Dark Clouds on the Horizon: Managing Cloud Security Risks

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:19] Welcome to CyberPHIx, the audio resource for information security, privacy and governance, specifically for the health care industry. I'm your host, Brian Selfridge. Each episode, we'll be bringing you pertinent information from thought leaders and health care, information, security and privacy. In this episode, we'll be speaking to Dan Bowden. Dan is the VP and CEO of Sentara Health Care. I will be speaking with Dan about managing cloud security and cloud risk management for large and complex health care ecosystems. We'll talk about shared security control models, managing cloud inventory and shadow I.T., third party risk management, risk reporting and tolerance so much more. Let's get into it.

[00:01:02] I'd like to welcome my guest, Dan Bowden, Dan is the VP and CEO of Sentara Health Care. Sentara is a diverse, not for profit family of 12 hospitals, an array of integrated services and a team of nearly thirty thousand strong on a mission to improve health every day. Prior to Sentara, Dan has held multiple leadership positions, including serving as the CISO of the University of Utah Health Care and the University of Utah, as well as the VP of Information Security at Zions Management Services. And he's also served in the United States Air Force. Thank you for your service, sir. Dan holds more accolades than we can list here, including being noted as one of the top 100 global CISOs in 2017. And he holds executive advisory board positions with Tenable CyberMDX, RedShield and Intruno. And his current areas of focus include next generation identity, governance, SecOps, mobile and enterprise cloud platforms and business solutions on Blockchain for health care. So I know that's not all he does, but we're going to talk at least about one of those areas today, and that's around cloud platform security and cloud risk management specifically and whatever else we dive into. So, Dan, that's a mouthful, but thank you so much for joining us on the CyberPHIx Day. Really appreciate your time.

Dan Bowden: [00:02:11] My pleasure. Thanks, Brian.

Brian Selfridge: [00:02:12] So let's talk about cloud security. With the migration of really critical patient care and financial systems to the cloud, it's no longer just these ancillary systems. It's the it's the big platforms into into cloud and third party hosted environments. Has the risk conversation for you or the team or the executive shifted at all with the business around cloud being more of a patient safety or an availability risk versus a traditional kind of HIPAA breach compliance focus as the conversation shifted at all.

Dan Bowden: [00:02:42] So I think I think you have to define what shifting means in terms of the the tools that we use for securing our cloud infrastructure versus on premise infrastructure. Those are different. And Sentara we were already investing a lot in go into public cloud infrastructure before 2020.

Dan Bowden: [00:03:05] And so I think, you know, we we'd already sort of bought into what we need to do. There are always things you're trying to do to improve. Right. As I think things continue to scale and you deploy more capabilities into the cloud in terms of conversation shift, I think of it more of just an evolution rather than a revolution. So, you know, the conversations changed, but it didn't feel like.

Dan Bowden: [00:03:31] It was a news flash, right, there wasn't it wasn't because it wasn't breaking news, it was, you know, things the way we manage this infrastructure is going to be different than how we manage on premise infrastructure. And so I think, you know, regarding our services, we did learn a lot in the month of March, like everyone else, that when millions of maybe not millions, but tens of thousands of new subscribers are rushing in to cloud to accommodate work from home, their digital and mobile apps getting hammered harder than they ever have before.

Dan Bowden: [00:04:07] We did learn there were some new things to do to get a hold of and understand in terms of managing availability and how we scale out and how we grow.

[00:04:17] And so it was overall a very good experience for us. We had the telework angle where like a whole bunch of organizations, we spent a significant chunk of our workforce home. And so we had to decide, you know, how were we going to facilitate their access to resources. And the good news is between the security team and the infrastructure team, we'd already invested a lot into building the models and we we knew what we were going to do. It was just a matter of finding enough laptops and building a little more VPN capacity, etc. And how to how many windows, virtual desktops can we crank out? And so there's a big scalability in terms of patients. We had to do telehealth better than we'd ever done it before. And I think that was a big success as well. We we exceeded our goals for mobile app downloads because that was one of the ways we deliver our telehealth solution. And we blew away all of our goals for telehealth encounters. Really, by the time we got to April, all those goals were or exceeded in a huge way. And so it was in terms of the shift, it's it's a it is a shift. But hopefully organizations are talking about it in a way that it feels like an evolution rather than a revolution.

