Paul Shawah, VP CRM Strategy, and Ted Wallach, Senior Product Manager at Veeva Systems, discuss cloud security and why moving into the cloud can benefit everyone.
When cloud computing was first introduced to the mainstream, skeptics looked for vulnerabilities in the security of cloud applications.
Like the promise of a child prodigy, the cloud – with its frequent upgrades, massive scalability, flexibility, and low cost of ownership – appeared to offer a truly game-changing technology model for the life sciences industry.
Security was the only dart that could possibly deflate the balloon. But when respected retailers like Amazon began adopting the new model and even the U.S. Department of Defense embraced the technology, it seemed as though the cloud had proven to be as secure as any other technology – maybe more so.
Today, with private clouds, public clouds and a proliferation of mobile devices (i.e., the iPad) in use by pharmacos, the cloud security debate has been resurrected. The later adopters of cloud computing have legitimate concerns regarding security. However, in most cases, after doing their due diligence, asking the tough questions, and conducting third-party security assessments, many have come to the same conclusion: cloud computing may be even more secure than on-premise computing and the private cloud. In fact, a new survey from North Bridge Venture Partners of 785 companies finds a meager 3% consider the cloud to be too risky, down from 11% last year. Only 12% say the cloud platform is too immature, and that’s down from 26% a year ago. Furthermore, 50% of the survey respondents now say they have “complete confidence” in the cloud, up from 13% a year ago.
So, it looks like the fog around cloud security is finally starting to lift, but to ensure a truly sunny outlook for cloud technologies, it’s still important to take a look at how security is managed under various conditions, such as with mobile devices and database management.
Is security in the cloud any different from security of data centers?
Yes and no. Many life sciences organisations today host their infrastructure and applications in third-party data centres and have the same concerns about data security that existed at the time they moved from on-premise to a hosted model. But the bottom line is that the security of these organisations’ data is only as reliable as the host.
With the cloud, most cloud computing companies make a far greater investment in security than any single company would or could invest in their own internal systems. Cloud providers leverage the resources of all of their customers to invest in world-class infrastructure. These providers have built advanced access-control frameworks into the core solution that enable secure authentication, provide advanced logging of user activity, and allow administrators to control which users have access to highly sensitive data. Multiple layers of firewalls and analysis of network traffic at the individual packet level also ensure high levels of protection against intrusion and security vulnerabilities.
It really comes down to dollars and cents. Leading enterprise cloud providers have built their entire business model on delivering effective cloud-based applications; therefore superlative security is not a ‘nice to have’ but a minimal requirement to compete in the market. Without it, cloud providers fail – simple as that.
Many cloud applications are considered even more secure than other technologies because of the access to shared world-class infrastructure not otherwise affordable by individual companies. In the last several years, the cloud has rapidly matured to the point where pharmaceutical industry security audits are finding that security for cloud applications is actually stronger than traditional on-premise client/server security.
The perception that the cloud offers looser security than an on-premise or hosted environment is really a misperception born of the highly publicised nature of breaches at one or two cloud service providers. However, a recent study by Alert Logic compared the security of on-premise and cloud environments, and found that the cloud had lower occurrence rates for every class of incident measured.
Furthermore, some companies are so impressed by the security of the cloud that they are considering the cloud for digital storage of even their most sensitive data with providers such as Egnyte, SkyDrive, SugarSync, Box, and most recently, Google Drive – Google’s new cloud-based data storage service.
Private vs. Public Cloud – Is there a meaningful difference?
Still, companies are experimenting with private clouds (i.e., hosted systems), believing that they offer a greater degree of control and therefore security. With a private cloud, the company virtualises its data centre and client/server applications to leverage the economies of scale of the cloud but only at an individual company level. Moving to the private cloud can give companies an incremental cost benefit compared with on-premise solutions, but it does not offer the same level of shared efficiencies that a public cloud affords.
The real economies of scale and benefits are realised in the public cloud. Comprised of applications from multitenant vendors, the public cloud can be more secure than the private cloud for the investment reasons noted above, but also due to the advantages of multitenancy – a shared utility model. Most multitenant application providers can keep all of their customers up to date with the latest and greatest security measures on a more frequent and regular basis than any other technology provider can afford to do.
Conversely, within the private cloud, companies still need to manage complicated upgrades for private cloud applications on their own, just as they would with any client/server application. Even though public clouds can offer greater security than private clouds, a few pharmacos still hold on to the cultural stereotype that private is more secure than public because the public cloud requires a company to move to a shared utility concept. But that is precisely the benefit.
Plus, because the pharmaceutical industry changes so rapidly and companies are obligated to comply with changing industry regulations, the public cloud has proven to be the optimal choice. It enables pharmaceutical companies to keep up with frequent upgrades, enhancements, and regulatory changes that are only possible to deliver cost effectively on a true multitenant architecture. Plus, its single code base means that companies can leverage innovative new functions and features for free as they are introduced instead of months or even years later as is typical with traditional technologies.
“Anytime you move to a new technology platform, there are a lot of concerns about the consequences of that change,” said Jim Reavis, executive director of the Cloud Security Alliance (CSA). “From everything I’ve seen, the cloud tends to be a security upgrade for small and medium-sized enterprises because the providers are able to actually invest in security practices…That’s why small businesses are flocking to the cloud. They realise it’s actually an upgrade to their general IT.”
