Migrating to the Cloud: 4 Considerations for CISOs

March 28, 2019

 

Migrating to the Cloud: 4 Considerations for CISOs

Flexibility, speed, scalability, security, and decreased infrastructure and maintenance costs all contribute to the allure of migrating to the cloud. But while the cloud offers benefits, healthcare providers may be cautious when it comes to keeping data on somebody else’s servers.

From evolved insider threats and drug diversion to identity theft, ransomware attacks, and widescale data breaches, care providers face robust challenges to securing patient data and maintaining privacy and compliance. When it comes to migrating to the cloud, a CISO’s No. 1 concern is often losing control of their data. A multi-layered approach to security, then, is a baseline requirement for healthcare organizations migrating to the cloud.

Below are four key questions to consider on your journey to the cloud.

#1: Whose responsibility is data security?

There’s a common misconception that the cloud service provider is responsible for the security of your data. But keeping data secure in the cloud is a shared responsibility. While you should understand and ensure your cloud service provider’s security controls, SaaS vendors are typically only responsible for their software’s security. It’s important to give them as much information as possible about your security requirements so they can tailor their approach to your data. You can then monitor access to your cloud application to ensure that your data is being accessed appropriately.

#2: Where is my data located?

Make sure you’re partnering with a cloud service provider or vendor who understands the importance of your data’s geographic location. Knowing where your data is located is important to maintaining compliance with industry and federal regulations that address cross-border information flow. In addition, you should make sure your data is in a location that ensures fast delivery time. If it’s too far away, there may be a latency, which could end up affecting costs.

#3: What security certifications does the vendor or cloud service provider have?

All healthcare organizations must adhere to industry regulations and standards like HIPAA. Make sure, then, that your vendor’s security and technical controls can be verified through certifications such as ISO 27001, SSAE-18, SOC 2 Type 2, SOC 3 Type 2, and more. Vendors and providers with reputable certifications offer third-party evidence that they understand and take your data security seriously.

#4: Can you support a multi-cloud strategy?

The average enterprise may utilize as many as 91 different cloud applications, according to RightScale. The ability to add/drop services and scale and meet shifting cloud resources is imperative to your cloud strategy. When it comes to choosing these cloud vendors, choose one that can integrate with other applications to gain deep insights and gather the most value from your investment.

Maintaining security while moving data to the cloud may be different for each organization. No matter the size of your organization or your industry, cloud security is an ongoing challenge with a multitude of variables. We exist in an era with infinite cyber-security threats, from ransomware and DDoS attacks to insider threats. Ensuring data protection and cloud security is a baseline imperative to the survival and prosperity of your organization.