Brian Selfridge: [00:05:47] Have there been specific platforms that you've had to focus on recently with the telehealth coming up? Are you are you down to one platform in particular and really zeroed in on a couple of key high risk cloud environments? Or is it the traditional Office 365 or the things where you put in your energy mostly these days?

Dan Bowden: [00:06:04] It's interesting right there. SaaS platforms. Right. And then there's the platform as a service, infrastructure, as a service. We we do all of the above. And so, you know, depending on what we're we're trying to do, we are our public cloud things we're working on. We're we're we're moving our data center workloads into the cloud. We've been working today mainly with Microsoft Azure.

Dan Bowden: [00:06:34] It's it's been more of an opportunistic situation there, the relationship with Microsoft, but wouldn't surprise me if in the future we look at other cloud providers as well. But the SaaS solutions, we use the vendor we work with, we don't really dictate where they choose to host. You know, most people don't tell Workday which cloud provider they're going to use. Right. But so those those solutions are what they are. But today we've been for the things that we can choose all of our public public cloud, our workloads that we build and manage. We've been doing that.

Brian Selfridge: [00:07:12] Have you had to adjust your third party risk assessment strategies at all relative to which cloud provider the vendors are using? Are you sort of digging deep on on the specific platforms or how are you handling sort of the due diligence side of things?

Dan Bowden: [00:07:29] Well, it's it's an interesting question. I think, you know, it's been tough. The whole third party and vendor vendor management has been a challenge for years. Right. We've all been talking about what to do with it and how to do it better. And I'm we're starting to maybe back up a little bit, focus more on the the presence and use of critical controls. Most in 2020. Most of the calls I've sat in on with vendors or folks we partner with on security incidents, two factor authentication would have stopped the threat. And then that's usually a vector that gets in. And so what we're trying to say is, do we? Do we spend a lot of time learning to evaluate each and every cloud platform, or do we ask whoever we're partnering with or the service provider to demonstrate it, requiring two factor authentication for all remote access? Right. Boom. That's one critical control. Everyone without elevator privileges is managed through a privilege access management solution, right? Well, there's not a critical. And so on and so on. And so maybe depending on the value of the relationship, we focus on controls around confidentiality, integrity and availability and individual ability. Things may or may be more just assurances, questions about business continuity, disaster recovery, things like that. And so we're continually evolving our view on that. And I'm we're we're a lot better than we were three years ago.

Dan Bowden: [00:09:24] But we're going to have to get better again, evaluating how we how we communicate and evaluate third parties that we work with.

Brian Selfridge: [00:09:33] I want to talk about the shared responsibility aspect of cloud controls a little bit. There was the Cloud Security Alliance put out a report this month that was talking about it, cited a statistic that said by twenty twenty five, ninety nine percent of cloud security failures will be the customer's fault, which I sort of chuckled at. But there's some legitimacy to that. You tell us a little bit about the shared security controls and how you manage apart from third party due diligence.

Dan Bowden: [00:09:59] But once you sort of have this ecosystem in place, which which are some of the controls that you've really focused on owning and managing and overseeing from a shared responsibility side of things, I think that that statistic I think what it means is and for anyone who's looked at those shared accountability models, what it means is the way Amazon, the way Microsoft, Oracle, Google, IBM, etc, the way they manage that cloud infrastructure, they are not going it's not going to be them that gets beat. It's going to be the way you use the infrastructure as a customer. And so I believe the number I believe 99 percent. And then just big picture, there have only been in the past the past five years, only a couple of instances I can think of where the cloud provider actually was, the weak spot. And so it's still today. I mean, it's ninety nine percent today. So they say, in my opinion, they say by 2025 to 95 percent. In my opinion it's that already. But that's where you're going to get back to those what are the critical security controls. And I think the, the, the idea of passwords and our education needs to be uplifted. Privilege access needs to be uplifted, identity proofing needs to be uplifted, vulnerability management, etc. And so I believe in and the customer understanding that just because I'm paying Amazon or Azure or someone else for infrastructure doesn't mean that everything's everything's secure. And if you're not using a SaaS, then you have a whole bunch of work to do for security using SAS. You know, you got to do some some work with the app and authentication and identities and and things like that. But any other model where you're using someone else's data center, you better understand everything you have to do.

