Financial services companies as popular targets of cybercriminals for the obvious reason — they’re where the money’s at. And health care companies have medical records, which are very valuable on the black market since the information there can be abused in so many ways, and doesn’t expire.
HealthExpense, which provides health care payment services to banks and their enterprise customers, straddles both worlds.
“When we started, every new client asked us about security,” said Marco Smit, CEO at Sunnyvale, Calif.-based Health Expense.
“It has to do with the data we’re collecting,” said company CSO Ken Lee. “We are definitely bound by HIPAA compliance, and we hold all the personal health information and financial information.”
Meanwhile, due to the seasonal nature of the business, scalability was very important.
“We have open enrollment periods with one of our partners,” said Smith. “It’s in the fourth quarter, but people don’t start logging in and setting up their accounts until January, so our payments went up two times, and then another 50 percent in February. A year ago, we had one client put 1.2 million data records in within 24 hours — normally we get a few thousand. We’re in a business where peaks and spikes happen. Seasonal ups and downs happen.”
Another complication is that the service needs to be accessible via the Web, so that the end users — corporate employees — can easily log in to use the system.
The company opted for a cloud-based infrastructure, hosting everything with Amazon.
Security is multi-layered. There are local backups of end point devices, which are also copied to the cloud, with multiple versions of the backups stored so that the company can go back to previously saved content in case of, say, a ransomware infection.
Company data is stored in multiple Amazon locations, so that the recent outage in Amazon’s Northern Virginia region didn’t affect service availability.
Data is encrypted both at rest and in transit.
When we started, every new client asked us about security.
Then, for visibility into network traffic in the cloud environment, HealthExpense uses Alert Logic, which not only provides the application that HealthExpense uses to monitor all traffic, but also analytics and a security operation center.
“That’s a reduction in-house of the cost of the people I need to do the work,” said Lee.
The company is in the process of adding another level of security, two-factor authentication.
“Today, most of the logins are through single sign-on,” said Lee. “With our biggest partner, users log in through their site and get ported over to us. They have security levels on their end, before they come to our site. It’s very consumer-friendly, but on top of that we have more security layers post-login.”
Since HealthExpense is now expanding its platform to allow users to log in directly, more authentication will be needed soon, so the company plans to add two-factor some time this year.
But there’s another risk that the company is worried about, which will be a bit harder to address.
“That is the elephant in the room these days,” said Lee. “More and more companies are starting to move their services to the cloud providers. I see attackers trying to compromise the cloud provider to get to the information.”
If attackers can get into the cloud systems, that’s a lot of data they could have access to. But attackers can also go after availability.
“The DDoS attacks are getting larger in scale, and with more IoT systems coming online and being very hackable, a lot of attackers can utilize that as a way to do additional attacks,” he said.
And, of course, there’s always the possibility of a cloud service outage for other reasons.
The 11-hour outage that Amazon suffered in late February was due to a typo, and affected Netflix, Reddit, Adobe and Imgur, among other sites.
“From a sustainability and availability standpoint, we definitely need to look at our strategy to not be vendor specific, including with Amazon,” said Lee. “That’s something that we’re aware of and are working towards.”
The problem is that Amazon offers some very appealing features.
“Amazon has been very good at providing a lot of services that reduce the investment that needs to be made to build the infrastructure,” he said. “Elastic load balances and other services make it easy to set up. However, it’s a double-edged sword, because these types of services will also make it harder to be vendor-agnostic. When other cloud platform don’t offer the same services, how do you wean yourself off of them?”
Take, for example, Amazon’s Relation Database Service.
“Normally, it would take a lot of resources to design and map out the reliability and availability that is already one of the features of RDS,” he said. “If you have to migrate off of that, you have to architect something. They are very good at making sure that companies continue using their product.”
That is the big question the company is facing now, he said. “Do we invest heavily in some Amazon-native feature? And which services do we not invest in, so that we can migrate, or run in a hybrid mode?”
That requires some serious thinking about architecture design, he said.
“We’re trying very strategically to use Amazon services so we’re not overly ingrained,” he said.
An ounce of prevention
When it comes to avoiding cloud platform lock-in, the earlier a company starts thinking about it, the better, experts say.
Larger enterprises in particular, who have security expertise and would rather use best-of-breed solutions instead of relying on the cloud provider to handle everything, should consider using at least two platforms right from the start, said C.J. Radford, global vice president of cloud at Thales e-Security.
That will help keep pricing in check, while still allowing the company to take advantage of the innovation each provider offers, he said.
“This essentially forces the enterprise from day one to not place all eggs in one basket, which is too risky of a strategy,” he said. “Additionally, enterprises should look at best of breed independent software vendor solutions that are portable from cloud to cloud provider to ease any transitions needed in the future.”
That includes security, data management, identity and access management, and applications like databases, developer tools, and analytics, he said.
That’s just what MobileIron did, except not with one cloud provider, but several.
The mobile security company offers applications that customers run on their own infrastructure. And those customers are enterprises, and they’re all moving to the cloud, said Ojas Rege, chief marketing and strategy officer at MobileIron.
“We have to be able to run on Amazon, and on Deutche Telecom, Equinex, Azure, and Google Cloud,” he said.
This is an architectural question, he said, and it comes up on day one.
To deal with this issue, MobileIron separates out the functions that are cloud-specific, such as getting IP addresses, and writing that code in a modular way.
For example, he said, data always locks you in.
“There’s no way to get around using the core data structure,” he said. “And you want to. Google’s entire pitch is that they have analytics services that other folks don’t. If you run something on Google, you definitely want to use those analytics services, even if they’re not available other places.”
The trick is to do it thoughtfully, and using abstraction layers, he said.
Rege also recommended building automated systems to handle migrations.
“If you have a heavily manual process, that’s going to cost a lot of money,” he said. “So think about portability in advance. If you have to bring up a different data center, how can you do that automatically?”
One way to make the migrations go smoother is to use containers to hold the applications.
“If you have a containerized approach, you can run in Amazon’s container services, or on Azure,” said Tim Beerman, CTO at Ensono, a managed services provider that runs its own cloud data center, manages on-premises environments for customers, and also helps clients run in the public cloud.
“That gives you more portability, you can pick something up and move it,” he said.
But that, too, requires advance planning.
“It starts with the application,” he said. “And you have to write it a certain way.”
But the biggest contributing factor to cloud lock-in is data, he said.
“They make it really easy to put the data in, and they’re not as friendly about taking that data out,” he said.
The lack of friendliness often shows up in the pricing details.
“Usually the price is lower for data transfers coming into a cloud service provider versus the price to move data out,” said Thales’ Radford.
Multi-year commitments are another trap, he said. And sometimes there’s an extra unpleasant twist — minimum usage requirements that go up in the later years, like balloon payments on a mortgage.