Welcome!

Cloud Expo Authors: Roger Strukhoff, Elizabeth White, Pat Romanski, Liz McMillan, Jason Bloomberg

Blog Feed Post

Cloudy with a Chance of Pharma Security

pharmaceutical compliance HIPAA Compliance Cloud Security Cloud HIPAA Cloud Encryption  pharm cloud security Cloudy with a Chance of Pharma SecurityCloud computing changes the way companies consume IT resources. It shifts the burden of purchasing and maintaining IT infrastructure to specialized IT providers and allows the users to pay only for the resources they need, when they need them. In this new paradigm, cloud security is a top concern.  Companies want to reap the benefits of cloud computing, but are often hesitant because of concerns about security and compliance. In the 21CFR11 regulation, the FDA focused on requirements for ensuring electronic record integrity, accuracy, and availability for agency review throughout the retention period.  The regulation emphasizes record protection from unauthorized access and system validation. Other international agencies have similar regulations. This article captures key points from an interview with Gilad Parann-Nissany, a cloud security pioneer. He addressed some hard questions that have been the main obstacles to getting more regulated healthcare and life sciences companies to adopt cloud infrastructures.

Gilad Parann-Nissany built SaaS Clouds for medium and small enterprises and contributed to SAP products reaching more than 8 million users. He created a consumer Cloud at G.ho.st – a cloud operating system that provided browser-based and mobile access to data, people and applications.  He is now CEO of Porticor, a cloud security company.

AG: We realize the benefits of public clouds, mainly our ability to use and pay for what we need at any given time and not having to deal with the hassle of buying and managing our own data centers, but is there a way we can truly trust that our systems are still compliant with FDA regulations and our data is secured in a public cloud and is protected to ensure record integrity and confidentiality?

GPN: Yes, the FUD is that public cloud seems open to hackers, corporate spies, government surveillance, and the like. When you analyze this perception, it comes down to the fact that people are used to having walls around their servers and data storage. In the cloud, you manage your servers and disks using a browser, and the concern is that the bad guys can access you servers and disks with equal convenience. It’s actually a reasonable concern.

Yet there is a serious way to replace walls.  Strong data encryption, of course, is the accepted best practice.  Basically you are replacing physical walls with mathematical walls. If you do it right, you end up more secure in the cloud then you would be at the typical company.

You must choose the right encryption techniques. Once your data is encrypted, the management of the encryption keys becomes critical.

If you encrypt your data and store your encryption keys in the same place, the keys become vulnerable to the same threats.  If you give the keys to your cloud provider, then you have lost control of your data. People worry whether cloud provider employees are trustworthy, and of course from a regulatory point of view – you are simply not allowed to farm out ownership of your sensitive healthcare data. So the way to keep ownership and still enjoy the cloud, is to encrypt data and keep ownership of your encryption keys.

A technical solution to this need is split key encryption.  It’s like the safety deposit box systems, which have two keys.  Your data is encrypted, and the encryption key is split into two parts where one part is held only by you.  Both parts are always required to access the data.  This way, only you control your data and the public cloud becomes effectively private and confidential.

AG: Regulatory agencies require that electronic records be available for inspection throughout their retention period, which can be many years. Is it possible to ensure record availability in 15-20 years, considering technology changes and the risk that the vendor will no longer provide the service?

GPN: The possibility that technology will change or that a vendor will stop providing the service does of course need to be taken into account. The most basic answer involves ensuring ease of copying out data and meta-data from one solution and into another.

Copying out your terabyte of data to some new place may take some time, yet it’s not something you do every day. The important point is to ensure that your technology of choice, and your vendor of choice, make it possible if necessary. This should be a standard operation – for example, for copying out data, it is best to ensure that standard copying commands are available; for copying out meta-data, ensure you have standard APIs, such as RESTful APIs.

You do need to be thoughtful choose the right approach to the cloud, but for the typical small to medium company – building out such capabilities yourself is ridiculous compared with the price/performance of the cloud solution.

AG: For validated systems, will adding a security layer require revalidation of the applications?  Will it modify the way our applications handle data? Will the applications require any modification?

GPN: By default, the best solutions out there will give you a transparent encryption and key management solution. They should also allow you to do something special (with an API), if that is justified by your needs – but they should not require it.