And, while it’s true that there has been a steady rise in SMB organizations outside ‘Pharma’s Top 50’ turning to the cloud for enterprise solutions, there’s equal growth among the largest global pharmaceutical companies. Nearly every Top 20 pharmaceutical company has adopted at least one mission-critical cloud-based application – quantitative evidence that confidence in the security of cloud-based solutions is growing.
Pharmacos all across the globe are realising the benefits of multitenant cloud computing and, at the same time, learning how secure the cloud is today. For example, many R&D and sales and marketing processes are already enabled in the cloud and have been safely and successfully using public cloud processing for years.
Mobility in the Cloud
Recently the CSA created the Mobile Working Group to address security concerns surrounding the use of mobile devices in the cloud – particularly data governance issues and how they impact where information is stored.
“People will be using apps on these devices, and whether they are corporate or bring your own, app security is also a concern,” added CSA’s Reavis. “We can’t ignore mobile from a cloud perspective because it’s going to be the primary way users will access, leverage and interface with the cloud.”
Indeed. Usage of cloud services on mobile devices provides distinct advantages as well as new challenges around securing company data at rest and in transit, especially when business-focused applications are intertwined with consumer apps on employee-owned devices.
The good news is that many mobile operating systems have native security controls in place to protect application data, such as hardware encryption, sandboxing, support for secure network protocols and remote wipe. And while most of these security measures are easily disabled on unmanaged devices, thus putting data at risk, there are cloud-based solutions that life sciences companies are using effectively.
Enter modern Mobile Device Management (MDM). Often cloud-based, MDM software packages allow companies to set security profiles and policies on employees’ devices, whether they are owned by the company or not. MDM solutions tap into the native security controls and configuration of the mobile operating system to satisfy even the most complex security requirements. Paired with intuitive management consoles, the best MDM solutions allow IT organisations to monitor device usage and react quickly and decisively to security risks. MobileIron and AirWatch are two providers offering cloud-based MDM solutions, each with customers in the life sciences industry.
“The cloud model offers compelling advantages for pharmaceutical enterprises in securing their mobile devices such as quick deployments, the ability to rapidly scale to their technology and business requirements, elimination of costly upfront capital expenditures, and a reduction in maintenance activities,” said Kevin Rockoff, director of pharmaceutical solutions, AirWatch. “Notably, the cloud helps boost the productivity of a pharmaco’s IT department by providing them with the flexibility to focus on other key projects without having to maintain additional systems and infrastructure.”
Rockoff continued, “We’re seeing strong momentum by our pharmaceutical customers toward the cloud computing model because of significant ROI benefits. MDM in a cloud model offers a secure environment that also directly addresses the compliance requirements of a pharmaceutical enterprise through monitoring and enforcing real-time data security.”
MDM solutions can also enhance virus protection on mobile devices by restricting which applications can be installed and run. Even though the vast majority of malicious code still targets the Windows operating system, the increasing popularity of Mac OS and the proliferation of smartphones mean that malicious code is now emerging that is written specifically for these other platforms, too. The greatest threat right now is malicious code that is spread through unauthorised apps, where users ‘jailbreak’ their devices to install these dangerous apps. But MDM solutions allow companies to restrict which apps can be installed on their managed devices – something that is much easier to control in cloud computing environments than in traditional client/server environments.
While it helps that the number of threats for mobile platforms is relatively small for now, it is still important to evaluate solutions that will protect devices from malicious code while also safeguarding the organisation by stringently controlling what users can and cannot install on their devices.
Securing devices is only half of the story, though.
While MDM systems can protect devices from running unauthorised applications and deter intrusion by requiring passcodes and enabling remote wipe, application vendors also have a responsibility to ensure their applications are effectively securing sensitive user and company data both at rest and in transit. The most basic of these controls is the storage of usernames and passwords. Sadly, some well-known application vendors store and transmit these proverbial ‘keys to the castle’ in plain text. And since many people still use one password for everything, it only takes one insecure application, whether it’s a social networking application or a game, to put company information at risk. Well-designed applications that are built with security in mind can offer the high level of protection that is expected by IT organisations.
The mobile cloud also has advantages over traditional client/server applications. One notable advantage is that the cloud naturally isolates end users from the corporate network. In a traditional client/server model, a pharmaceutical sales rep on the road using a laptop would connect to their CRM system through VPN to access the resources behind the corporate firewall, which puts the applications, servers and data on the corporate network at risk of attack. Using cloud services on mobile devices no longer requires a connection to the company’s VPN, thus removing the corporate network from the equation.
Mobile security continues to evolve as companies recognise the inescapable link between mobility and the cloud. Device manufacturers and application developers alike are seeking new and innovative ways to fend off an increasingly sophisticated enemy. Technologies such as advanced biometric identity management and new Security-as-a-Service models, such as those provided by Okta, are leading the way into the future as an ever-increasing number of pharmaceutical enterprises adopt cloud-based applications for the highly touted benefits over traditional client/server applications. So while security used to be a cultural barrier to the cloud for the pharmaceutical industry, it’s not anymore. Finally, pharmacos can start to rest easy knowing that the cloud provides a truly higher level of security and a more agile way to support an organisation that is adopting new technologies.