this intersection of cloud and Internet of things, security is a key requirement that requires collaboration between cloud providers and enterprises.
Understanding the Responsibilities
The division of security responsibilities between cloud providers and enterprises need to be understood. Attacks at the physical or infrastructure layer–physical security, data center security, denial-of-service attacks–these are all the domain of the cloud provider. Cloud providers that offer software-as-as-a-service provide additional application layer capabilities like protection against web vulnerabilities, SQL injection attacks and configuration error vulnerabilities. As part of the due diligence to identity the right cloud provider application, enterprises can investigate the security controls that have been deployed, and negotiate for access to incident and vulnerability data.
However, access to, usage and security of the data being hosted at the cloud provider continues to be the responsibility of the enterprise. Think of it like making sure your cars are locked and valuables hidden when you park at a parking garage. Or locking your door and windows even when you have signed up for a burglar alarm service at your house.
Rethinking Security
Unfortunately, while some legacy security controls can extend to infrastructure-as-a-service (think virtualized firewalls on Amazon EC2), they fall short for software-as-a-service. Existing security solutions like firewalls may provide some visibility into the cloud application, for example, when user “John Doe” accesses salesforce.com, but will not understand the myriad of transactions within the application, how data can be exfiltrated, and the unique attack vectors. VPN solutions enable secure access to the cloud application, but are completely blind when the user is accessing via an unmanaged mobile device or unsecured networks.
Security for SaaS applications is also different from legacy malware and APT prevention solutions. The likely culprits for a breach will be insiders – malicious insiders downloading inappropriate data, errant insiders that accidentally expose files to the public, and compromised insiders whose credentials have been stolen. This can only be detected with anomaly detection capabilities that can set the baseline for normal behaviors (and transactions) and detect deviations from the norm.
Enterprises (and any entity planning on using cloud exchanges or cloud applications delivered as a service) MUST consider new cloud security solutions that provide visibility into user activities, application transactions, and deliver governance and security. For example:
• Data Sharing Management – ensure content is being used and shared in a safe manner
• User Management – monitor user activities, monitor users with excessive privileges and deprovision users who have left the company
• Compliance Management – comply with regulatory mandates and legal eDiscovery mandates
• Security Management – understand vulnerabilities, and risky and anomalous behaviors that may be indicative of a breach
It is only when we start looking at security for cloud and IOT differently from traditional enterprise security challenges can the promises of innovation truly become a reality.