Brian Selfridge: [00:12:00] Let's talk about inventory a little bit, particularly of inventory of cloud providers and capabilities. It seems like inventory and health care inventory management is one of the toughest challenges in general. We've got medical devices, IoT stuff all over the place. We've got now this this sort of proliferation of cloud ecosystems vendors that we're relying on. Can you give me a sense of what are some of the ways that you're trying to grapple with that and understanding which cloud providers are being used by the business either authorized or shadow it? And how do you get a handle on that and prioritize which ones to pay attention to with your limited time energy?

Dan Bowden: [00:12:37] I mean, you just have to get the the tools in place, right. And manage all of your your connectivity to figure that out. So you need to get things like a CASB technology. You need to make sure that you're you're managing all of the the connectivity of the endpoints that you support so that you know and discover where everyone is, where you're going with services they're using. And anyone who hasn't done either use the CASB and see the inventory or see the cars being seen in inventory. I promise you'll be surprised at it unless you have one of those. Really?

Dan Bowden: [00:13:23] Default the night nobody goes anywhere except for the sites we allow through our proxy, which are very many places like that, and if you have a generally open proxy, even if you're you're trying to block malicious content and other categories you don't like, you'll end up being pretty surprised at where people go. So you just have to buy the tools to do it or go through implementing some sort of a default deny posture on how you manage access to the Internet.

Brian Selfridge: [00:13:58] So when you first turn it on, the CASB,  were there any surprises that you saw there? We won't we won't name any names specifically, but anywhere that you were like, wow, I had no idea that was that was going on.

Dan Bowden: [00:14:10] I think just the sheer number. Right. I think when you like your IT team and others will put a number on it. Right. And I bet we go to these seven hundred places and then the actual number ends up being closer to seven thousand. And a whole bunch of them are things you don't you don't you didn't know about but you don't care about. But there are a lot of them that, they're using a lot of people. The most most concerning often are the the things people are using to facilitate work and collaboration. And it's free. But they don't understand, you know, they don't read the end user license agreement that says, hey, if you you edit photos on our site, we keep the photo copy of the photo or PDF editors, things like that. So you have to find all those and then go figure out how are they being used, why were they being used, what God put out there? And those are the ones that probably generate the most overall work. The CASB will will read list things until you right away. These are these are obviously really bad. You better go check these out. It's those things. And so you can act on those pretty quickly. One one big policy implementation and some some forensic work and you can figure out what your situation is there. It's all those things in the middle that, you know, maybe it's not a known malicious site, but it's a service you wish your people weren't using for the purpose that they're using, apart from chasing them down one at a time and doing whack a mole with as they crop up.

Brian Selfridge: [00:15:53] Is there anything you're doing or I recommend you would recommend people do proactively, either in terms of education, training and awareness to try to let the workforce know, hey, you know, even in this post COVID remote environment, there's still some do's and don'ts. How do you handle it?

Dan Bowden: [00:16:08] I think things have improved a lot. Three, four or five years ago, a whole bunch of people didn't know that when they they edited a PDF on a website, they they still thought it was all on their computer. They didn't they didn't realize or they thought it was on their phone or something. So education has moved a lot where people now understand that. And we're in everyone's kind of tweaking DLP policies and other things to sift things out and report back to the person.

Dan Bowden: [00:16:41] Hey, this appears to be sensitive information or something like that to trigger it. So the general population is more educated about it, but you still have to continually make them aware of every website. You go to a whole bunch of organizations. Some are very, very hard, hard lines on the default, deny what people can go to. Other organizations are pretty open. And if you're pretty open, you need to do more training awareness and you need to do more watchable, more and more log checking, more reporting and more whack a mole. So it all depends on on the organization and what the risk tolerance is.

