Secure in the Cloud: What You Need to Know About the Cloud Before Taking the Plunge – Part 2

As the life sciences industry is discovering, the cloud presents many opportunities for improvement enabled by fast deployment, delivery and scaling of IT resources, but that doesn’t detract from some nervousness – whether valid or not.

By Dawn Waite, Manager, Life Sciences in the Cloud

In my last blog I spoke about concerns over validation and compliance, as well as an often-overlooked issue – extricating yourself from an agreement with a vendor.

This week I’d like to do a little myth busting around the much-discussed topic of security while also addressing some valid concerns. I’ll also talk about the important issue of location – does your cloud vendor have the scale you may need to respond to specific location requirements?

Will my system be safe in the cloud?

It’s not uncommon for companies to be concerned that their data will be less secure if it’s not in their own environment. In reality, the larger, more experienced cloud vendors work with many industries that have very strict security requirements – such as the financial industry and government organizations – and will likely have employees who are specifically dedicated to security. In CSC’s case, for instance, we have a dedicated cybersecurity practice that is skilled in securing cloud environments.


However, it’s a valid question and to my mind companies looking to move into the cloud should have a clear understanding of their vendor’s security credentials. I’d recommend pharma companies request a security audit, which provides a thorough examination of the cloud vendor to ensure requirements are met. This is a process that is commonly done for a company moving into the cloud, but we have also done security audits that assess how vendors support security within their organization: how is it managed, what checks and balances do they have in place to ensure security, and what technology do they have to support the security aspects? Asking a vendor to complete a well-defined security audit is valuable for any company thinking of moving into the cloud.

It’s also worth checking what types of clients the vendor hosts: do they host mainly consumers or is it businesses, and if so, what type of businesses? Do they have like-minded organizations with regulatory constraints, such as others in the pharma or healthcare sectors, or the highly regulated financial and government sectors?

But one myth that continually crops up is that multi-tenant cloud solutions are vulnerable and that there is a risk that one client’s data can bleed into another’s or that your data could be accessed by another client. Let’s be quite clear – for experienced cloud vendors this is simply not the case. Companies should ensure that the cloud vendors they are reviewing design their multi-tenant systems so that each client is entirely isolated from others through secure firewalls. There are various ways the security and isolation of data are managed, but suffice to say it would be extremely difficult for an attack to be triggered from another client in a multi-tenant cloud environment if it’s designed in the correct way. On top of this, the most experienced cloud vendors offer dedicated compute and networking options to further alleviate risk.

Do I get a choice about where my system is based?

While data in the cloud can be accessed anywhere, anytime – with the relevant security checks and balances, of course – the data itself should be able to be held in a specific location.

For a number of life sciences companies the location of the data warehouse does matter. For example, a lot of European pharma companies prefer – or are required – to have their systems housed in Europe. Where these concerns are important, a priority should be to confirm that a vendor has the ability to house data in the country of choice or that they adhere to the U.S.-E.U./Swiss Safe Harbor framework. In the United States, we have life sciences clients that have been specifically told by the governing body that they have to have their data based in the United States due to the product in question. Not only that, but they must ensure that only U.S. personnel can access their data for any reason – be that support or business processes.

One of the beauties of the cloud is that you can have people worldwide supporting your infrastructure. Being subject to a high level of scrutiny could make it very hard for small vendors to provide the necessary support, since it requires resourcing in one country or region 24 hours a day, 7 days a week, 52 weeks a year. This is costly because it means hiring staff to work specifically on that account to secure both the data center and disaster recovery.

A further consideration is that while you may require your data center and disaster recovery site to be kept in the same country or region, you still want enough distance between the two to avoid potential issues.

For example, we had a situation where we thought we’d have to go into disaster recovery because of a massive storm due to hit the U.S. East Coast. Our whole cloud team geared up for potential issues that could affect the data center including loss of power – both the primary source and auxiliary power – and possible flooding. Our team was on standby to flick the switch to disaster recovery if need be. As it turned out, the data center stood up in that storm extremely well while other businesses around it went down. But the point is that if the data centers were only a few miles away from one another, that could have been a potential issue for any client involved. That’s why you want to be sure that your vendor has the capacity to support data centers and disaster recovery in well-spread-out locations, for example, across the U.S. East Coast, West Coast and Midwest, and in multiple countries in Europe.

Certainty Required

The priority for companies will be to determine that their cloud vendor takes the protection of their data as seriously as they do and has the scale to manage their needs. In reality, a cloud vendor can often do a better job in terms of security – and at less cost – simply because of the experience they have accrued in supporting secure infrastructure for other clients.

For those of you coming to the Transform Conference in Orlando, Florida, at the end of the month, you’ll have an opportunity to hear more about cloud deployment. I also encourage you to sign up for the webinar: “RIM in the Cloud: Life Sciences Companies Enter New Era” to be held on November 17, 2015.

 
