Welcome!

Open Source Cloud Authors: Elizabeth White, Jyoti Bansal, William Schmarzo, Pat Romanski, Derek Weeks

Blog Feed Post

Cloudy with a Chance of Pharma Security

pharmaceutical compliance HIPAA Compliance Cloud Security Cloud HIPAA Cloud Encryption  pharm cloud security Cloudy with a Chance of Pharma SecurityCloud computing changes the way companies consume IT resources. It shifts the burden of purchasing and maintaining IT infrastructure to specialized IT providers and allows the users to pay only for the resources they need, when they need them. In this new paradigm, cloud security is a top concern.  Companies want to reap the benefits of cloud computing, but are often hesitant because of concerns about security and compliance. In the 21CFR11 regulation, the FDA focused on requirements for ensuring electronic record integrity, accuracy, and availability for agency review throughout the retention period.  The regulation emphasizes record protection from unauthorized access and system validation. Other international agencies have similar regulations. This article captures key points from an interview with Gilad Parann-Nissany, a cloud security pioneer. He addressed some hard questions that have been the main obstacles to getting more regulated healthcare and life sciences companies to adopt cloud infrastructures.

Gilad Parann-Nissany built SaaS Clouds for medium and small enterprises and contributed to SAP products reaching more than 8 million users. He created a consumer Cloud at G.ho.st – a cloud operating system that provided browser-based and mobile access to data, people and applications.  He is now CEO of Porticor, a cloud security company.

AG: We realize the benefits of public clouds, mainly our ability to use and pay for what we need at any given time and not having to deal with the hassle of buying and managing our own data centers, but is there a way we can truly trust that our systems are still compliant with FDA regulations and our data is secured in a public cloud and is protected to ensure record integrity and confidentiality?

GPN: Yes, the FUD is that public cloud seems open to hackers, corporate spies, government surveillance, and the like. When you analyze this perception, it comes down to the fact that people are used to having walls around their servers and data storage. In the cloud, you manage your servers and disks using a browser, and the concern is that the bad guys can access you servers and disks with equal convenience. It’s actually a reasonable concern.

Yet there is a serious way to replace walls.  Strong data encryption, of course, is the accepted best practice.  Basically you are replacing physical walls with mathematical walls. If you do it right, you end up more secure in the cloud then you would be at the typical company.

You must choose the right encryption techniques. Once your data is encrypted, the management of the encryption keys becomes critical.

If you encrypt your data and store your encryption keys in the same place, the keys become vulnerable to the same threats.  If you give the keys to your cloud provider, then you have lost control of your data. People worry whether cloud provider employees are trustworthy, and of course from a regulatory point of view – you are simply not allowed to farm out ownership of your sensitive healthcare data. So the way to keep ownership and still enjoy the cloud, is to encrypt data and keep ownership of your encryption keys.

A technical solution to this need is split key encryption.  It’s like the safety deposit box systems, which have two keys.  Your data is encrypted, and the encryption key is split into two parts where one part is held only by you.  Both parts are always required to access the data.  This way, only you control your data and the public cloud becomes effectively private and confidential.

AG: Regulatory agencies require that electronic records be available for inspection throughout their retention period, which can be many years. Is it possible to ensure record availability in 15-20 years, considering technology changes and the risk that the vendor will no longer provide the service?

GPN: The possibility that technology will change or that a vendor will stop providing the service does of course need to be taken into account. The most basic answer involves ensuring ease of copying out data and meta-data from one solution and into another.

Copying out your terabyte of data to some new place may take some time, yet it’s not something you do every day. The important point is to ensure that your technology of choice, and your vendor of choice, make it possible if necessary. This should be a standard operation – for example, for copying out data, it is best to ensure that standard copying commands are available; for copying out meta-data, ensure you have standard APIs, such as RESTful APIs.

You do need to be thoughtful choose the right approach to the cloud, but for the typical small to medium company – building out such capabilities yourself is ridiculous compared with the price/performance of the cloud solution.

AG: For validated systems, will adding a security layer require revalidation of the applications?  Will it modify the way our applications handle data? Will the applications require any modification?

GPN: By default, the best solutions out there will give you a transparent encryption and key management solution. They should also allow you to do something special (with an API), if that is justified by your needs – but they should not require it.

Your chosen security solution should be able to be inserted transparently between the application layer and the data layer. Deployment models could be as an agent (which you install on your servers, but does not change your application), or as a Virtual Appliance (which does not touch your servers at all, and is available as a virtual machine running independently in your cloud). Good solutions will offer both options and let you choose.

AG: Are security technologies platform independent? Will adding a security layer require us to limit our systems to certain platforms?

GPN: The good ones will work on all the major cloud platforms and with all the major operating systems (Windows, Linux, Unix, etc).

AG: Will the cost of adding a security layer negate the cost benefit of using a cloud?

GPN: Hell no. But you need to choose right. Some vendors out there are trying to sell you the old economic model even when you move to the cloud, which means in practice a high up front cost for getting a solution. You should look for a solution that is pay as you go, so that you pay only for what you use and only when you use it. That’s the cloud economic model, it should be a no brainer. If you select right – you’ll actually end up better than before.

Cloud security and Cloud encryption can protect your data in the public cloud, and meet the regulatory requirements. Bottom line, for many of the Healthcare workloads out there, it is a strong and secure contender.

