It has been said that the “hero of a successful digital transformation is GRC.” The ISACA website states, “to successfully manage the risk in digital transformation you need a modern approach to governance, risk and regulatory compliance.” For GRC program development, it is important to understand the health information technology resources and tools available to enable long term success.
What is GRC and why it important?
According to the HIPAA Journal, the average cost of a healthcare data breach is now $9.42 million. In the first half of 2021, 351 significant data breaches were reported, affecting nearly 28 million individuals. The needs have never been more acute among healthcare providers, insurers, biotechnology and health research companies for effective information security and controls. Protecting sensitive data and establishing a firm security posture is essential. Improving health care and reducing cost relies on structured approaches and thoughtful implementation of available technologies to help govern data and mitigate risk across the enterprise.
Effective and efficient management of governance, risk, and compliance, or GRC, is fast becoming a business priority across industries. Leaders at hospitals and health systems of all sizes are looking for ways to build operating strategies that harmonize and enhance efforts for GRC. Essential to that mission are effective data governance, risk management, regulatory compliance, business continuity management, project governance, and security. But rather than stand-alone or siloed security or compliance efforts, a cohesive program coupled with GRC solutions allow for organizational leaders to address the multitude of challenges more effectively and efficiently.
What are the goals for I.T. GRC?
For GRC efforts, leaders are looking to:
Safeguard Protected Healthcare Data
Meet and Maintain Compliance to Evolving Regulatory Mandates and Standards
Identify, Mitigate and Prevent Risk
Reduce operational friction
Build in and utilize best practices
Managing governance, risk, and compliance in healthcare enterprises is a daunting task. GRC implementation for healthcare risk managers can be difficult, especially during this time of rapid digital and cloud transformation. But relying on internal legacy methods and tools leads to the same issues that have been seen on-premises, stifling innovation and improvement. As organizations adapt to cloud environments as a key element of digital transformation and integrated health care, leaders are realizing that now is the time to leverage the technology to implement GRC frameworks that accelerate their progress toward positive outcomes. What’s needed is expertise and a clear roadmap to success.
Cloud Automation of GRC
The road to success starts with a framework, aligned to business objectives, that provides cloud automation of Governance, Risk, and Compliance. Breaking this into three distinct phases, ideally this would involve:
Building a Solid Foundation – within the cloud environment, ensuring infrastructure and applications are secured before they are deployed.
Image/Operation System hardening automation pipelines.
Infrastructure Deployment Automation Pipelines including Policy as Code to meet governance requirements.
CI/CD Pipelines including Code Quality and Code Security.
Disaster Recovery as a Service (DRaaS) meeting the organization’s Business Continuity Planning requirements.
Configuration Management to allow automatic remediation of your applications and operating systems.
Cost Management strategies with showback and chargeback implementation.
Automatic deployment and enforcement of standard security tools including FIM, IDS/IPS, AV and Malware tooling.
IAM integration for authorization and authentication with platforms such as Active Directory, Okta, and PingFederate, allowing for more granular control over users and elevated privileges in the clouds.
Reference Architectures created for the majority of the organization’s needs that are pre-approved, security baked-in to be used in the infrastructure pipelines.
Self-service CMDB integration with tools such ServiceNow, remedy and Jira ServiceDesk allowing business units to provision their own infrastructure while providing the proper governance guardrails.
Resilient Architecture designs
Proper Configuration and Maintenance – Infrastructure misconfiguration is the leading cause of data breaches in the cloud, and a big reason misconfiguration happens is infrastructure configuration “drift,” or change that occurs in a cloud environment post-provisioning. Using automation to monitor and self-remediate the environment will ensure the cloud environment stays in the proper configuration eliminating the largest cause of incidents. Since workloads will live most of their life in this phase, it is important to ensure there isn’t any drift from the original secure deployment. An effective program will need:
Cloud Integrity Monitoring using cloud native tooling.
Log Management and Monitoring with centralized logging, critical in a well-designed environment.
Managed Services including patching to resolve issues.
SLAs to address incidents and quickly get them resolved.
Cost Management to ensure that budgets are met and there are no runaway costs.
Perimeter security utilizing cloud native and 3rd party security appliance and services.
Use of Industry Leading Tools – for risk assessment, reporting, verification and remediation. Thwart future problems and provide evidence to stakeholders that the cloud environment is rock solid. Tools and verification components would include:
Risk Registry integration into tools
Future attestations (BAAs)
Audit evidence generation
Where do you go from here?