Dan Bowden: [00:17:20] And it's is is one better than the other? You know, I said I going to ask the the end user and sometimes you've got to ask the security team. Right. Which is better. But there are trade-offs either way. But if you're not if you're not in the default, deny where everything is perfectly managed, everything you want to whack a mole and you're going to have to do so from a security strategy perspective.

Brian Selfridge: [00:17:47] I want to sort of zoom out a little bit from the tactical. You've got your overarching information security and risk management strategy, got the critical controls that you're focused on internally with vendors. OK, do you have a cloud specific strategy or some sub-component that says here is how we're going to deal with cloud environments from now or going forward? Or is it just we just apply the overall strategy and and and it's permutation and cloud will just play out like how how specific are you getting at that level?

Dan Bowden: [00:18:15] I guess it's an interesting question and I'll choose how I decide to answer it. Right.  Our tools and platforms that we use for securing our cloud infrastructure aren't the same as what we use on prem. There's very few of the tools that overlap and are used on both sides. And so we we we just build the new that's our new model. We work with our infrastructure team and and define how does our that was our data platform accessed and secured in public cloud. How are all of our our applications, if they're consumer facing or if their business applications? How do we put those together? And so we we do build and manage a new architecture and a process for you know, if you think of that concept of infrastructure as code, we we look at that a lot and we're not definitely not perfect at it yet. And and it's still have some evolution to do. But we try to adopt a lot of those concepts of really good configuration management, automation of builds so that we keep things consistent and then we check that they're consistent and that's standardization. And automation of configurations is a great place for the security team to start from. You know, if they if they know they can run a compliance scan every morning. And what's what did anything change? Was anything added? If it was, why that's that puts you in a great spot. And we've been able to move in that in that direction with our our cloud and public cloud. And so I think it's you should look at it as an opportunity. Right. To do to do the things you wish you were doing before or undo the things that you regret doing before with that validation, a configuration of the platforms either internally hosted or vendor hosted.

Brian Selfridge: [00:20:29] Apart from the scanning, are you are you doing tests yourself of those environments as well? Or are you requiring the vendors to give you evidence that they've they've tried to break down the walls and test those configurations?

Dan Bowden: [00:20:44] We test or pay for testing ourselves and have multiple firms that we work with. So any any of our public thoughts stuff, any of our our applications that we build with the providers. Right. The providers, others, it's a different, tougher conversation. I haven't had a lot of success and haven't necessarily pressed to say I want to do a pen test of your work day. I'm pretty sure I read the contract. I know that they'll tell me and it's not OK when it's they a lot of them want to produce evidence like it's OK to type to or some other some other validation of controls and and provide that. We accept that.

Dan Bowden: [00:21:44] And so that's the internal risk tolerance discussion you have is, hey, you know, such and such organization. And then there was one recently, a well known organization that suffered a security incident, ransomware hit. And they've got stock to talk to, validation. They still got beat. Right. And so, you know what? We've got to ask yourself, what's what when is enough, enough and so on. These providers for SaaS and other things. I think that's where, you know, it's difficult to know because a pen test is a one as a snapshot.

Dan Bowden: [00:22:25] It's that day and something that wasn't vulnerable today can be vulnerable tomorrow. And I'm not saying don't don't do it if you can. I'm just saying it's what it's what happened today. It's today's news. It's not tomorrow's outcome. And and so that's the question.That's why I think we're we're starting to go back and say, OK, do we do we require some attestation of significant critical controls being completely deployed? I like to offer something else. We're we're trying to decide.

Dan Bowden: [00:23:03] I think a while back, you know, we all thought we're not asking enough questions to banters and third parties. Now, there's a big argument that we're asking too many questions. So let's just trust them with their high trust or trust them with their soft to type two. And then occasionally they still get. And so are we asking the wrong questions and so that's that's going to be a challenge.

