Welcome!

@CloudExpo Authors: Pat Romanski, Yeshim Deniz, Liz McMillan, Elizabeth White, Zakia Bouachraoui

Blog Feed Post

Cloudy with a Chance of Pharma Security

pharmaceutical compliance HIPAA Compliance Cloud Security Cloud HIPAA Cloud Encryption  pharm cloud security Cloudy with a Chance of Pharma SecurityCloud computing changes the way companies consume IT resources. It shifts the burden of purchasing and maintaining IT infrastructure to specialized IT providers and allows the users to pay only for the resources they need, when they need them. In this new paradigm, cloud security is a top concern.  Companies want to reap the benefits of cloud computing, but are often hesitant because of concerns about security and compliance. In the 21CFR11 regulation, the FDA focused on requirements for ensuring electronic record integrity, accuracy, and availability for agency review throughout the retention period.  The regulation emphasizes record protection from unauthorized access and system validation. Other international agencies have similar regulations. This article captures key points from an interview with Gilad Parann-Nissany, a cloud security pioneer. He addressed some hard questions that have been the main obstacles to getting more regulated healthcare and life sciences companies to adopt cloud infrastructures.

Gilad Parann-Nissany built SaaS Clouds for medium and small enterprises and contributed to SAP products reaching more than 8 million users. He created a consumer Cloud at G.ho.st – a cloud operating system that provided browser-based and mobile access to data, people and applications.  He is now CEO of Porticor, a cloud security company.

AG: We realize the benefits of public clouds, mainly our ability to use and pay for what we need at any given time and not having to deal with the hassle of buying and managing our own data centers, but is there a way we can truly trust that our systems are still compliant with FDA regulations and our data is secured in a public cloud and is protected to ensure record integrity and confidentiality?

GPN: Yes, the FUD is that public cloud seems open to hackers, corporate spies, government surveillance, and the like. When you analyze this perception, it comes down to the fact that people are used to having walls around their servers and data storage. In the cloud, you manage your servers and disks using a browser, and the concern is that the bad guys can access you servers and disks with equal convenience. It’s actually a reasonable concern.

Yet there is a serious way to replace walls.  Strong data encryption, of course, is the accepted best practice.  Basically you are replacing physical walls with mathematical walls. If you do it right, you end up more secure in the cloud then you would be at the typical company.

You must choose the right encryption techniques. Once your data is encrypted, the management of the encryption keys becomes critical.

If you encrypt your data and store your encryption keys in the same place, the keys become vulnerable to the same threats.  If you give the keys to your cloud provider, then you have lost control of your data. People worry whether cloud provider employees are trustworthy, and of course from a regulatory point of view – you are simply not allowed to farm out ownership of your sensitive healthcare data. So the way to keep ownership and still enjoy the cloud, is to encrypt data and keep ownership of your encryption keys.

A technical solution to this need is split key encryption.  It’s like the safety deposit box systems, which have two keys.  Your data is encrypted, and the encryption key is split into two parts where one part is held only by you.  Both parts are always required to access the data.  This way, only you control your data and the public cloud becomes effectively private and confidential.

AG: Regulatory agencies require that electronic records be available for inspection throughout their retention period, which can be many years. Is it possible to ensure record availability in 15-20 years, considering technology changes and the risk that the vendor will no longer provide the service?

GPN: The possibility that technology will change or that a vendor will stop providing the service does of course need to be taken into account. The most basic answer involves ensuring ease of copying out data and meta-data from one solution and into another.

Copying out your terabyte of data to some new place may take some time, yet it’s not something you do every day. The important point is to ensure that your technology of choice, and your vendor of choice, make it possible if necessary. This should be a standard operation – for example, for copying out data, it is best to ensure that standard copying commands are available; for copying out meta-data, ensure you have standard APIs, such as RESTful APIs.

You do need to be thoughtful choose the right approach to the cloud, but for the typical small to medium company – building out such capabilities yourself is ridiculous compared with the price/performance of the cloud solution.

AG: For validated systems, will adding a security layer require revalidation of the applications?  Will it modify the way our applications handle data? Will the applications require any modification?

GPN: By default, the best solutions out there will give you a transparent encryption and key management solution. They should also allow you to do something special (with an API), if that is justified by your needs – but they should not require it.

Your chosen security solution should be able to be inserted transparently between the application layer and the data layer. Deployment models could be as an agent (which you install on your servers, but does not change your application), or as a Virtual Appliance (which does not touch your servers at all, and is available as a virtual machine running independently in your cloud). Good solutions will offer both options and let you choose.

AG: Are security technologies platform independent? Will adding a security layer require us to limit our systems to certain platforms?

GPN: The good ones will work on all the major cloud platforms and with all the major operating systems (Windows, Linux, Unix, etc).

AG: Will the cost of adding a security layer negate the cost benefit of using a cloud?

GPN: Hell no. But you need to choose right. Some vendors out there are trying to sell you the old economic model even when you move to the cloud, which means in practice a high up front cost for getting a solution. You should look for a solution that is pay as you go, so that you pay only for what you use and only when you use it. That’s the cloud economic model, it should be a no brainer. If you select right – you’ll actually end up better than before.

Cloud security and Cloud encryption can protect your data in the public cloud, and meet the regulatory requirements. Bottom line, for many of the Healthcare workloads out there, it is a strong and secure contender.

The post Cloudy with a Chance of Pharma Security appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

CloudEXPO Stories
Everyone wants the rainbow - reduced IT costs, scalability, continuity, flexibility, manageability, and innovation. But in order to get to that collaboration rainbow, you need the cloud! In this presentation, we'll cover three areas: First - the rainbow of benefits from cloud collaboration. There are many different reasons why more and more companies and institutions are moving to the cloud. Benefits include: cost savings (reducing on-prem infrastructure, reducing data center foot print, reducing IT support costs), enabling growth (ensuring a highly available, highly scalable infrastructure), increasing employee access & engagement (by having collaboration tools that are usable and available globally regardless of location there will be an increased connectedness amongst teams and individuals that will help increase both efficiency and productivity.)
SYS-CON Events announced today that Silicon India has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Published in Silicon Valley, Silicon India magazine is the premiere platform for CIOs to discuss their innovative enterprise solutions and allows IT vendors to learn about new solutions that can help grow their business.
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use of real time applications accelerate, legacy networks are no longer able to architecturally support cloud adoption and deliver the performance and security required by highly distributed enterprises. These outdated solutions have become more costly and complicated to implement, install, manage, and maintain.SD-WAN offers unlimited capabilities for accessing the benefits of the cloud and Internet. SD-WAN helps enterprises to take advantage of the exploding landscape of cloud applications and services, due to its unique capability to support all things cloud related.
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22nd International Cloud Expo, which will take place on June 5–7, 2018, at the Javits Center in New York City, NY. CrowdReviews.com is a transparent online platform for determining which products and services are the best based on the opinion of the crowd. The crowd consists of Internet users that have experienced products and services first-hand and have an interest in letting other potential buyers learn their thoughts on their experience.