Your organization needs to innovate faster and drive value with the confidence of remaining in compliance. You need to get to a proactive state instead of being reactive. Consider an assessment to help you evaluate your organization’s place in the cloud journey and how the disparate forms of data in the organization are collected, controlled, processed, stored, and protected.
Start with an assessment that includes:
Identification of security gaps
Identification of foundational gaps
Managed service provider onboarding plan
A Phase Two (Foundational/Remediation) proposal and Statement of Work
About 2nd Watch
2nd Watch is a trusted and proven partner, providing deep skills and advisory to leading organizations for over a decade. We earned a client Net Promoter Score of 85, a good way of telling you that our customers nearly always recommend us to others. We can help your organization with cloud native solutions. We offer skills in the following areas:
Developing cloud first strategies
Migration of workloads to the cloud
Implementing automation for governance and security guardrails
Implementing compliance controls and processes
Pipelines for data, infrastructure and application deployment
Cloud adoption throughout all industries has become incredibly pervasive in recent years. With cloud management as a relatively newer concept, business organizations may struggle to understand each aspect that is required to effectively run a cloud environment. One aspect that should be involved at every layer of the cloud is security, yet many organizations fail to implement a strong security system in their cloud until an attack happens and it is too late.
A cloud environment and the controls necessary to orchestrate a robust security and governance platform is not the same as your traditional on-premises environment.
The State of Cloud Security Today
As beneficial as the public cloud is for companies globally today, lack of security in the cloud can be a major issue. A report from Sophos indicated that iMost of these attacks are simply from misconfigurations of these organizations’ cloud security. Thus, the attacks can be prevented if configured and managed properly. Orca Security’s 2020 State of Public Cloud Security Report revealed that 80.7% of organizations have at least one neglected, internet-facing workload – meaning the OS is unsupported or unpatched. Attackers can use one small vulnerability as leverage to move across an organization, which is how most data breaches occur.
Managed cloud security services help lay a strong foundation for security in the cloud that is automated and continuous with 24/7 management. With constant management, threats and attacks are detected before they occur, and your business avoids the repercussions that come with security misconfigurations.
What are managed cloud security services?
Managed cloud security services provide security configurations, automation, 24/7 management, and reporting from an external cloud security provider. If an attack should occur, the result is downtime and the loss of money and data. Additionally, the lack of a well-rounded security system can lead to regulatory compliance challenges.
Monitoring and maintaining strong security requires continuous attention to be effective. Employing a managed security service gives businesses the protection they need while simultaneously providing IT departments with additional time to focus on other business concerns. Redirecting cybersecurity efforts to an external provider not only provides IT departments with flexibility, but also reduces costs compared to handling cybersecurity in house. Managing cybersecurity independently creates costs such as staffing, software licensing, hardware, implementation costs, and management costs. All the costs and management required for effective security can be overwhelming and managed security services takes the weight of maintaining the security of your data off your shoulders.
What are the benefits of using cloud security services?
Implementing strong cloud security may seem like an obvious choice for a business to make, but many businesses may not want to devote the time, resources, or money to building and maintaining a strong cybersecurity system. Investing your resources into cloud security is imperative for your business and pays off in the long run.
Five different benefits resulting from a strong cloud security system include:
Automation: Once your configurations have been set up, there is reduced reliance on human intervention. This minimizes time spent managing security while also reducing the risk for error.
Efficiency: Cloud services improve the security of your data and maintain regulatory compliance through timely patching and automated updates with less downtime.
Safety: Data is well-protected with cloud security due to 24/7 monitoring and real-time threat detection.
Proactive Defense: Threats are identified quickly and treated proactively in the cloud should an incident occur.
Cost-effective: The cloud requires a unique approach to security. While managed cloud security services can seem costly upfront, they prove to be worthwhile in the long run by utilizing expertise that may not be available in-house. Additionally, cloud security services will ensure the safety of your workloads and data, and prevent the costs associated with a data breach.
2nd Watch Managed Cloud Security
At 2nd Watch, we understand cloud security is important at every step of your cloud journey. 2nd Watch has a dedicated Managed Security Team that monitors your cloud environments 24/7/365, remediating vulnerabilities quickly. Rather than putting security on the backburner, we believe security is a pillar of business, and building it into the foundation of a company is important to meet evolving compliance needs in a cost-effective manner.