Brian Selfridge: [00:23:29] But what about SLAs and contracts? I mean, do you pick on those one or two or three areas that are important and say, let's get that in the contract? Are we at that level of maturity yet as an industry or is that Workday's aside, maybe some of the vendors that will actually negotiate contracts with you?

Dan Bowden: [00:23:46] You have to, right. You have to go ask. And so we we have what we call our security exhibit. And so our general counsel attaches that security exhibit to all of the contracts about who it is. Right. Even the great big ones, like a workday or someone else. And and we know how it is.

Dan Bowden: [00:24:05] There's always when you get lawyers looking at things always and back and forth and some some discussion and red lining about what ends up surviving the contract process.But I think you have to you need as an internally, you need to communicate what your risk tolerance is. And that's what we do with the security exhibit, is where we're trying to communicate that risk tolerance. And I've been asking now, OK, we have so many vendors. I think that's a challenge we're having now is so many vendors. How do we catch up with all of them? How do we know that they are there some acknowledgement or how do we validate? That's always the hard thing with vendors. And so still a lot of work to do.

Dan Bowden: [00:24:49] But, yeah, you've got to you're trying to figure out how to put either an SLA or some kind of set some kind of a bar. I think it's I think it's dumb not to it's just a contract. And that's the problem with paper contracts. Right. Is enforcement. And and so that's the that's the challenge is how do we continue on and do that? But you've got to at least somehow communicate the bar, even if it's only on paper.

Brian Selfridge: [00:25:14] So risk tolerance is always a fascinating conversation for me because it varies from organization to organization and situation to situation. So how do you report the reality on the ground of the risk that you're seeing relative to cloud providers, that there's seven thousand of them? Maybe we'll pick that number from earlier and report that up in a meaningful way to the business to say what's what is acceptable for you? And and how do you articulate maybe your own expert opinion on where that should that should lay me. It seems like an art form. How do you how do you handle that?

Dan Bowden: [00:25:47] You know what it is? I think you've got to distill the message in such a way that it can be compared to risk tolerance. Right. So that's what we're trying to do, is there are a couple of tools we use where we present a a posture, sort of a scoreboard, and then we're going to start mapping that against what's the value of the relationship? What does it mean to us if there are some sort of an issue with confidentiality, integrity or availability of the data or the service? And sometimes it's data related and sometimes it's service related. If you're if your organization outsources revenue cycle billing and coding, if that service goes off off the air for hours or days, is that a problem? Right. And so you need to that's an availability issue that you need to account for. So that's what we're trying to figure out is the right way to distill that. And it's an ongoing discussion. We thought we were pretty close to had a third party with another issue that we didn't expect. They they kind of dealt with one of these things we set. All this captures the people who do this are all good. Well, we learned they're not OK. So so leadership came back and said, OK, then let's let's look at this again. So you're always moving, trying to kind of find where the focus should be. And I think so. That's the thing. It's not going to be the same for every organization either. And that's that's the that's the challenge of figuring out how to do that and how to do it for all the vendors that are in school.

Brian Selfridge: [00:27:35] Always a fascinating conversation. Dan, I appreciate you joining us. This has been an awesome discussion and thanks for everything you're doing to share your insights with our our audience here and figure out how to navigate 2020 and who knows what 2021 is going to look like.

Dan Bowden: [00:27:49] Brian, thank you for the time today and wish you and everyone very, very happy and safe days to come. Thank you.

Brian Selfridge: [00:28:07] Again, I would like to thank my guests, Dan Bowden, for sharing his insights on cloud security and risk management approaches. It's clear that we have a long road ahead of us, but putting the right tools and processes in place today can set us up well for the continued evolution of cloud and third party hosted platforms. As always, we'd like to have your feedback and hear from you. Our listeners feel free to drop us a note about what topic you'd like to hear about or thought you'd like to hear from. Our email address is CyberPHIx@meditologyservices.com. Thanks again for joining us for this episode of CyberPHIx. And we look forward to having you join us for a next session coming up soon.