Your chosen security solution should be able to be inserted transparently between the application layer and the data layer. Deployment models could be as an agent (which you install on your servers, but does not change your application), or as a Virtual Appliance (which does not touch your servers at all, and is available as a virtual machine running independently in your cloud). Good solutions will offer both options and let you choose.

AG: Are security technologies platform independent? Will adding a security layer require us to limit our systems to certain platforms?

GPN: The good ones will work on all the major cloud platforms and with all the major operating systems (Windows, Linux, Unix, etc).

AG: Will the cost of adding a security layer negate the cost benefit of using a cloud?

GPN: Hell no. But you need to choose right. Some vendors out there are trying to sell you the old economic model even when you move to the cloud, which means in practice a high up front cost for getting a solution. You should look for a solution that is pay as you go, so that you pay only for what you use and only when you use it. That’s the cloud economic model, it should be a no brainer. If you select right – you’ll actually end up better than before.

Cloud security and Cloud encryption can protect your data in the public cloud, and meet the regulatory requirements. Bottom line, for many of the Healthcare workloads out there, it is a strong and secure contender.

The post Cloudy with a Chance of Pharma Security appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

Cloud Expo Latest Stories
The emergence of cloud computing and Big Data warrants a greater role for the PMO to successfully manage enterprise transformation driven by these powerful trends. As the adoption of cloud-based services continues to grow, a governance model is needed to orchestrate enterprise cloud implementations and harness the power of Big Data analytics. In his session at 15th Cloud Expo, Mahesh Singh, President of BigData, Inc., to discuss how the Enterprise PMO takes center stage not only in developing the appropriate governance model but also in collaborating with key stakeholders to ensure a successful transformation.
SYS-CON Events announced today that TechXtend (formerly Programmer’s Paradise), a leading value-added provider of server and storage virtualization, and r-evolution will exhibit at SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. TechXtend (formerly Programmer’s Paradise) is a leading value-added provider of software, systems and solutions for corporations, government organizations, and academic institutions across the United States and Canada. TechXtend is the Exclusive Reseller in the United States for r-evolution
The consumption economy is here and so are cloud applications and solutions that offer more than subscription and flat fee models and at the same time are available on a pure consumption model, which not only reduces IT spend but also lowers infrastructure costs, and offers ease of use and availability. In their session at 15th Cloud Expo, Ermanno Bonifazi, CEO & Founder of Solgenia, and Ian Khan, Global Strategic Positioning & Brand Manager at Solgenia, will discuss this shifting dynamic with an example of a top European Telco provider. Find out how they are leveraging the power of acloud-based consumption model services to offer more value to the mass market and enable a new revenue model that embraces the true meaning of the Third Industrial Revolution.
Every healthy ecosystem is diverse. This is especially true in cloud ecosystems, where portability and interoperability are more important than old enterprise models of proprietary ownership. In his session at 15th Cloud Expo, Mark Baker, Server Product Manager at Canonical/Ubuntu, will discuss how single vendors used to take the lead in creating and delivering technology, but in a cloud economy, where users want tools of their preference, when and where they need them, it makes no sense.
SYS-CON Events announced today that Cloudian, Inc., the leading provider of hybrid cloud storage solutions, has been named “Bronze Sponsor” of SYS-CON's 15th International Cloud Expo®, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Cloudian is a Foster City, Calif.-based software company specializing in cloud storage. Cloudian HyperStore® is an S3-compatible cloud object storage platform that enables service providers and enterprises to build reliable, affordable and scalable hybrid cloud storage solutions. Cloudian actively partners with leading cloud computing environments including Amazon Web Services, Citrix Cloud Platform, Apache CloudStack, OpenStack and the vast ecosystem of S3 compatible tools and applications. Cloudian's customers include Vodafone, Nextel, NTT, Nifty, and LunaCloud. The company has additional offices in China and Japan.
In today's application economy, enterprise organizations realize that it's their applications that are the heart and soul of their business. If their application users have a bad experience, their revenue and reputation are at stake. In his session at 15th Cloud Expo, Anand Akela, Senior Director of Product Marketing for Application Performance Management at CA Technologies, will discuss how a user-centric Application Performance Management solution can help inspire your users with every application transaction.