Companies just getting started in the cloud can rely on 2nd Watch to get security right for them the first time. Even for companies already established in the cloud, we can take an in-depth look at security and compliance maturity, existing capabilities, and growth trajectory to provide a prescriptive security roadmap. No matter where you are in your cloud journey, we ensure your security is well-integrated into your cloud environments.
At 2nd Watch we are with you from beginning to end, monitoring your security even after implementation. At a glance, our end-to-end services include:
Security Review: Ensures the proper safeguards are utilized for your multi-cloud environments with a single point of contact for your security needs. Our security assessment and remediation offering can reveal how your cloud security posture stacks up to industry standards such as CIS, GDPR, CCPA, HIPAA, NIST, PCI DSS, and SOC 2.
Environment Monitoring: 24/7/365 multi-cloud monitoring protects against the most recent vulnerabilities.
Threat Analysis: Managed Reliability Operations Center (ROC) proactively analyzes and remediates potential threats.
Issue Resolution: Identified issues are quickly resolved providing enterprise class and proactive defense.
Other solutions we provide include:
Security should be integrated into every layer of your public cloud infrastructure. We can help you achieve that through our comprehensive suite of security services and a team of experts that cares about your success in the cloud. To learn more about our managed cloud security services, visit our Cloud, Compliance, Security, & Business Continuity page or talk to someone directly through our Contact Us page.
The report, although disturbing, is not shocking by any measure. Although businesses continue to migrate to the cloud, many have failed to make it a core part of their business strategy. The reasons for this vary – poorly trained staff, inability to utilize cloud resources effectively, or the absence of a strategy that leverages the power of cloud.
For these reasons and many others, businesses incur unexpected costs, unproductive workflows, and cybersecurity risks to their data on the cloud. These organizations need a set of protocols for utilizing cloud resources efficiently, effectively, and securely. In short, they need a cloud governance framework that enables them to extract the benefits of the cloud.
Organizations can fully realize these benefits only when their cloud policies are designed to leverage them. Therefore, a well-designed cloud governance framework is critical to the success of cloud adoption. What is cloud governance and how does it lay the foundation for the success of your cloud adoption?
The security processes and controls you put in place must meet the compliance standards required for your industry. Whether it’s GDPR, CCPA, or any other state, federal, or industry specific regulation, there are at least three things you need to do to meet the minimum requirements. Of course, each regulation comes with its unique conditions, but these are the first steps to take when moving toward a more secure and compliant environment.
1. Data discovery and data mapping
Most of the compliance standards today surround the data an organization collects from consumers. The first step to understanding your data, for both compliance and to inform decision making, is to collect and analyze all of your data from the various sources it originates. In addition to data discovery, you need to have a process for data mapping as well. Data mapping matches the data fields of data from one database to another.
It’s important to have data flows so you know how your data gets to you, how it’s entered into various systems, what resources it hits, and where it finally ends up. Knowing, at every point, were your data lives is the key first step, regardless of which law you need to comply with.
A strict tagging strategy that is uniform and specific across departments aids in ongoing data mapping. Review your strategy regularly to make sure your teams are following it and it still works as expected with any advancements made in the data you’re collecting. You can also use the tools available through cloud providers to help with these governance tasks. Some recommended tools include Amazon Macie and AWS Config, as well as Azure Security Center.
2. Notification and purge mechanisms with identity validation and an audit trail
A person’s data belongs to them, regardless of which company holds it. In order to field data requests from consumers, you need to have some sort of notification mechanism that allows you to understand and deliver what the consumer wants. They may want to know what data you have and how it is being used. People may want to update inaccurate data or, depending on the regulations in your area, they may request that it be deleted.
In order to fulfil a consumer’s request to delete or update data, you need a purge mechanism. A purge mechanism clears data once such action has been approved. In order to complete any data request, you must first validate the identity of the requesting consumer.
While this step is necessary, there is not yet an industry gold standard on how best to verify data without threatening the personal information provided. Additionally, data requests need to be checked against any compliance exceptions that may complicate your ability to do what the consumer wants. You may need the data because the person is still using your services, or, depending on the compliance standards you adhere to, you may be required to maintain certain pieces of data for a set period of time.
Meeting consumer requests for data management can be tricky depending on the compliance standards in your location and industry. A proper audit trail that proves your best attempt at compliance is critical, should a lawsuit or formal complaint ever come your way. Hopefully all of these processes will be automated through machine learning one day, but for now, notification and purge mechanisms, identity validation, and a comprehensive audit trail are the most important factors in proving compliance.