The post Cloudy with a Chance of Pharma Security appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

@ThingsExpo Stories
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
SYS-CON Events announced today that CA Technologies has been named “Platinum Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business – from apparel to energy – is being rewritten by software. From ...
What sort of WebRTC based applications can we expect to see over the next year and beyond? One way to predict development trends is to see what sorts of applications startups are building. In his session at @ThingsExpo, Arin Sime, founder of WebRTC.ventures, will discuss the current and likely future trends in WebRTC application development based on real requests for custom applications from real customers, as well as other public sources of information,
SYS-CON Events announced today that Infranics will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Since 2000, Infranics has developed SysMaster Suite, which is required for the stable and efficient management of ICT infrastructure. The ICT management solution developed and provided by Infranics continues to add intelligence to the ICT infrastructure through the IMC (Infra Management Cycle) based on mathemat...
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
Now that the world has connected “things,” we need to build these devices as truly intelligent in order to create instantaneous and precise results. This means you have to do as much of the processing at the point of entry as you can: at the edge. The killer use cases for IoT are becoming manifest through AI engines on edge devices. An autonomous car has this dual edge/cloud analytics model, producing precise, real-time results. In his session at @ThingsExpo, John Crupi, Vice President and Eng...
The taxi industry never saw Uber coming. Startups are a threat to incumbents like never before, and a major enabler for startups is that they are instantly “cloud ready.” If innovation moves at the pace of IT, then your company is in trouble. Why? Because your data center will not keep up with frenetic pace AWS, Microsoft and Google are rolling out new capabilities In his session at 20th Cloud Expo, Don Browning, VP of Cloud Architecture at Turner, will posit that disruption is inevitable for c...
In the enterprise today, connected IoT devices are everywhere – both inside and outside corporate environments. The need to identify, manage, control and secure a quickly growing web of connections and outside devices is making the already challenging task of security even more important, and onerous. In his session at @ThingsExpo, Rich Boyer, CISO and Chief Architect for Security at NTT i3, will discuss new ways of thinking and the approaches needed to address the emerging challenges of securit...
SYS-CON Events announced today that Loom Systems will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2015, Loom Systems delivers an advanced AI solution to predict and prevent problems in the digital business. Loom stands alone in the industry as an AI analysis platform requiring no prior math knowledge from operators, leveraging the existing staff to succeed in the digital era. With offices in S...
There are 66 million network cameras capturing terabytes of data. How did factories in Japan improve physical security at the facilities and improve employee productivity? Edge Computing reduces possible kilobytes of data collected per second to only a few kilobytes of data transmitted to the public cloud every day. Data is aggregated and analyzed close to sensors so only intelligent results need to be transmitted to the cloud. Non-essential data is recycled to optimize storage.
In his General Session at 16th Cloud Expo, David Shacochis, host of The Hybrid IT Files podcast and Vice President at CenturyLink, investigated three key trends of the “gigabit economy" though the story of a Fortune 500 communications company in transformation. Narrating how multi-modal hybrid IT, service automation, and agile delivery all intersect, he will cover the role of storytelling and empathy in achieving strategic alignment between the enterprise and its information technology.
"I think that everyone recognizes that for IoT to really realize its full potential and value that it is about creating ecosystems and marketplaces and that no single vendor is able to support what is required," explained Esmeralda Swartz, VP, Marketing Enterprise and Cloud at Ericsson, in this SYS-CON.tv interview at @ThingsExpo, held June 7-9, 2016, at the Javits Center in New York City, NY.
As businesses adopt functionalities in cloud computing, it’s imperative that IT operations consistently ensure cloud systems work correctly – all of the time, and to their best capabilities. In his session at @BigDataExpo, Bernd Harzog, CEO and founder of OpsDataStore, will present an industry answer to the common question, “Are you running IT operations as efficiently and as cost effectively as you need to?” He will expound on the industry issues he frequently came up against as an analyst, and...
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem" ...
SYS-CON Events announced today that HTBase will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. HTBase (Gartner 2016 Cool Vendor) delivers a Composable IT infrastructure solution architected for agility and increased efficiency. It turns compute, storage, and fabric into fluid pools of resources that are easily composed and re-composed to meet each application’s needs. With HTBase, companies can quickly prov...
Keeping pace with advancements in software delivery processes and tooling is taxing even for the most proficient organizations. Point tools, platforms, open source and the increasing adoption of private and public cloud services requires strong engineering rigor - all in the face of developer demands to use the tools of choice. As Agile has settled in as a mainstream practice, now DevOps has emerged as the next wave to improve software delivery speed and output. To make DevOps work, organization...
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
China Unicom exhibit at the 19th International Cloud Expo, which took place at the Santa Clara Convention Center in Santa Clara, CA, in November 2016. China United Network Communications Group Co. Ltd ("China Unicom") was officially established in 2009 on the basis of the merger of former China Netcom and former China Unicom. China Unicom mainly operates a full range of telecommunications services including mobile broadband (GSM, WCDMA, LTE FDD, TD-LTE), fixed-line broadband, ICT, data communica...
SYS-CON Events announced today that MobiDev, a client-oriented software development company, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MobiDev is a software company that develops and delivers turn-key mobile apps, websites, web services, and complex softw...
SYS-CON Events announced today that Cloud Academy will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloud Academy is the industry’s most innovative, vendor-neutral cloud technology training platform. Cloud Academy provides continuous learning solutions for individuals and enterprise teams for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most popular cloud computing technologies. Ge...