
Developing a Cloud Security Roadmap (March 2, 2016) by Gary Seay and Chris Bowen - PowerPoint presentation, slide text


  1. Developing a Cloud Security Roadmap
     March 2, 2016
     Gary Seay, Former CIO, Community Health Systems
     Chris Bowen, Founder and CPSO, ClearDATA

  2. Conflict of Interest
     • Gary Seay has no real or apparent conflicts of interest to report.
     • Chris Bowen, MBA, CISSP, CIPP/US, CIPT, has no real or apparent conflicts of interest to report.

  3. Agenda
     • Healthcare Data Under Attack: trends and sources of healthcare data breaches
     • Security Roadmap Essentials: Defense in Depth; a closer look; the Shared Responsibility Model
     • Threat Diligence: on or off premise
     • Conclusion

  4. Learning Objectives
     1. Evaluate the primary causes of data breaches as they relate to current health system infrastructure
     2. List the major considerations for selecting a cloud computing vendor
     3. Assess the benefits of cloud platforms beyond security, including cost savings and data analytics
     4. Recognize the key layers of a "Defense in Depth" approach to healthcare data security

  5. Our Healthcare Data Is Under Attack!
     • 115,000,000 health records breached in 2015 alone, a tenfold increase over 2014
     Source: CSO Online, http://www.csoonline.com/article/3026661/data-breach/over-113-million-health-records-breached-in-2015-up-10-fold-from-2014.html

  6. Learning Objective 1: The Role of the Healthcare Network
     [Network diagram: care settings (Regional Medical Center, Physician Office, Home, Secondary Care, Hospital, SMB, Community Health Center, Affiliate Office, Military and Prison Health Center) connected through enterprise services: Health Data Exchange, Patient Consent, EMR and EMR Integration, Mobile EMR, Enterprise Wireless, VoIP Phone, Telemedicine and Immersive Telepresence, Collaboration, Conferencing, Remote Monitoring, Remote Access, Radiology.]

  7. Learning Objective 1: The Role of HIT in the Patient Journey
     [Flow diagram: Injury Occurs → Ambulance Takes Patient to Clinic → Preliminary Treatment at Local Clinic (Patient Record, Patient Monitoring, Care Collaboration) → Patient Transferred to Hospital (Patient Monitoring, Patient EMR, X-ray Management, Patient Consent System) → Post-Procedure Care (Continuous Monitoring, Patient Services, Medication Management) → Home (Telemedicine, Patient Monitoring, Further Tests, Patient Care).]

  8. Learning Objective 1: The Data Security Imperative
     • 91% of small North American healthcare practices have been breached.
     • 70% aren't confident that their budget meets risk management, compliance, and governance requirements.
     • Six in ten security systems aren't mature enough to detect or react to data breaches.

  9. Learning Objective 1: The Data Breach Epidemic
     • 94% of providers have suffered at least one data breach in the last two years.
     • Nearly 50% have experienced more than five data breaches.

  10. Learning Objective 1: Incident Patterns - Verizon's "Nefarious Nine"
      Nine incident patterns describe 93% of PHI breaches; just three patterns describe 85% of incidents.

      Pattern                 Incidents   Share
      Lost & Stolen Assets        807     45.4%
      Privilege Misuse            361     20.3%
      Miscellaneous Errors        357     20.1%
      Everything Else             119      6.7%
      Point of Sale                68      3.8%
      Web Applications             33      1.9%
      Crimeware                    25      1.4%
      Cyber-Espionage               6      0.3%
      Card Skimmers                 0      0.0%

      Source: Verizon 2015 Protected Health Information Data Breach Report

  11. Most Hackers Invest Limited Time
      Average hacker time investment
      • 70 hours per attack against "typical" IT security infrastructure
      • 147 hours battling "excellent" IT security infrastructure
      • Give up completely after 209 hours
      Average return
      • Less than $15,000 per attack
      • Less than $29,000 per year
      "If you can delay them by two days, you can deter 60 percent of attacks." - Scott Simkin, senior threat intelligence manager at Palo Alto Networks
      Source: CSO Online, "Survey: Average successful hack nets less than $15,000", http://www.csoonline.com/article/3028787/cyber-attacks-espionage/survey-average-successful-hack-nets-less-than-15-000.html

  12. Learning Objective 4: Security Roadmap Essentials
      Defense in Depth - multi-level security applied across each use case to the appropriate level:
      • User, Process, Device
      • Physical Infrastructure
      • Network Security (air-tight, properly configured)
      • System Security
      • Data & Application Security
      Defense in Breadth - applying defense in depth and breadth:
      • Reduce attack surfaces
      • Deploy crypto keys
      • Create secure people, processes & systems

  13. Learning Objective 4: Defense in Depth - Multi-level User
      Multi-level User (your controls)
      • Regular security awareness training
      • Cyclical policies and procedure review
      • Convenient policies & procedures access
      • Background checks
      • On- and off-boarding checklists
      • Minimum Necessary, Role Based Access Controls (RBAC)
      • Segregation of Duties
      • Fair and equal sanctions
      • Whistleblower hotline
      Cloud Service Provider
      • Leverage CSP policies and procedures as extensions of your own
      • Leverage RBAC tools
      • Use the CSP team for Segregation of Duties
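The "Minimum Necessary" RBAC and Segregation of Duties bullets above describe controls, not a mechanism. The following is an added example (not code from the deck or from ClearDATA) of how those two controls are typically enforced in software: roles carry only the permissions a job needs, role pairs that would let one person both request and approve the same thing are declared as conflicts and rejected at assignment time, and an access review compares granted permissions against those actually exercised. The role names, permissions, conflict pairs and usage log are constructed for illustration.

```python
"""RBAC with minimum-necessary review and segregation-of-duties (SoD) enforcement.

Added example; role/permission names and the sample usage log are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set

# Each role grants only the permissions that job function needs (minimum necessary).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "nurse":           {"phi:read", "phi:update_vitals"},
    "billing":         {"phi:read_demographics", "claims:submit"},
    "claims_approver": {"claims:approve"},
    "sysadmin":        {"system:configure", "logs:read"},
    "auditor":         {"logs:read", "phi:read"},
}

# Role pairs that no single account may hold at once (segregation of duties).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"billing", "claims_approver"}),  # would submit and approve own claims
    frozenset({"sysadmin", "auditor"}),         # would change systems and audit them
}


class SegregationOfDutiesError(ValueError):
    """Raised when a role assignment would create a conflicting combination."""


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


def sod_conflicts(roles: Set[str]) -> List[FrozenSet[str]]:
    """Return every declared conflict pair that is fully contained in `roles`."""
    return [pair for pair in SOD_CONFLICTS if pair <= roles]


def assign_role(user: User, role: str) -> None:
    """Grant `role`, refusing if the resulting role set violates SoD."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role: {role}")
    proposed = user.roles | {role}
    conflicts = sod_conflicts(proposed)
    if conflicts:
        pretty = ", ".join(sorted("+".join(sorted(p)) for p in conflicts))
        raise SegregationOfDutiesError(
            f"{user.name}: assigning {role!r} creates SoD conflict ({pretty})")
    user.roles = proposed


def permissions_for(user: User) -> Set[str]:
    """Effective permissions are the union of the user's roles."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_authorized(user: User, permission: str) -> bool:
    """Deny by default: only permissions reachable through a role are granted."""
    return permission in permissions_for(user)


def unused_permissions(user: User, exercised: Iterable[str]) -> Set[str]:
    """Minimum-necessary review: granted permissions never seen in the access log.

    Candidates for removal at the next cyclical policy review.
    """
    return permissions_for(user) - set(exercised)


def demo() -> Set[str]:
    """Walk through an assignment, an SoD rejection, and an access review."""
    alice = User("alice")
    assign_role(alice, "billing")
    try:
        assign_role(alice, "claims_approver")   # rejected: submit + approve
    except SegregationOfDutiesError:
        pass
    assert alice.roles == {"billing"}
    # Constructed access-log excerpt: alice only ever submitted claims.
    exercised_by_alice = ["claims:submit", "claims:submit"]
    return unused_permissions(alice, exercised_by_alice)  # -> {"phi:read_demographics"}


if __name__ == "__main__":
    print(demo())
```

The deny-by-default `is_authorized` and the explicit conflict table are the two pieces that make "minimum necessary" and "segregation of duties" auditable: a reviewer can read `ROLE_PERMISSIONS` and `SOD_CONFLICTS` directly instead of reverse-engineering them from scattered checks.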

  14. Learning Objective 4: Defense in Depth - Device & Workstation
      Device & Workstation (your controls)
      • Screen lock (15 minutes)
      • One user, one account
      • Anti-virus, anti-malware
      • Appropriate use of network resources (block questionable sites, prevent drive-by downloads)
      • Keep credentials secure and fresh
      • Enable remote wipe
      • Prohibit PHI storage on any device or workstation
      Cloud Service Provider
      • Leverage anti-virus / anti-malware
      • Leverage content filters
      • Leverage password expiration and support policies
      • Leverage remote wipe features
      • Prohibit storing PHI on devices or workstations, enforced with controls

  15. Learning Objective 4: Defense in Depth - Physical Infrastructure
      Physical Infrastructure (your controls)
      • Access controls
      • Surveillance
      • Workstation timeouts
      • Appropriate use of locks for sensitive areas
      • Limited entry points
      • Physical barriers
      Cloud Service Provider
      • Keeps your data in a secure physical facility at no extra cost to you
      • Physical access controls: gates, guards, biometric two-factor authentication, surveillance
      • The CSP can be your hands on the ground; there is no need for you to access the data center

  16. Learning Objective 4: Defense in Depth - Network
      Network Security (your controls)
      • Formal network and acceptable use policy
      • Active network asset inventory: firewalls, VPNs, IPS/IDS, content security, wireless access points, identity management
      • Know your data and its logical flows
      • Lock down traffic that could touch PHI
      • Review settings regularly
      • Visualize network activity
      • Implement a SIEM
      • Manage logs effectively
      Cloud Service Provider
      • Leverage IDS / IPS
      • Reduce your inventory of firewalls, VPNs, and other network assets
      • Leverage the CSP's SIEM for your own use
      • Let the CSP analyze logs for you
      • Let the CSP manage your port restrictions and regular port reviews
      • Let the CSP detect and alert you to anomalous activity

  17. Learning Objective 4: Defense in Depth - System Server / OS
      System Server / OS (your controls)
      • Understand server relationships to sensitive data
      • Maintain up-to-date vendor software versions and patches
      • Perform penetration tests and vulnerability scans on the server ecosystem
      • Server/OS hardened to standards
      • Backup/restore testing regularly performed
      • Logging enabled and preserved
      Cloud Service Provider
      • Leverage your CSP's hardening templates
      • Let your CSP do patching for you
      • Leverage your CSP's tools for backup/restore testing
      • Let your CSP collect the audit artifacts required for compliance and investigation

  18. Learning Objective 4: Defense in Depth - Data & Applications
      Data & Applications (your controls)
      • Understand application relationships to sensitive data
      • Maintain up-to-date software versions
      • Ensure the vendor provides support and patches
      • Perform security and privacy reviews on applications
      • Perform penetration tests and vulnerability scans on key applications
      • Logs enabled and preserved
      Cloud Service Provider
      • Leverage Web Application Firewalls from your CSP
      • Let the CSP help design your tier-based system
      • Leverage the CSP's security expertise to restrict traffic in secure zones
      • Let the CSP help you perform penetration testing
      • Use the CSP's solution for vulnerability scanning
      • Let the CSP manage log preservation

  19. Learning Objective 4: Defense in Breadth - Reduce Attack Surfaces
      Reduce Attack Surfaces (your controls)
      General
      • Secure the right boundary
      Network surface
      • Close unnecessarily open ports
      • Adopt white-list models to reduce port traffic
      • Keep things simple: eliminate expired or unnecessary rules
      Software surface
      • Build security into applications
      • Reduce the amount of running code
      Physical surface
      • Enforce strong authentication
      • Laptop encryption
      Cloud Service Provider
      • Automated port reviews and network traffic analysis
      • Opinionated, purpose-built hardening templates
      • Vulnerability management
      • 24x7 security monitoring
      • Automated policy enforcement
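The network-surface bullets on this slide (close unnecessarily open ports, adopt a white-list model, eliminate expired rules) and the "regular port reviews" item on the Network slide describe the same recurring review. The following is an added example, not code from the deck or from any CSP's tooling, of what such an automated review does: every ingress rule in a constructed security-group-style rule set is checked against an explicit allow-list of protocol/port pairs, with a stricter list for internet-facing sources than for internal ranges, and rules carrying a past expiry date are flagged for removal. The rule set, the allow-lists and the 10.0.0.0/8 internal range are assumptions chosen for the illustration.

```python
"""Port review under a white-list model: flag rules that are expired or not on the allow-list.

Added example; the rule set, allow-lists and internal range are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str            # "tcp" or "udp"
    port: int
    source: str              # CIDR the rule admits traffic from
    expires: Optional[date] = None   # temporary rules carry an expiry


Finding = Tuple[str, str]    # (rule name, reason)

# White-list model: anything not listed here is a finding, regardless of how it got there.
INTERNET_ALLOWED: Set[Tuple[str, int]] = {("tcp", 443)}
INTERNAL_ALLOWED: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 443), ("tcp", 5432), ("tcp", 3306)}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed private address space


def is_internal(cidr: str) -> bool:
    """True when the whole source range lies inside the internal address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == n.version and net.subnet_of(n) for n in INTERNAL_NETS)


def audit(rules: List[Rule], today: date) -> List[Finding]:
    """Return one finding per rule that should be removed or tightened."""
    findings: List[Finding] = []
    for r in rules:
        if r.expires is not None and r.expires < today:
            # An expired rule is removed outright; no point grading its ports as well.
            findings.append((r.name, f"expired on {r.expires.isoformat()}; remove it"))
            continue
        key = (r.protocol.lower(), r.port)
        if is_internal(r.source):
            if key not in INTERNAL_ALLOWED:
                findings.append((r.name, f"{key[0]}/{key[1]} from {r.source} not on internal allow-list"))
        elif key not in INTERNET_ALLOWED:
            findings.append((r.name, f"{key[0]}/{key[1]} exposed to {r.source}; not on internet allow-list"))
    return findings


def flagged_names(rules: List[Rule], today: date) -> Set[str]:
    """Convenience view of `audit`: just the names of rules that need attention."""
    return {name for name, _ in audit(rules, today)}


# Constructed rule set resembling a cloud security group for a web tier and a database tier.
SAMPLE_RULES: List[Rule] = [
    Rule("web-https",   "tcp", 443,  "0.0.0.0/0"),
    Rule("legacy-ssh",  "tcp", 22,   "0.0.0.0/0"),                      # SSH open to the world
    Rule("vendor-rdp",  "tcp", 3389, "203.0.113.0/24", date(2015, 12, 31)),  # temporary, now expired
    Rule("db-from-app", "tcp", 5432, "10.0.1.0/24"),
    Rule("db-exposed",  "tcp", 5432, "0.0.0.0/0"),                      # database reachable from internet
    Rule("bastion-ssh", "tcp", 22,   "10.0.0.0/16"),
]


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES, date(2016, 3, 2)):
        print(f"{name}: {reason}")
```

Run on the review date shown, the audit flags `legacy-ssh`, `vendor-rdp` and `db-exposed` and passes the three rules that match the allow-lists. The point of the white-list shape is that a new rule is a finding until someone adds its port to the list, which is the "keep things simple" discipline the slide asks for.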

  20. Learning Objective 4: Defense in Breadth - People
      People (your controls)
      • Security awareness training
      • Social engineering drills
      • Background checks
      • Proper onboarding and offboarding
      • Sanctions
      • Workstation security
      Cloud Service Provider
      • Security awareness training
      • Social engineering drills
      • Background checks
      • Proper onboarding and offboarding
      • Sanctions
      • Workstation security