Data is the life blood of most organizations and it needs to be protected. Simply put, encrypt everything! Additionally, make sure your identity and access management (IAM) policies are up to date. The most common vulnerabilities are problems with an organization’s IAM. There might be an abundance of keys spread across the business or keys might not have been rotated regularly. Unauthorized employees might have admin credentials, or there’s no incident response policy in place.
If your data is breached, either by cyber attack or human error, you need a process to get servers back up and running again as soon as possible. You also need to preserve the evidence of the attack, or accidental deletion, in order to prevent a recurrence. Don’t assume your data is safe, instead, be ready to quickly recover from data loss.
While these three necessities are required for most compliance standards, there are certainly more you need to be following. Let 2nd Watch provide a prescriptive security roadmap to ensure compliance no matter where your business is going. You can also take advantage of our four-phased security assessment that runs an automatic skim of your environment to identify vulnerabilities. Contact Us to make sure the next step you take in your cloud journey is a compliant one.
Cloud compliance, cloud security…NOT the same thing. Victoria Geronimo, Security & Compliance Product Manager at 2nd Watch who also happens to have an internet law and internet policy background, joins us today as we look at how security, compliance, and state regulations affect architecting your cloud environment and the farther-reaching effects they have on business. We’d love to hear from you! Email us at CloudCrunch@2ndwatch.com with comments, questions and ideas. Listen now on Spotify, iTunes, iHeart Radio, Stitcher, or wherever you get your podcasts.
In the world of IT, disasters come in all shapes and sizes from infrastructure and application outages, to human error, data corruption, ransomware, malicious attacks, and other unplanned events. Other than perhaps a hurricane or blizzard, we often don’t have visibility into when a disaster will occur. After the immediate impact of the disaster subsides, the focus rapidly shifts to the recovery.
At the core of the disaster recovery is a focus on how quickly applications and data can be restored to resume servicing your customers. Downtime means a loss of productivity, revenue, or even profit from credits being paid out to your customers for failure to maintain service.
But disaster recovery goes well beyond the post-crisis events, and its success hinges on the preparation done well in advance of any disaster occurring. Now, a disaster recovery strategy should not be confused with a business continuity plan. A business continuity plan is far greater in scope, covering not only recovering your IT systems, data, and applications to service customers again, but how to continue running your business even beyond IT system disruptions. For example, a business continuity plan will outline what steps to take when the physical building becomes unavailable and your employees can’t come into the office; how to handle supply chain disruptions, etc.
When discussing disaster recovery strategies, often times back-up and disaster recovery are used synonymously. Back-up should factor into your business continuity planning, and in some cases a back-up may be sufficient in restoring your systems and meeting compliance requirements. However, back-ups are a point-in-time solution and can take significant time to restore your systems, delaying your recovery time. Compounding this dilemma, back-ups are only as up to date as the last snapshot taken, which, for many, could mean losing a complete day’s worth of sales. A solid disaster recovery strategy should not only focus on recovering your systems but do it in a manner that exceeds the business requirements and minimizes the disruption your customers.
Traditional disaster recovery solutions have really required significant investment from both a financial perspective and a human resource perspective. It’s not unusual for enterprises to be required to purchase fully redundant hardware and duplicative software licenses, locate that hardware in geographically disbursed colo facilities, set-up connectivity and replication between the two sites, and have IT admins maintain the second site, which is commonly under-utilized.
Cloud based disaster recovery has solved many of these problems and can do it for a fraction of the price. To help bring this solution to our customers, 2nd Watch has partnered with CloudEndure, an AWS Company, to help enterprises accelerate their adoption of Cloud Disaster Recovery.
The CloudEndure Disaster Recovery solution replicates everything in real time, meaning everything is always up to date, down to the second, allowing you to achieve your Recovery Point Objectives (RPOs). CloudEndure provisions a very low-cost staging area in AWS, eliminating the need for duplicate resource provisioning. Should a disaster occur, automated orchestration combined with machine conversion enables you to achieve a Recovery Time Objectives (RTOs) of minutes and only pay for the cloud instances when actually needed.
Our Cloud Disaster Recovery service provides you a disaster recovery proof of concept for 100 machines in less than 30 days, while allowing you to continue to leverage your entire existing infrastructure. We apply our proven methodology to ensure your organization is getting optimal value from your existing infrastructure while allowing fast, easy, and cost-effective recovery in the AWS cloud.