Come learn about what you need to consider when moving your data to the cloud. In her session at 15th Cloud Expo, Skyla Loomis, a Program Director of Cloudant Development at Cloudant, will discuss the security, performance, and operational implications of keeping your data on premise, moving it to the cloud, or taking a hybrid approach. She will use real customer examples to illustrate the tradeoffs, key decision points, and how to be successful with a cloud or hybrid cloud solution.
Cloud computing started a technology revolution; now DevOps is driving that revolution forward. By enabling new approaches to service delivery, cloud and DevOps together are delivering even greater speed, agility, and efficiency. No wonder leading innovators are adopting DevOps and cloud together! In his session at DevOps Summit, Andi Mann, Vice President of Strategic Solutions at CA Technologies, will explore the synergies in these two approaches, with practical tips, techniques, research data, war stories, case studies, and recommendations.
The 16th International Cloud Expo announces that its Call for Papers is now open. 16th International Cloud Expo, to be held June 9–11, 2015, at the Javits Center in New York City brings together Cloud Computing, APM, APIs, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal today!
14th International Cloud Expo, held on June 10–12, 2014 at the Javits Center in New York City, featured three content-packed days with a rich array of sessions about the business and technical value of cloud computing, Internet of Things, Big Data, and DevOps led by exceptional speakers from every sector of the IT ecosystem. The Cloud Expo series is the fastest-growing Enterprise IT event in the past 10 years, devoted to every aspect of delivering massively scalable enterprise IT as a service.
Hardware will never be more valuable than on the day it hits your loading dock. Each day new servers are not deployed to production the business is losing money. While Moore’s Law is typically cited to explain the exponential density growth of chips, a critical consequence of this is rapid depreciation of servers. The hardware for clustered systems (e.g., Hadoop, OpenStack) tends to be significant capital expenses. In his session at 15th Cloud Expo, Mason Katz, CTO and co-founder of StackIQ, to discuss how infrastructure teams should be aware of the capitalization and depreciation model of these expenses to fully understand when and where automation is critical.
Over the last few years the healthcare ecosystem has revolved around innovations in Electronic Health Record (HER) based systems. This evolution has helped us achieve much desired interoperability. Now the focus is shifting to other equally important aspects – scalability and performance. While applying cloud computing environments to the EHR systems, a special consideration needs to be given to the cloud enablement of Veterans Health Information Systems and Technology Architecture (VistA), i.e., the largest single medical system in the United States.
In his session at 15th Cloud Expo, Mark Hinkle, Senior Director, Open Source Solutions at Citrix Systems Inc., will provide overview of the open source software that can be used to deploy and manage a cloud computing environment. He will include information on storage, networking(e.g., OpenDaylight) and compute virtualization (Xen, KVM, LXC) and the orchestration(Apache CloudStack, OpenStack) of the three to build their own cloud services. Speaker Bio: Mark Hinkle is the Senior Director, Open Source Solutions, at Citrix Systems Inc. He joined Citrix as a result of their July 2011 acquisition of Cloud.com where he was their Vice President of Community. He is currently responsible for Citrix open source efforts around the open source cloud computing platform, Apache CloudStack and the Xen Hypervisor. Previously he was the VP of Community at Zenoss Inc., a producer of the open source application, server, and network management software, where he grew the Zenoss Core project to over 10...
Most of today’s hardware manufacturers are building servers with at least one SATA Port, but not every systems engineer utilizes them. This is considered a loss in the game of maximizing potential storage space in a fixed unit. The SATADOM Series was created by Innodisk as a high-performance, small form factor boot drive with low power consumption to be plugged into the unused SATA port on your server board as an alternative to hard drive or USB boot-up. Built for 1U systems, this powerful device is smaller than a one dollar coin, and frees up otherwise dead space on your motherboard. To meet the requirements of tomorrow’s cloud hardware, Innodisk invested internal R&D resources to develop our SATA III series of products. The SATA III SATADOM boasts 500/180MBs R/W Speeds respectively, or double R/W Speed of SATA II products.
As more applications and services move "to the cloud" (public or on-premise) cloud environments are increasingly adopting and building out traditional enterprise features. This in turn is enabling and encouraging cloud adoption from enterprise users. In many ways the definition is blurring as features like continuous operation, geo-distribution or on-demand capacity become the norm. NuoDB is involved in both building enterprise software and using enterprise cloud capabilities. In his session at 15th Cloud Expo, Seth Proctor, CTO at NuoDB, Inc., will discuss the experiences from building, deploying and using enterprise services and suggest some ways to approach moving enterprise applications into a cloud model.