NCHICA 15th AMC Security & Privacy Conference
A Journey to Cloud Security and Compliance
Presenters (Case Study #1)
Bill Schultz, Security Architect, Vanderbilt University Medical Center
Dave Clevenger, Senior Director, Coalfire
Presenters (Case Study #2)
Rob Sarkis, CIO, American Hospital Association
Bryan McGowan, Security Practice Director, Burwood Group
A Journey to Cloud Security and Compliance
June 4, 2019
Case Study #1
©2019 Coalfire – Restricted
Speaker Introductions
Bill Schultz, Security Architect
Vanderbilt University Medical Center
Bill is a Security Architect and has worked in the information
technology field for over 15 years, with a focus on enterprise
architecture, security architecture, risk management and compliance.
He has built security and risk management programs, and developed
strategic and technical system architectures. Bill has led risk
management and security architecture initiatives to build secure
systems that comply with federal, healthcare, and PCI standards.
Speaker Introductions
Dave Clevenger, Senior Director
Coalfire
Dave is a Senior Director at Coalfire with an active top-secret
clearance and over 13 years of experience in technical disciplines
such as information assurance, information systems design, network
design/implementation, security management operations, cloud
service models (IaaS/PaaS/SaaS) and deployment models
(Public/Community/Hybrid/Private).
He has successfully managed and assessed government and
commercial systems with extensive experience in information system
security, FedRAMP, FISMA, security testing and evaluation, risk
assessments, and system/network design implementations.
About Vanderbilt University Medical Center
Managing more than 2 million patient visits each year, Vanderbilt University Medical
Center (VUMC) is one of the largest academic medical centers in the Southeast, and is
the primary resource for specialty and primary care in hundreds of adult and pediatric
specialties for patients throughout Tennessee and the Mid-South.
VUMC is recognized each year by U.S. News & World Report’s Best Hospitals rankings as
national leaders, with 19 nationally ranked adult and pediatric specialties.
Through the Vanderbilt Health Affiliated Network, VUMC works with over 60 hospitals and
5,000 clinicians across Tennessee and five neighboring states to share best practices and
bring value-driven and cost-effective health care to the Mid-South.
Coalfire at a Glance
Who is Coalfire?
• Thought-leader and go-to advisor in
the fast-growing cybersecurity market
• More than 1,800 clients across
a broad set of industry sectors
• 97% client retention
• More than 600 employees in 12
locations in North America and Europe
• Backed by The Carlyle Group
and The Chertoff Group
What we do
• A sophisticated portfolio of cyber risk
advisory and engineering services
• Industry-leading technical
testing services
• Compliance services spanning all
the leading regulations and frameworks
• Cloud-based CoalfireOne℠ enterprise
risk and compliance platform, used
by more than 800 clients
Agenda
• Background/overview of use case
• Security Posture Overview
• Myths of using cloud services
• Reality/Lessons Learned
Use Case Background
Cloud Implementation Project/Federal Research Program
• 100% cloud #Cloud First
• FISMA Moderate/FedRAMP
• Well Funded Security Budget
• Very High Security Scrutiny
Roles
• Program Sponsor: National Institutes of Health
• System Owner: VUMC
• Development partners: ~5 partners (written in grant)
• Program partners: 2 (have similar grant/interconnect)
• Users: 45+ organizations (received supporting grant)
Services / Service Providers
Google Services
• App Engine
• Datastore
• Cloud SQL
• BigQuery
• IAM
• Gsuite
• Domains
• Groups
Development
• Github
• Jira
• Confluence
• Circle CI
Email Support
• Mandrill
Security
• Codacy
• Incapsula WAF
• Application Vulnerability Scanning
• Threat Modeler
• SensioLabs Security Advisories Checker
• Qualys SSL Labs SSL Test
• 3rd Party Pen testing
• 3rd Party Manual Security Testing
Security Posture Overview
Program Level:
• FISMA Moderate Security Control Implementation
• Independent validation of implemented controls (Annual)
• Weekly report to sponsoring organization
System Level:
• Security integrated into system requirements
• Static code analysis and code peer reviews
• Circle CI implemented security checks
• 3rd Party dependency vulnerability scanner
• Credentialled application scans (weekly)
• Dedicated 3rd party Penetration testing (bi-weekly)
• Bug Bounty Program
Reality or Myth?
• Cloud Providers will address all of the tough security challenges.
• We can push code quickly and not get bogged down in the security
documentation!
• Our provider is compliant, so we are too!
• They have best in class security in house!
• IAM and Service accounts can replace Network level access controls.
Reality
• We still have to follow the same risk management process.
• DevOps is still inheriting controls as before, but now from someone else (the cloud provider).
• DevOps is now responsible for critical security services.
• In many cases, the app is the new perimeter (when an approved infrastructure and
platform provider are utilized).
• New Security Operations services, with new skill sets, are needed to support this.
Lessons Learned
• Update your documentation for each CSP and environment no less
than annually. It should be specific to the CSP's requirements and
point to the controls inherited under the cloud service model.
• Scanning should occur monthly or quarterly,
depending on your requirements.
• Some key issues are common to many cloud
environments:
– Not scanning with admin credentials
– Not reviewing all audit logs
– Not correcting issues within the stated time frame
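As an added example (not part of the presentation or either organization's tooling), the following Python pass reviews a batch of constructed Google Cloud Audit Log entries for two of the gaps listed above: IAM policy changes made by service accounts, and services on the VUMC stack (App Engine, Cloud SQL, BigQuery) that have no data-access audit stream at all. The log shape, service names, project name and sample values are assumptions made for the example.

```python
"""Review Cloud Audit Log entries for unreviewed IAM changes and for services
that emit no data-access logs (off by default for most Google services, so
a missing stream usually means it was never enabled, not that nothing happened)."""
import json

# Constructed sample entries shaped like Cloud Audit Log JSON; not real data.
SAMPLE_LOG = r'''
{"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "deploy-sa@demo.iam.gserviceaccount.com"}, "requestMetadata": {"callerIp": "203.0.113.7"}}}
{"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"serviceName": "appengine.googleapis.com", "methodName": "google.appengine.v1.Versions.CreateVersion", "authenticationInfo": {"principalEmail": "ci@demo.iam.gserviceaccount.com"}, "requestMetadata": {"callerIp": "198.51.100.9"}}}
{"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"serviceName": "bigquery.googleapis.com", "methodName": "jobservice.query", "authenticationInfo": {"principalEmail": "analyst@example.org"}, "requestMetadata": {"callerIp": "192.0.2.20"}}}
'''

# Services the case study runs on; each should be producing data-access logs.
EXPECTED_SERVICES = ("appengine.googleapis.com", "sqladmin.googleapis.com", "bigquery.googleapis.com")


def parse_entries(raw):
    """One JSON object per line, as a log sink export would deliver them."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def log_stream(entry):
    """'activity' (admin) or 'data_access', from the URL-encoded logName suffix."""
    return entry["logName"].rsplit("%2F", 1)[-1]


def review(entries, expected_services=EXPECTED_SERVICES):
    """Return a list of findings; an empty list means no gaps were detected."""
    findings = []
    streams_seen = set()
    for entry in entries:
        payload = entry["protoPayload"]
        streams_seen.add((payload["serviceName"], log_stream(entry)))
        principal = payload["authenticationInfo"]["principalEmail"]
        # A service account rewriting IAM bindings is exactly the change that
        # goes unnoticed when IAM is treated as a substitute for network controls.
        if payload["methodName"].endswith("SetIamPolicy") and principal.endswith(".gserviceaccount.com"):
            caller_ip = payload["requestMetadata"]["callerIp"]
            findings.append(f"IAM policy changed by service account {principal} from {caller_ip}")
    for service in expected_services:
        if (service, "data_access") not in streams_seen:
            findings.append(f"no data_access entries for {service}: logging is likely disabled or unreviewed")
    return findings


if __name__ == "__main__":
    for finding in review(parse_entries(SAMPLE_LOG)):
        print(finding)
```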
A Journey to Cloud Security & Compliance
2019 AMC Conference | June 4, 2019
Case Study #2
About Us
Bryan McGowan, Security Practice Director
Burwood Group
Rob Sarkis, CIO
American Hospital Association
The AHA vision is of a society of healthy communities, where all individuals reach their highest potential for health.
To advance the health of individuals and communities, the AHA leads, represents and serves hospitals, health systems and other related organizations that are accountable to the community and committed to health improvement.
Journey to the Cloud: Key Drivers & Risks
Drivers: Flexibility, Security, Resources
Challenges: External Partners, Multiple Solutions, Culture, Change Management
Cloud Platform Selection: What’s Important
AWS
• Administration & Available Resources
• Lower cost for non Microsoft services
• Platform Agnostic
Azure
• Microsoft-focused Offerings
• Pay-as-you-go Microsoft Services
• Rich offerings (O365, OneDrive, ADFS)
Journey to the Cloud: Spotlight on Solution
Cloud Transformation: AMS Platform Migration
Initial opportunity was attractive due to available cloud storage in existing subscription
Provided tighter integration with Active Directory for Identity Management and Single-Sign-On
Reduced user administration workload with AD integration
Living with the Cloud: Learning and Growing Pains
It was easy to sign up!
Misconception of client’s security responsibility
Challenging to control Security, Operations, and Cost
Designing Governance and Operational Processes
• Access Management
• Data Governance
• Logging and Alerting
Simplifying Cloud Deployment
Reducing investment for unused capacity
Growing with Cloud: Enhancing Cloud Security
12 major initiatives and all involve cloud:
• Change Management
• Data Access Governance
• Identity Management
• Risk Management Updates
• Security Policy Updates
• Software Development Practices
• Vulnerability Management
• AWS Remediation
• Security Standards Development
• Application Security Remediation
• Application Data Flow Mapping
• Infrastructure Remediation
Growing with the Cloud: Sustainability
Setting/Maintaining a secure foundation for the cloud is crucial
Change Control maintains consistency
Software Development and Infrastructure standards ensure compliance over time
Understanding, documenting, and maintaining data flows validates protection of data at rest and in transit
Effective management of third-party partners and vendors is required
Remaining current – Infrastructure and Application
Journey to the Cloud: Key Takeaways
It’s easy, if you make it easy
You don’t have to over complicate, but don’t underestimate either
Select your partners wisely, balance your reliance on their service
Don’t build your own internal army
Looking Ahead: Future Cloud Vision
The journey is never complete
• New tools emerge
• New workloads are needed
• New technologies are available
Security is always evolving
• So are the bad guys!
• Constant attention to threats and needs
Keep doing your job right (sustainability)
• Don't go backward
• Don't undo your previous good work
• Good enough for today is not good enough for tomorrow
Continuously reassess posture
• Always be assessing
• Continue to push boundaries
Questions
Bill Schultz
Dave Clevenger
Rob Sarkis
Bryan McGowan