Securing healthcare data and applications across a mix of cloud platforms

About five years ago Genomic Health began to introduce cloud-based business applications. Ken Stineman, senior director of enterprise architecture and security, quickly became aware of the security risks these apps posed.

CSO contributor Bob Violino recently interviewed Stineman on the topic of cloud security.

CSO: Please describe your organization's cloud environment, including the types of cloud services and how the company is using the cloud.

Ken Stineman, Genomic Health: Public and private cloud services have become a strategic part of Genomic Health’s information technology strategy. We initially leveraged public cloud providers for commoditized Internet infrastructure services such as spam filtering, domain naming services and worldwide content distribution. Over the past three years we have significantly expanded our cloud bias and use of software-as-a-service [SaaS] applications. We now utilize more than 20 SaaS providers for key business applications including payroll and human resources, expense reporting, performance management, project management, learning management, document collaboration, identity management, financial analysis, retirement planning, applicant tracking, and stock options management.

We are in the process of expanding our hybrid cloud and accelerating our use of public and virtual-private Amazon Web Services and Microsoft Azure. These cloud providers will be essential to providing burstable high-performance compute, storage and messaging for our world-wide laboratory business. We are in the process of migrating our on-premise ERP and CRM solutions to a private cloud SaaS provider.

CSO: What assurances have your cloud providers given you that the data is protected?
Stineman: As a healthcare provider and lifescience company, the security and privacy of patient information and intellectual property is critical. We conduct security assessments of our vendors and ensure they have certified processes such as SSAE16 and/or ISO and review their security whitepapers, business continuity and encryption processes. Our contractual commitments must include physical, technical, and administrative safeguards, as well as data breach notification.

We have been extremely cautious and careful in our plans to store health information in the cloud. We require encryption or healthcare business associate agreements with cloud vendors who process or store protected health information. Cloud vendors are just beginning to be positioned and ready to commit to HIPAA, HITECH, and international data protection requirements.

CSO: What concerns do you have about emerging security threats and cloud technology flaws?

Stineman: Coordinated denial of service attacks and cybercrime networks characterized as advanced persistent threats are both concerns for Genomic Health. At the same time, our greatest risk and entry point for malware continues to be social engineering attacks such as spearphishing and Web-based trojans [through which] users inadvertently introduce malware to our networks.

We are concerned that cloud providers today do not offer a consistent set of protections, monitoring, encryption and vulnerability threat detection. Especially from smaller providers, we continue to find failures in best-practices in password security. Many of these vendors do not take full responsibility in their contract agreements for the security of information.
Premier cloud providers have made extensive investments in security and have applied more dedicated engineers, auditors, code review and deep security process to better secure virtual machines, harden their networks and keep their platforms patched.

CSO: Are your organization or its cloud providers doing anything to shore up security in light of these emerging threats, and if so what?

Stineman: Security awareness training of employees using cloud and social networking services is critical. Traditional firewalls and anti-virus end-point protection continue to be essential, but they are no longer sufficient to protect against emerging threats. IPS/IDS, log monitoring, security event correlation and 24×7 security monitoring are essential to detecting and responding to intrusions on our network. Malware content filtering using technologies on premise and in the cloud for laptops has become an indispensable part of our defense-in-depth strategy. Automated vulnerability scanning of our Web properties using services, human expert vulnerability testing, OS patching, and application vulnerability patching have also become critical to securing weak spots.

CSO: What are some best practices you'd recommend for improved cloud security?

Stineman: Understand what data you will be storing in the cloud and assess the risk to your business and customers if that data is breached. Select a provider to consolidate the identity and access management and facilitate centralized employee access to your cloud applications. Ensure your cloud vendor contract includes specific terms requiring timely notification of security failures and information breach. Require your cloud vendor to share their vulnerability assessment results or collaborate with them to execute your own due-diligence vulnerability tests. Provide ongoing security awareness and social media training to your employees.