Cloud Automation for I.T. Governance, Risk, and Compliance (GRC) in Healthcare

It has been said that the “hero of a successful digital transformation is GRC.” The ISACA website states, “to successfully manage the risk in digital transformation you need a modern approach to governance, risk and regulatory compliance.” For GRC program development, it is important to understand the health information technology resources and tools available to enable long term success.

What is GRC and why is it important?

According to the HIPAA Journal, the average cost of a healthcare data breach is now $9.42 million. In the first half of 2021, 351 significant data breaches were reported, affecting nearly 28 million individuals. The need for effective information security and controls has never been more acute among healthcare providers, insurers, biotechnology and health research companies. Protecting sensitive data and establishing a firm security posture is essential. Improving health care and reducing cost relies on structured approaches and thoughtful implementation of available technologies to help govern data and mitigate risk across the enterprise.

Effective and efficient management of governance, risk, and compliance, or GRC, is fast becoming a business priority across industries. Leaders at hospitals and health systems of all sizes are looking for ways to build operating strategies that harmonize and enhance efforts for GRC. Essential to that mission are effective data governance, risk management, regulatory compliance, business continuity management, project governance, and security. But rather than stand-alone or siloed security or compliance efforts, a cohesive program coupled with GRC solutions allows organizational leaders to address the multitude of challenges more effectively and efficiently.

What are the goals for I.T. GRC?

For GRC efforts, leaders are looking to:

  • Safeguard Protected Healthcare Data
  • Meet and Maintain Compliance to Evolving Regulatory Mandates and Standards
  • Identify, Mitigate and Prevent Risk
  • Reduce operational friction
  • Build in and utilize best practices

Managing governance, risk, and compliance in healthcare enterprises is a daunting task. GRC implementation for healthcare risk managers can be difficult, especially during this time of rapid digital and cloud transformation. But relying on internal legacy methods and tools leads to the same issues that have been seen on-premises, stifling innovation and improvement. As organizations adapt to cloud environments as a key element of digital transformation and integrated health care, leaders are realizing that now is the time to leverage the technology to implement GRC frameworks that accelerate their progress toward positive outcomes. What’s needed is expertise and a clear roadmap to success.

Cloud Automation of GRC

The road to success starts with a framework, aligned to business objectives, that provides cloud automation of Governance, Risk, and Compliance. Breaking this into three distinct phases, ideally this would involve:

  1. Building a Solid Foundation – within the cloud environment, ensuring infrastructure and applications are secured before they are deployed.
  • Image/Operating System hardening automation pipelines.
  • Infrastructure Deployment Automation Pipelines including Policy as Code to meet governance requirements.
  • CI/CD Pipelines including Code Quality and Code Security.
  • Disaster Recovery as a Service (DRaaS) meeting the organization’s Business Continuity Planning requirements.
  • Configuration Management to allow automatic remediation of your applications and operating systems.
  • Cost Management strategies with showback and chargeback implementation.
  • Automatic deployment and enforcement of standard security tools including FIM, IDS/IPS, AV and Malware tooling.
  • IAM integration for authorization and authentication with platforms such as Active Directory, Okta, and PingFederate, allowing for more granular control over users and elevated privileges in the clouds.
  • Reference Architectures, pre-approved with security baked in, that cover the majority of the organization’s needs and are used by the infrastructure pipelines.
  • Self-service CMDB integration with tools such as ServiceNow, Remedy and Jira Service Desk, allowing business units to provision their own infrastructure within the proper governance guardrails.
  • Resilient Architecture designs
  2. Proper Configuration and Maintenance – Infrastructure misconfiguration is the leading cause of data breaches in the cloud, and a big reason misconfiguration happens is infrastructure configuration “drift,” or change that occurs in a cloud environment post-provisioning. Using automation to monitor and self-remediate the environment ensures the cloud environment stays in the proper configuration, eliminating the largest cause of incidents. Since workloads will live most of their life in this phase, it is important to ensure there isn’t any drift from the original secure deployment. An effective program will need:
  • Cloud Integrity Monitoring using cloud native tooling.
  • Log Management and Monitoring with centralized logging, critical in a well-designed environment.
  • Application Monitoring
  • Infrastructure Monitoring
  • Managed Services including patching to resolve issues.
  • SLAs to address incidents and quickly get them resolved.
  • Cost Management to ensure that budgets are met and there are no runaway costs.
  • Perimeter security utilizing cloud native and 3rd party security appliance and services.
  • Data Classification
  3. Use of Industry Leading Tools – for risk assessment, reporting, verification and remediation. Thwart future problems and provide evidence to stakeholders that the cloud environment is rock solid. Tools and verification components would include:
  • Compliance reporting
  • Risk Registry integration into tools
  • Future attestations (BAAs)
  • Audit evidence generation
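As an added example (not 2nd Watch code and not tied to any particular cloud provider), here is a Python sketch of the phase-two drift check and the phase-three evidence output described above: it compares a deployed resource’s live settings against the secure baseline it was provisioned from, puts back the settings the automation is allowed to fix on its own, and leaves everything else, plus a report, for human review. The baseline, the “live” state and the list of auto-remediable settings are all constructed; a real implementation would read live state from the provider’s configuration API and write the report to the audit evidence store.

```python
"""Configuration drift detection with self-remediation and audit evidence.

Added example, not 2nd Watch code. BASELINE, LIVE and AUTO_REMEDIABLE are
constructed stand-ins for the deployment record, the provider's live state
and the organization's remediation policy.
"""
import copy
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Constructed secure baseline: the state each resource had when the
# infrastructure pipeline deployed it.
BASELINE = {
    "storage/phi-bucket": {
        "public_access_block": True,
        "encryption": "aws:kms",
        "versioning": True,
        "logging": True,
    },
    "sg/app-tier": {
        "ingress_0.0.0.0/0_22": False,
        "ingress_0.0.0.0/0_443": True,
    },
}

# Settings the automation may restore on its own. Anything else (network
# exposure, deleted or unmanaged resources) is reported for human review
# rather than changed silently.
AUTO_REMEDIABLE = {"public_access_block", "encryption", "versioning", "logging"}

# Constructed "live" state as read back after months of operation.
LIVE = {
    "storage/phi-bucket": {
        "public_access_block": False,   # bucket was opened up post-provisioning
        "encryption": "aws:kms",
        "versioning": True,
        "logging": False,               # access logging was switched off
    },
    "sg/app-tier": {
        "ingress_0.0.0.0/0_22": True,   # SSH exposed to the internet
        "ingress_0.0.0.0/0_443": True,
    },
}


@dataclass
class DriftFinding:
    resource: str
    setting: str
    expected: object
    actual: object
    remediated: bool = False


def detect_drift(baseline, live):
    """Return one finding per setting (or resource) that differs from baseline."""
    findings = []
    for resource, expected_cfg in baseline.items():
        actual_cfg = live.get(resource)
        if actual_cfg is None:
            # Deleted out of band: cannot be auto-fixed, flag for review.
            findings.append(DriftFinding(resource, "*", "present", "missing"))
            continue
        for setting, expected in expected_cfg.items():
            actual = actual_cfg.get(setting)
            if actual != expected:
                findings.append(DriftFinding(resource, setting, expected, actual))
    for resource in sorted(live.keys() - baseline.keys()):
        # Present in the account but never provisioned through the pipeline.
        findings.append(DriftFinding(resource, "*", "absent", "unmanaged"))
    return findings


def remediate(live, findings):
    """Restore baseline values for auto-remediable settings; mark what was fixed."""
    fixed = copy.deepcopy(live)
    for f in findings:
        if f.setting in AUTO_REMEDIABLE and f.resource in fixed:
            fixed[f.resource][f.setting] = f.expected
            f.remediated = True
    return fixed


def evidence_report(findings):
    """Summary suitable for compliance reporting and audit evidence."""
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "total_findings": len(findings),
        "auto_remediated": sum(1 for f in findings if f.remediated),
        "needs_review": [asdict(f) for f in findings if not f.remediated],
    }


def run(baseline=BASELINE, live=LIVE):
    findings = detect_drift(baseline, live)
    fixed = remediate(live, findings)
    return findings, fixed, evidence_report(findings)


if __name__ == "__main__":
    _, _, report = run()
    print(json.dumps(report, indent=2, default=str))
```

On the constructed input the run finds three drifted settings, restores the bucket’s public-access block and logging automatically, and leaves the open SSH rule in `needs_review`, since a network change is the kind of thing a human should approve before the automation reverts it.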

Where do you go from here?

Your organization needs to innovate faster and drive value with the confidence of remaining in compliance. You need to get to a proactive state instead of being reactive. Consider an assessment to help you evaluate your organization’s place in the cloud journey and how the disparate forms of data in the organization are collected, controlled, processed, stored, and protected.

Start with an assessment that includes:

  • Identification of security gaps
  • Identification of foundational gaps
  • Remediation plans
  • Managed service provider onboarding plan
  • A Phase Two (Foundational/Remediation) proposal and Statement of Work

About 2nd Watch

2nd Watch is a trusted and proven partner, providing deep skills and advisory to leading organizations for over a decade. We earned a client Net Promoter Score of 85, a good way of telling you that our customers nearly always recommend us to others. We can help your organization with cloud native solutions. We offer skills in the following areas:

  • Developing cloud first strategies
  • Migration of workloads to the cloud
  • Implementing automation for governance and security guardrails
  • Implementing compliance controls and processes
  • Pipelines for data, infrastructure and application deployment
  • Subject matter expertise for FHIR implementations
  • Managed cloud services

Schedule time with an expert now, contact us.

-Tom James, Sr. Marketing Manager, Healthcare


Managed Cloud Security Services and Why you Should Invest in Them

Cloud adoption throughout all industries has become incredibly pervasive in recent years. With cloud management as a relatively newer concept, business organizations may struggle to understand each aspect that is required to effectively run a cloud environment. One aspect that should be involved at every layer of the cloud is security, yet many organizations fail to implement a strong security system in their cloud until an attack happens and it is too late.

A cloud environment and the controls necessary to orchestrate a robust security and governance platform are not the same as your traditional on-premises environment.

The State of Cloud Security Today

As beneficial as the public cloud is for companies globally today, lack of security in the cloud can be a major issue. A report from Sophos indicated that most of these attacks are simply the result of misconfigured cloud security. Thus, the attacks can be prevented if cloud environments are configured and managed properly. Orca Security’s 2020 State of Public Cloud Security Report revealed that 80.7% of organizations have at least one neglected, internet-facing workload – meaning the OS is unsupported or unpatched. Attackers can use one small vulnerability as leverage to move across an organization, which is how most data breaches occur.

Managed cloud security services help lay a strong foundation for security in the cloud that is automated and continuous with 24/7 management. With constant management, threats and attacks are detected before they occur, and your business avoids the repercussions that come with security misconfigurations.

What are managed cloud security services?

Managed cloud security services provide security configurations, automation, 24/7 management, and reporting from an external cloud security provider. If an attack should occur, the result is downtime and the loss of money and data. Additionally, the lack of a well-rounded security system can lead to regulatory compliance challenges.

Monitoring and maintaining strong security requires continuous attention to be effective. Employing a managed security service gives businesses the protection they need while simultaneously providing IT departments with additional time to focus on other business concerns. Redirecting cybersecurity efforts to an external provider not only provides IT departments with flexibility, but also reduces costs compared to handling cybersecurity in house. Managing cybersecurity independently creates costs such as staffing, software licensing, hardware, implementation costs, and management costs. All the costs and management required for effective security can be overwhelming, and managed security services take the weight of maintaining the security of your data off your shoulders.

What are the benefits of using cloud security services?

Implementing strong cloud security may seem like an obvious choice for a business to make, but many businesses may not want to devote the time, resources, or money to building and maintaining a strong cybersecurity system. Investing your resources into cloud security is imperative for your business and pays off in the long run.

Five different benefits resulting from a strong cloud security system include:

  • Automation: Once your configurations have been set up, there is reduced reliance on human intervention. This minimizes time spent managing security while also reducing the risk for error.
  • Efficiency: Cloud services improve the security of your data and maintain regulatory compliance through timely patching and automated updates with less downtime.
  • Safety: Data is well-protected with cloud security due to 24/7 monitoring and real-time threat detection.
  • Proactive Defense: Threats are identified quickly and treated proactively in the cloud should an incident occur.
  • Cost-effective: The cloud requires a unique approach to security. While managed cloud security services can seem costly upfront, they prove to be worthwhile in the long run by utilizing expertise that may not be available in-house. Additionally, cloud security services will ensure the safety of your workloads and data, and prevent the costs associated with a data breach.

2nd Watch Managed Cloud Security

At 2nd Watch, we understand cloud security is important at every step of your cloud journey. 2nd Watch has a dedicated Managed Security Team that monitors your cloud environments 24/7/365, remediating vulnerabilities quickly. Rather than putting security on the back burner, we believe security is a pillar of business, and building it into the foundation of a company is important to meet evolving compliance needs in a cost-effective manner.

Companies just getting started in the cloud can rely on 2nd Watch to get security right for them the first time. Even for companies already established in the cloud, we can take an in-depth look at security and compliance maturity, existing capabilities, and growth trajectory to provide a prescriptive security roadmap. No matter where you are in your cloud journey, we ensure your security is well-integrated into your cloud environments.

At 2nd Watch we are with you from beginning to end, monitoring your security even after implementation. At a glance, our end-to-end services include:

  • Security Review: Ensures the proper safeguards are utilized for your multi-cloud environments with a single point of contact for your security needs. Our security assessment and remediation offering can reveal how your cloud security posture stacks up to industry standards such as CIS, GDPR, CCPA, HIPAA, NIST, PCI DSS, and SOC 2.
  • Environment Monitoring: 24/7/365 multi-cloud monitoring protects against the most recent vulnerabilities.
  • Threat Analysis: Managed Reliability Operations Center (ROC) proactively analyzes and remediates potential threats.
  • Issue Resolution: Identified issues are quickly resolved providing enterprise class and proactive defense.

Security should be integrated into every layer of your public cloud infrastructure. We can help you achieve that through our comprehensive suite of security services and a team of experts that cares about your success in the cloud. To learn more about our managed cloud security services, visit our Cloud, Compliance, Security, & Business Continuity page or talk to someone directly through our Contact Us page.

-Tessa Foley, Marketing


Why Media Companies Should Adopt the Cloud

The Advantages of Cloud Computing for Media & Entertainment

We are living in a revolutionary era of digital content and media consumption. As such, media companies are reckoning with the new challenges that come with new times. One of the biggest changes in the industry is consumer demand and behavior. To adapt, M&E brands need to digitally transform their production, distribution, and monetization processes. Cloud solutions are a crucial tool for this evolution, and M&E organizations should prioritize cloud strategy as a core pillar of their business models to address industry-wide shifts and stay relevant in today’s ultra-competitive landscape.

The Challenge: Addressing Greater Audience Expectations and Volatility

Viewing behavior and media distribution has greatly impacted the M&E industry. Entertainment content consumption is at an all-time high, and audiences are finding new and more ways to watch media. Today, linear television is considered old-school, and consumers are favoring platforms that give them the power of choice and freedom. Why would you tune in to your cable television at a specific time to watch your favorite show when you can watch that same show anytime, anywhere, on any device or platform?

With new non-linear television services, media companies have less control over their audiences’ viewing experience. Before, viewers were constrained by broadcasting schedules and immobile, unconnected TVs. Now, audiences have taken viewership into their own hands, and M&E brands must discover ways to retain their viewers’ attention and loyalty in the era of endless options of content creators and streaming platforms.

The Cloud Has the Flexibility and Scalability to Handle Complex Workflows

OTT streaming services are the most popular alternative to linear television broadcasting. It is a solution that meets the audience’s expectation of access to content of their choosing whenever and wherever they want. However, OTT platforms require formatting multiple video files to be delivered to any device with varying connection speeds. As such, OTT streaming services need advanced video streaming workflows that encode and transcode, protect content, and possess storage capacities that continuously grow.

Because OTT broadcasting has complicated workflows and intense infrastructure needs, M&E companies need to consider scalability. OTT streaming that utilizes on-premises data centers will stymie growth for media organizations because legacy applications and software are resource and labor intensive. When OTT services are set up with on-premises streaming, it requires a group of configured live encoding and streaming services to deliver content to audiences.

The in-house services then need to have the computing capacity and capabilities in order to deliver content without interruptions. On top of that, technical staff are necessary to maintain the proprietary hardware, ensure its security, and continuously upgrade it as audiences grow. If companies opt for on-premises OTT streaming, they will not be able to achieve the scalability and quality of experience that they need to keep up with audience expectations.

A cloud-based infrastructure solves all of these issues. To reiterate, on-premises OTT platforms are very resource-intensive with complex ongoing maintenance and high upfront costs. Using cloud services for OTT streaming addresses the downfalls of on-premises streaming by leveraging a network for services dedicated to delivering video files. The benefits of cloud computing for OTT workflows immensely impact streaming latency and distribution, leading to a better end user experience. Cloud infrastructures have the following advantages to on-premises infrastructure:

  • Geography: Unlike in-house data centers, cloud servers can be located around the world, and content can be delivered to audiences via the closest data center, thereby reducing streaming latency.
  • Encoding and transcoding: Cloud services have the ability and capacity to host rendered files and ensure they are ready for quick delivery.
  • Flexible scalability: Providers can easily scale services up or down based on audience demands by simply adding more cloud resources, rather than having to purchase more infrastructure.
  • Cost optimization: Cloud cost is based on only the resources a business uses, with none of the maintenance and upkeep costs, and the price adjusts up or down depending on how much is consumed. On-premises costs include server hardware, power consumption, and space. Furthermore, on-premises capacity cannot flex with actual consumption.

The Cloud Can Help You Better Understand Your Audiences to Increase Revenue

Another buzzword we hear often these days is “big data.” As audiences grow and demonstrate complex behaviors, it’s important to capture those insights to better understand what will increase engagement and loyalty. Cloud computing is able to ingest and manage big data in a way that is actionable: it is one thing to collect data, but it is another thing to process and do something with it. For M&E organizations, utilizing this data helps improve user experiences, optimize supply chains, and monetize content better.

Big data involves manipulating petabytes of data, and the scalable nature of a cloud environment makes it possible to deploy data-intensive applications that power business analytics. The cloud also simplifies connectivity and collaboration within an organization, which gives teams access to relevant and real time analytics and streamlines data sharing. Furthermore, most public cloud providers offer machine learning tools, which makes processing big data even more efficient.

From a data standpoint, a cloud platform is an advantageous option for those who are handling big data and want to make data-driven decisions. The compelling benefits of cloud computing for data are as follows:

  • Faster scalability: Large volumes of both structured and unstructured data require increased processing power, storage, and more. The cloud provides not only readily available infrastructure, but also the ability to scale this infrastructure very rapidly to manage large spikes in traffic or usage.
  • Better analytic tools: The cloud offers a number of instant, on-demand analytic tools that enable extract, transform, and load (ETL) of massive datasets to provide meaningful insights quickly.
  • Lower cost of analytics: Mining big data in the cloud has made the analytics process less costly. In addition to the reduction of on-premises infrastructure, companies are reducing costs related to system maintenance and upgrades, energy consumption, facility management, and more when switching to a cloud infrastructure. Moreover, the cloud’s pay-as-you-go model is more cost-efficient, with little waste of resources.
  • Better resiliency: In cases of cyber-attacks, power outages or equipment failure, traditional data recovery strategies are slow, complex, and risky. The task of replicating a data center (with duplicate storage, servers, networking equipment, and other infrastructure) in preparation for a disaster is tedious, difficult, and expensive. On top of that, legacy systems often take very long to back up and restore, and this is especially true in the era of big data and large digital content libraries, when data stores are so immense and expansive. Having the data stored in cloud infrastructure will allow your organization to recover from disasters faster, thus ensuring continued access to information and vital big data insights.

The Cloud is Secure

There is a misconception that the public cloud is less secure than traditional data centers. Of course, the underlying concerns are valid: media companies must protect sensitive data, such as customers’ personally identifiable information. As a result, security and compliance are crucial for an M&E business’s migration to the cloud.

We have read about cloud security breaches in news headlines. In most cases, these articles fail to accurately point out where the problem occurred. Usually, these breaches occur not because of the security of the cloud platform itself, but because of how the customer’s own security and control policies and technologies were configured. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data. The question for M&E businesses should not be “Is the cloud secure?” but rather “Am I using the cloud securely?”

Whether M&E organizations use a public cloud, private cloud, or hybrid cloud, they can be confident in the security of their data and content. Here is how the cloud is as secure, if not more secure, than in-house data centers:

  • Cloud architecture is homogenous: In building their data centers, cloud providers used the same blueprint and built-in security capabilities throughout their fabrics. The net effect is a reduced attack footprint and fewer holes to exploit since the application of security is ubiquitous.
  • Public cloud providers invest heavily in security measures: The protection of both the infrastructure and the cloud services is priority one and receives commensurate investment. Public cloud providers collectively invest billions in security research, innovation, and protection.
  • Patching and security management is consistent: Enterprises experience security breaches most often because of errors in configuration and unpatched vulnerabilities. Public cloud providers are responsible for the security of the cloud, which includes patching of infrastructure and managed services.

-Anthony Torabi, Strategic Account Executive, Media & Entertainment


Cloud Crunch Podcast: You’re on the Cloud. Now What? 5 Strategies to Maximize Your Cloud’s Value

You migrated your applications to the cloud for a reason. Now that you’re there, what’s next? How do you take advantage of your applications and data that reside in the cloud? What should you be thinking about in terms of security and compliance? In this first episode of a 5-part series, we discuss 5 strategies you should consider to maximize the value of being on the cloud. Listen now on Spotify, iTunes, iHeart Radio, Stitcher, or wherever you get your podcasts.

We’d love to hear from you! Email us at CloudCrunch@2ndwatch.com with comments, questions and ideas.


You’re on AWS. Now What? 5 Strategies to Increase Your Cloud’s Value

Now that you’ve migrated your applications to AWS, how can you take the value of being on the cloud to the next level? To provide guidance on next steps, here are 5 things you should consider to amplify the value of being on AWS.


3 Security and Compliance Must-Haves to Meet Any Regulation

The security processes and controls you put in place must meet the compliance standards required for your industry. Whether it’s GDPR, CCPA, or any other state, federal, or industry specific regulation, there are at least three things you need to do to meet the minimum requirements. Of course, each regulation comes with its unique conditions, but these are the first steps to take when moving toward a more secure and compliant environment.

1. Data discovery and data mapping

Most of the compliance standards today surround the data an organization collects from consumers. The first step to understanding your data, both for compliance and to inform decision making, is to collect and analyze all of your data from the various sources from which it originates. In addition to data discovery, you need to have a process for data mapping as well. Data mapping matches the data fields of data from one database to another.

It’s important to have data flows so you know how your data gets to you, how it’s entered into various systems, what resources it hits, and where it finally ends up. Knowing, at every point, where your data lives is the key first step, regardless of which law you need to comply with.

A strict tagging strategy that is uniform and specific across departments aids in ongoing data mapping. Review your strategy regularly to make sure your teams are following it and it still works as expected with any advancements made in the data you’re collecting. You can also use the tools available through cloud providers to help with these governance tasks. Some recommended tools include Amazon Macie and AWS Config, as well as Azure Security Center.

2. Notification and purge mechanisms with identity validation and an audit trail

A person’s data belongs to them, regardless of which company holds it. In order to field data requests from consumers, you need to have some sort of notification mechanism that allows you to understand and deliver what the consumer wants. They may want to know what data you have and how it is being used. People may want to update inaccurate data or, depending on the regulations in your area, they may request that it be deleted.

In order to fulfil a consumer’s request to delete or update data, you need a purge mechanism. A purge mechanism clears data once such action has been approved. In order to complete any data request, you must first validate the identity of the requesting consumer.

While this step is necessary, there is not yet an industry gold standard on how best to verify a requester’s identity without putting the personal information they provide at risk. Additionally, data requests need to be checked against any compliance exceptions that may complicate your ability to do what the consumer wants. You may need the data because the person is still using your services, or, depending on the compliance standards you adhere to, you may be required to maintain certain pieces of data for a set period of time.

Meeting consumer requests for data management can be tricky depending on the compliance standards in your location and industry. A proper audit trail that proves your best attempt at compliance is critical, should a lawsuit or formal complaint ever come your way. Hopefully all of these processes will be automated through machine learning one day, but for now, notification and purge mechanisms, identity validation, and a comprehensive audit trail are the most important factors in proving compliance.
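To make the three pieces of this step concrete, here is an added Python example (not 2nd Watch code) of a deletion-request handler: it validates the requester’s identity with a single-use, expiring challenge token, checks each record against compliance exceptions (a retention period for a record category, and subjects still using the service) before purging, and writes every outcome to a hash-chained audit trail that would show if an entry were later altered. The record store, the retention periods, the active-subject list and the fixed clock are constructed stand-ins for an organization’s real systems and rules.

```python
"""Data-subject deletion request handling (added example, not 2nd Watch code).

Identity validation before any action, a purge that honours compliance
exceptions, and a tamper-evident audit trail. The store, the token flow,
RETENTION_PERIODS and ACTIVE_SUBJECTS are constructed stand-ins.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# Constructed compliance exceptions: record categories a regulation may
# require you to keep for a period, and subjects still using the service.
RETENTION_PERIODS = {"billing": timedelta(days=7 * 365)}
ACTIVE_SUBJECTS = {"u-1001"}

NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)   # fixed clock for the demo


class IdentityVerifier:
    """Single-use, expiring challenge tokens delivered out of band."""

    def __init__(self, ttl=timedelta(minutes=15)):
        self.ttl = ttl
        self._pending = {}   # subject_id -> (token, expires_at)

    def issue_challenge(self, subject_id, now):
        token = secrets.token_urlsafe(16)
        self._pending[subject_id] = (token, now + self.ttl)
        return token   # in production: sent to the contact on file, not to the caller

    def verify(self, subject_id, presented, now):
        entry = self._pending.pop(subject_id, None)   # pop: a token works once
        if entry is None:
            return False
        token, expires_at = entry
        return now <= expires_at and hmac.compare_digest(token, presented)


class AuditTrail:
    """Append-only log in which each entry commits to the previous one."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        body = json.dumps(event, sort_keys=True, default=str)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def record(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "event": event, "hash": self._digest(prev, event)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def retention_exception(record, now):
    """Reason a record must be kept, or None when it may be purged."""
    keep_for = RETENTION_PERIODS.get(record["category"])
    if keep_for is not None and now - record["created"] < keep_for:
        return f"retention:{record['category']}"
    return None


def handle_deletion_request(store, audit, verifier, subject_id, token, now):
    event = {"at": now, "subject": subject_id, "action": "delete"}
    if not verifier.verify(subject_id, token, now):
        audit.record({**event, "result": "identity_unverified"})
        return {"status": "denied", "purged": [], "retained": []}
    if subject_id in ACTIVE_SUBJECTS:
        audit.record({**event, "result": "deferred_active_subject"})
        return {"status": "deferred", "purged": [], "retained": []}
    purged, retained = [], []
    for rec in store.get(subject_id, []):
        reason = retention_exception(rec, now)
        if reason:
            retained.append({"id": rec["id"], "reason": reason})
        else:
            purged.append(rec["id"])
    keep = {r["id"] for r in retained}
    store[subject_id] = [r for r in store.get(subject_id, []) if r["id"] in keep]
    audit.record({**event, "result": "completed", "purged": purged, "retained": retained})
    return {"status": "completed", "purged": purged, "retained": retained}


def sample_store(now):
    """Constructed records for one subject: a profile row and two billing rows."""
    return {"u-2002": [
        {"id": "r1", "category": "profile", "created": now - timedelta(days=400)},
        {"id": "r2", "category": "billing", "created": now - timedelta(days=200)},
        {"id": "r3", "category": "billing", "created": now - timedelta(days=8 * 365)},
    ]}


if __name__ == "__main__":
    store, audit, verifier = sample_store(NOW), AuditTrail(), IdentityVerifier()
    token = verifier.issue_challenge("u-2002", NOW)
    print(handle_deletion_request(store, audit, verifier, "u-2002", token, NOW))
    print("audit trail intact:", audit.verify())
```

With the constructed store, the profile row and the eight-year-old billing row are purged while the 200-day-old billing row is retained under the seven-year rule, and the audit entry records both lists with the reason for each retention, which is the evidence you would produce if the request were later disputed.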

3. Encryption

Data is the lifeblood of most organizations and it needs to be protected. Simply put, encrypt everything! Additionally, make sure your identity and access management (IAM) policies are up to date. The most common vulnerabilities are problems with an organization’s IAM. There might be an abundance of keys spread across the business, or keys might not have been rotated regularly. Unauthorized employees might have admin credentials, or there’s no incident response policy in place.
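The IAM problems listed above are the kind of thing a scheduled audit script can surface before an auditor or an attacker does. The Python below is an added example (not 2nd Watch code): it walks a snapshot of IAM users and flags access keys past the rotation limit, keys that have gone unused, users holding two live keys at once (usually an old key never revoked after rotation), and admin policies attached to users outside the admin group. The user snapshot is constructed, and the thresholds, the `AdministratorAccess` policy name and the `cloud-admins` group are assumptions to be replaced with the organization’s own standard.

```python
"""IAM hygiene audit: key rotation, idle keys, duplicate keys, stray admin rights.

Added example, not 2nd Watch code. USERS is a constructed snapshot; a real run
would build the same structure from an inventory export of the identity
provider or cloud IAM service. Thresholds and names are assumptions.
"""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)            # assumed rotation standard
MAX_KEY_IDLE = timedelta(days=30)           # keys unused this long should be disabled
ADMIN_POLICIES = {"AdministratorAccess"}    # assumed name of the admin policy
ADMIN_GROUP = "cloud-admins"                # assumed group permitted to hold it

NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)   # fixed clock for the demo


def days_ago(n, now=NOW):
    return now - timedelta(days=n)


# Constructed snapshot. "last_used" is None for a key that has never been used.
USERS = [
    {"name": "alice", "groups": ["cloud-admins"], "policies": ["AdministratorAccess"],
     "keys": [{"id": "K1", "active": True, "created": days_ago(20), "last_used": days_ago(1)}]},
    {"name": "bob", "groups": ["developers"], "policies": ["AdministratorAccess"],
     "keys": [{"id": "K2", "active": True, "created": days_ago(200), "last_used": days_ago(2)},
              {"id": "K3", "active": True, "created": days_ago(10), "last_used": None}]},
    {"name": "svc-etl", "groups": ["pipelines"], "policies": ["ReadOnlyAccess"],
     "keys": [{"id": "K4", "active": True, "created": days_ago(60), "last_used": days_ago(45)}]},
]


def audit_user(user, now=NOW):
    """Return (user, finding, detail) tuples for each violation of the standard."""
    findings = []
    admin_held = ADMIN_POLICIES & set(user["policies"])
    if admin_held and ADMIN_GROUP not in user["groups"]:
        findings.append((user["name"], "admin-outside-admin-group", ",".join(sorted(admin_held))))
    active = [k for k in user["keys"] if k["active"]]
    if len(active) > 1:
        findings.append((user["name"], "multiple-active-keys", ",".join(k["id"] for k in active)))
    for key in active:
        if now - key["created"] > MAX_KEY_AGE:
            findings.append((user["name"], "key-not-rotated", key["id"]))
        # A never-used key counts as idle from its creation date.
        last_activity = key["last_used"] or key["created"]
        if now - last_activity > MAX_KEY_IDLE:
            findings.append((user["name"], "key-idle", key["id"]))
    return findings


def audit(users=USERS, now=NOW):
    return [f for u in users for f in audit_user(u, now)]


def summarize(findings):
    """Count findings per type, the figure a compliance report would carry."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for user, kind, detail in audit():
        print(f"{user:10} {kind:28} {detail}")
    print(summarize(audit()))
```

Against the constructed snapshot, `alice` is clean, `bob` accounts for three findings (admin rights outside the admin group, two live keys, and a 200-day-old key), and the `svc-etl` service account has a key nobody has used in 45 days, which is the first thing to disable and the second thing to ask why it still exists.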

If your data is breached, either by cyber attack or human error, you need a process to get servers back up and running again as soon as possible. You also need to preserve the evidence of the attack, or accidental deletion, in order to prevent a recurrence. Don’t assume your data is safe, instead, be ready to quickly recover from data loss.

While these three necessities are required for most compliance standards, there are certainly more you need to be following. Let 2nd Watch provide a prescriptive security roadmap to ensure compliance no matter where your business is going. You can also take advantage of our four-phased security assessment that runs an automated scan of your environment to identify vulnerabilities. Contact Us to make sure the next step you take in your cloud journey is a compliant one.

-Chris Garvey, EVP of Product


Cloud for New Users | The 4 Most Important Lessons Learned Over a Decade

Over the past ten years we’ve learned quite a bit about cloud migration and achieving success across various platforms. Over that time, a lot has changed, and ongoing innovations continue to provide new opportunities for the enterprise. Here, we’re recapping the four most important lessons we’ve learned for new cloud users.

1. Close the knowledge gap

With the rate of innovation in the cloud, the knowledge gap is wider than ever, but that innovation has reduced complexity in many ways. To maximize these innovations, businesses must incentivize employees to continue developing new skills.

Certifications and a desire to continue learning and earning credentials are the traits businesses want in their IT employees. Fostering a company culture that encourages experimentation, growth, and embracing new challenges creates an environment that helps employees develop to the next level.

At 2nd Watch, we create a ladder of success that challenges associates to move from intermediate to advanced capabilities. We foster employees’ natural inclinations and curiosities to build on their passions. Exposing people to new opportunities is a great way to invest in their aptitudes and backgrounds to evolve with the company. One way to do this is by setting up a Cloud Center of Excellence (CCOE), a multi-stakeholder group that includes subject matter experts from various areas of the business. With the multi-skilled group, the collective becomes the subject matter expert in cloud services and solutions. By setting up a CCOE, silos are eliminated and teams work together in an iterative fashion to promote the cloud as a transformative tool.

2. Assemble the right solutions

Cloud is not always cheaper. If you migrate to the cloud without mapping to the right solutions, you risk increasing cost. For example, if you come from a monolithic architectural environment, it can be tempting to try and recreate that architecture in the cloud.

But, unlike your traditional on-prem environment, many resources in the cloud do not require a persistent state. You have the freedom to allow jobs like big data and ETL (extract, transform and load) to run just once a day, rather than 24 hours a day. If you need it for an hour, spin it up for the hour, access your data in your cloud provider’s storage area, then turn it off to minimize usage and costs.

You can also perform simple tweaks to your architecture to improve performance. We recommend exploring containerization and serverless models to implement automation where possible. New cloud users should adapt to the new environment to allow for future use cases, provision resources for future states, and use assets based on scalability. Cloud allows you to map solutions to scale. Partners like 2nd Watch help create a roadmap based on forecasting from current usage.

3. Combine services based on desired outcomes

There is a plethora of cloud service options available, and the way you use them should be driven by the outcomes you want. Are you looking to upgrade? Lift and shift? Advance the business forward? Once you have a clear outcome defined, you can begin your cloud journey with that goal in mind and start planning how best to use each cloud service.

4. Take an active role in the shared responsibility model

In traditional IT environments, security falls solely on the company, but as a cloud user, the model is significantly different. Many cloud service providers utilize a shared security responsibility model where both the cloud provider and the user take ownership over different areas of security.

Cloud providers can often offer more physical security than a traditional datacenter environment ever could. As a customer you are not permitted to enter your cloud provider’s data centers, their exact locations are not disclosed to the public, and datacenter employees do not know which hardware holds which customer’s data.

Although your cloud provider handles much of the heavy lifting (the physical facilities, the hardware, and the virtualization and managed-service layers), security in the cloud remains yours: your data, identity and access management, network configuration, encryption settings, and patching of any operating systems you run. It is your responsibility to architect your applications correctly and to ensure data lands in the appropriate places, with access governed by properly scoped roles and permissions.

Are you ready to explore your options in the cloud? Contact 2nd Watch to learn more about migration, cloud enabled automation, and our multi-layered approach to security.

-Ian Willoughby, Chief Architect and Skip Barry, Executive Cloud Enablement Director


Cloud Crunch Podcast: Unraveling Cloud Security, Compliance and Regulations

Cloud compliance, cloud security…NOT the same thing. Victoria Geronimo, Security & Compliance Product Manager at 2nd Watch who also happens to have an internet law and internet policy background, joins us today as we look at how security, compliance, and state regulations affect architecting your cloud environment and the farther-reaching effects they have on business. We’d love to hear from you! Email us at CloudCrunch@2ndwatch.com with comments, questions and ideas. Listen now on Spotify, iTunes, iHeart Radio, Stitcher, or wherever you get your podcasts.


CCPA and the cloud

Since the EU’s General Data Protection Regulation (GDPR) took effect in 2018, all eyes have been on the U.S. to see whether it will follow suit. While a number of states have enacted data privacy statutes, the California Consumer Privacy Act (CCPA) is the most comprehensive U.S. state law to date. Entities were expected to be in compliance with CCPA as of January 1, 2020.

CCPA compliance requires entities to think about how the regulation will impact their cloud infrastructures and development of cloud-native applications. Specifically, companies must understand where personally identifiable information (PII) and other private data lives, and how to process, validate, complete, and communicate consumer information and consent requests.

What is CCPA and how to ensure compliance

CCPA gives California residents greater privacy rights over the data that companies collect about them. It applies to any for-profit business that does business in California and collects consumers’ personal information, provided it either has gross annual revenues over $25 million, buys, receives or sells the personal information of 50,000 or more consumers, households or devices per year, or earns half or more of its annual revenue from selling consumers’ personal information.

To ensure compliance, the first thing firms should look at is whether they are collecting PII and, if they are, exactly where it goes. CCPA not only gives California consumers the right to know what personal information is being collected, it also lets them direct that it not be sold and request that it be deleted. Further, if a company suffers a breach of nonencrypted and nonredacted personal information because it failed to implement reasonable security procedures, CCPA gives the affected California consumers a private right of action with statutory damages of $100 to $750 per consumer per incident, on top of the obligations under the state’s separate breach notification law. This increases the potential liability for companies whose security is breached, especially if their security practices do not conform to industry standards.

Regulations regarding data privacy are proliferating, and it is imperative that companies set up an infrastructure foundation that helps them evolve fluidly with these changes to the legal landscape, as opposed to “frankensteining” their environments to play catch-up. The first step is data mapping, in order to know where all consumer PII lives and, importantly, where California consumer PII lives. This requires geographic segmentation of the data. There are multiple tools, including cloud native ones, that empower companies with PII discovery and mapping. Secondly, organizations need a data deletion mechanism and an audit trail for data requests, so that they can prove they have investigated, validated, and adequately responded to requests made under CCPA. The validation piece is also crucial: companies must make sure the individual requesting the data is who they say they are, or a data subject request becomes a way for an attacker to extract someone else’s PII.

Thirdly, a consent mechanism must be in place for any company doing business in California. CCPA requires a clear way for consumers to opt out of the sale of their personal information (the “Do Not Sell My Personal Information” link), and it flips to opt-in for minors: a business may not sell the personal information of a consumer it knows is under 16 without affirmative authorization, from the minor if they are 13 to 15 or from a parent or guardian if they are under 13. If a website is directed at children, a specific opt-in request must therefore precede any sale of California consumer data. These three steps must be backed by an audit trail that can validate each of them.

The cloud

It is here that we start to consider the impact on cloud journeys and cloud-native apps, because this is where firms can leverage tools that providers such as Amazon and Azure already offer but that have not been integral to most businesses’ day-to-day operations until now. These include machine learning based data discovery services (Amazon Macie on AWS, for example) that scan storage for personal data, helping companies know exactly where PII lives so they can respond efficiently to data subject requests.

Likewise, cloud infrastructure should be set up so that firms are not playing catch-up later when data privacy and security legislation is enacted elsewhere: encrypt everything, at rest and in transit, and keep access control permissions current. Organizations must also prevent configuration drift with tooling that automatically closes a security gap, such as a port opened to the internet during development, as soon as it appears.
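As an added illustration of the drift check described above (example code written for this edit, not 2nd Watch tooling), the following Python evaluates security groups in the shape returned by the EC2 DescribeSecurityGroups API and flags every ingress rule that is open to the world on anything other than an allowlist of public ports. The sample groups, their IDs and the allowlist are constructed for the example. The revoke requests it builds mirror the keyword arguments of boto3’s revoke_security_group_ingress, but the block does not call AWS, so it runs offline; in a real deployment the same logic would sit behind an AWS Config rule or a scheduled Lambda.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional

# CIDRs that mean "anyone on the internet", IPv4 and IPv6.
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of DescribeSecurityGroups output (IDs are made up).
SAMPLE_SECURITY_GROUPS: List[Dict[str, Any]] = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        # Intended: HTTPS from anywhere, IPv4 and IPv6.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # Drift: SSH opened to the world during debugging.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # Drift: a dev port range exposed to the internet.
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        # Fine: Postgres only from inside the VPC.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        # Drift: "all traffic" (-1) from anywhere; such rules carry no FromPort/ToPort.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


@dataclass(frozen=True)
class Finding:
    group_id: str
    protocol: str
    from_port: Optional[int]
    to_port: Optional[int]
    cidr: str


def _world_cidrs(rule: Dict[str, Any]) -> List[str]:
    """Return the CIDRs in this rule that expose it to the whole internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def _rule_is_allowed(rule: Dict[str, Any], allowed_public_ports: FrozenSet[int]) -> bool:
    """A world-open rule is acceptable only if it is TCP/UDP and every port in
    its range is on the public allowlist. "-1" (all traffic) and ICMP never are."""
    if rule.get("IpProtocol") not in ("tcp", "udp"):
        return False
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    # Short-circuits on the first disallowed port, so 0-65535 is cheap to reject.
    return all(p in allowed_public_ports for p in range(lo, hi + 1))


def find_world_open_ingress(groups: List[Dict[str, Any]],
                            allowed_public_ports: FrozenSet[int] = frozenset({80, 443})
                            ) -> List[Finding]:
    """Detection step: one Finding per (rule, world CIDR) that violates the allowlist."""
    findings: List[Finding] = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            open_cidrs = _world_cidrs(rule)
            if not open_cidrs or _rule_is_allowed(rule, allowed_public_ports):
                continue
            for cidr in open_cidrs:
                findings.append(Finding(g["GroupId"], rule["IpProtocol"],
                                        rule.get("FromPort"), rule.get("ToPort"), cidr))
    return findings


def build_revoke_requests(findings: List[Finding]) -> List[Dict[str, Any]]:
    """Remediation step: kwargs shaped like ec2.revoke_security_group_ingress(**req).
    Only the offending CIDR is revoked, so legitimate peers on the same rule survive."""
    requests: List[Dict[str, Any]] = []
    for f in findings:
        perm: Dict[str, Any] = {"IpProtocol": f.protocol}
        if f.from_port is not None:          # "-1" rules must be revoked without ports
            perm["FromPort"], perm["ToPort"] = f.from_port, f.to_port
        if ":" in f.cidr:
            perm["Ipv6Ranges"] = [{"CidrIpv6": f.cidr}]
        else:
            perm["IpRanges"] = [{"CidrIp": f.cidr}]
        requests.append({"GroupId": f.group_id, "IpPermissions": [perm]})
    return requests


if __name__ == "__main__":
    for f in find_world_open_ingress(SAMPLE_SECURITY_GROUPS):
        print(f"DRIFT {f.group_id}: {f.protocol} {f.from_port}-{f.to_port} from {f.cidr}")
```

Two design points matter in practice: a range such as 8000-8080 is rejected even though a range can contain an allowed port, because the check is per port rather than per endpoint, and the revoke is scoped to the single world CIDR so that a rule shared with legitimate sources is not torn down wholesale.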

For application development teams, it’s vital to follow security best practices, such as CIS benchmarks, NIST standards and the OWASP Top Ten. These teams will be getting the brunt of the workload in terms of developing website opt-out mechanisms, for example, so they must follow best practices and be organized, prepared, and efficient.

The channel and the cloud

For channel partners, there are a number of considerations when it comes to CCPA and the cloud. For one, partners who are in the business of infrastructure consulting should know how the legislation affects their infrastructure and what tools are available to set up a client with an infrastructure that can handle the requests CCPA mandates.

This means having data discovery tools in place, whether cloud native or third party. It also means having notification mechanisms in place, such as email or, on AWS, Amazon SNS (Simple Notification Service), to help automate responding to data subject requests. Logging must be enabled to establish an audit trail. Consistent resource tagging, backed by a global tagging policy, is integral to data mapping and to finding data quickly. There is a lot that can be done from an infrastructure perspective, so firms should familiarize themselves with tools that can facilitate CCPA compliance, including ones they may never have used in this fashion, or at all.
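To show how tagging feeds the data mapping and geographic segmentation called for in the “What is CCPA” section above, here is an added Python example (written for this edit, not 2nd Watch’s or AWS’s code). It assumes a tagging policy with two keys, DataClassification (public, internal or pii) and DataSubjectRegion, and a constructed resource inventory with made-up ARNs and account IDs, as might be exported from a resource inventory or tag query. It reports policy violations, builds the map of where PII lives per subject region, and answers the practical question a data subject request raises: which stores must be searched.

```python
from typing import Any, Dict, List, Tuple

# Tag vocabulary assumed by this example; an AWS Organizations tag policy would
# enforce the same keys and allowed values (including case) across accounts.
CLASSIFICATIONS = {"public", "internal", "pii"}
UNKNOWN = "UNKNOWN"   # bucket for anything whose data residency cannot be established

# Constructed inventory: ARNs, account IDs and tags are made up for the example.
SAMPLE_INVENTORY: List[Dict[str, Any]] = [
    {"arn": "arn:aws:s3:::acme-crm-exports",
     "tags": {"DataClassification": "pii", "DataSubjectRegion": "US-CA", "Owner": "crm"}},
    {"arn": "arn:aws:rds:us-west-2:123456789012:db:customers",
     "tags": {"DataClassification": "pii", "DataSubjectRegion": "US-CA"}},
    {"arn": "arn:aws:dynamodb:us-east-1:123456789012:table/sessions",
     "tags": {"DataClassification": "pii", "DataSubjectRegion": "US-NY"}},
    {"arn": "arn:aws:s3:::acme-public-assets",
     "tags": {"DataClassification": "public"}},
    # Three kinds of drift: untagged, a value outside the vocabulary, and PII
    # with no residency tag. All three are violations and all three must be
    # searched for a request, because nobody can prove they hold no California data.
    {"arn": "arn:aws:s3:::acme-legacy-backups", "tags": {"Owner": "ops"}},
    {"arn": "arn:aws:rds:us-west-2:123456789012:db:analytics",
     "tags": {"DataClassification": "confidential"}},
    {"arn": "arn:aws:ec2:us-west-2:123456789012:snapshot/snap-0123",
     "tags": {"DataClassification": "pii"}},
]


def check_tag_policy(inventory: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (arn, reason) for every resource that breaks the tagging policy.
    DataSubjectRegion is only mandatory once a resource is classified as pii."""
    violations: List[Tuple[str, str]] = []
    for r in inventory:
        tags = r.get("tags", {})
        cls = tags.get("DataClassification")
        if cls is None:
            violations.append((r["arn"], "missing DataClassification tag"))
        elif cls not in CLASSIFICATIONS:
            violations.append((r["arn"], f"unrecognized DataClassification value {cls!r}"))
        elif cls == "pii" and "DataSubjectRegion" not in tags:
            violations.append((r["arn"], "pii resource missing DataSubjectRegion tag"))
    return violations


def pii_by_region(inventory: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """The data map: subject region -> resources holding that region's PII.
    Resources with no defensible classification land under UNKNOWN rather than
    being silently dropped, which is the failure mode that makes maps wrong."""
    mapping: Dict[str, List[str]] = {}
    for r in inventory:
        tags = r.get("tags", {})
        cls = tags.get("DataClassification")
        if cls in ("public", "internal"):
            continue
        region = tags.get("DataSubjectRegion", UNKNOWN) if cls == "pii" else UNKNOWN
        mapping.setdefault(region, []).append(r["arn"])
    return {region: sorted(arns) for region, arns in mapping.items()}


def resources_for_request(inventory: List[Dict[str, Any]], subject_region: str) -> List[str]:
    """Stores that must be searched to answer a data subject request from one region:
    everything mapped to that region plus everything whose residency is unknown."""
    mapping = pii_by_region(inventory)
    return sorted(set(mapping.get(subject_region, [])) | set(mapping.get(UNKNOWN, [])))


if __name__ == "__main__":
    for arn, reason in check_tag_policy(SAMPLE_INVENTORY):
        print(f"VIOLATION {arn}: {reason}")
    for region, arns in pii_by_region(SAMPLE_INVENTORY).items():
        print(f"{region}: {len(arns)} resource(s)")
    print("search for a US-CA request:", resources_for_request(SAMPLE_INVENTORY, "US-CA"))
```

The UNKNOWN bucket is the point of the exercise: every untagged or mis-tagged store widens the search surface for each California request, so the tag policy violations above are not just hygiene findings but direct cost and deadline risk for the team answering requests.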

Ultimately, when it comes to CCPA, don’t sleep on it. GDPR went into effect less than two years ago, and already we have seen huge fines doled out to the likes of British Airways and Google for compliance failures. The EU has been aggressive about ensuring compliance, and California is likely to follow the same playbook: to give CCPA any teeth, the state has to enforce it.

If you’re interested in learning more about how privacy laws might affect cloud development, watch our “CCPA: State Privacy Law Effects on Cloud Development” webinar on-demand, at your convenience.

– Victoria Geronimo, Product Manager – Security & Compliance


Protection from Immediate Threats with an AWS Security Rapid Review

Security assessments are a necessity for cloud security, governance, and compliance. Ideally, an assessment will result in a prioritized list of security and compliance gaps within your cloud environment, the context (or standards) for these gaps, and how to fix them. In reality, however, security assessments themselves can have their own vulnerabilities, particularly around scoping and recommendations.

Organizations that do not have in-house security expertise may have trouble defining what they are actually seeking to get out of the assessment. Projects can be ill-scoped, and recommendations may not actually make sense given your security posture and budget. Additionally, many remediation recommendations may just be band-aid solutions and not long-term fixes that will stop the vulnerability from reoccurring. By the end of the engagement, you may end up with a couple of good recommendations, a lot of useless ones, and a month of wasted time and resources.

Enter our AWS Security Rapid Review. This 1-2 week engagement is designed to provide you with a quick turnaround of actionable remediation recommendations. It is scalable from a small sample of accounts to a few hundred. Benefits include:

• Checking your AWS environment against industry-standard benchmarks and 2nd Watch best practices
• List of vulnerabilities
• Threat prioritization
• Prescriptive, actionable remediation recommendations
• Consultation with a 2nd Watch security expert on the underlying systemic issues causing noted vulnerabilities
• 1-2 week turnaround time

This assessment gives you the immediate ability to remediate vulnerabilities as well as the context for why these vulnerabilities are occurring in the first place. You have control over whether you want to just remediate findings or take it a step further and lay down a robust security foundation.

To learn more about our AWS Security Rapid Review, download our datasheet.

-Victoria Geronimo, Product Manager, Security & Compliance