We live in a world in which cyber foes are constantly coming up with new ways to compromise us. And – to boost the hackers’ advantage – the increasingly unrestrained use of the cloud has created somewhat of a Wild, Wild West scenario. The healthcare industry proves no exception. So, just as in those old westerns we watched as children, there comes a moment when a new sheriff arrives in town to bring everything under control.
More than ever, healthcare organizations are turning to cloud access security brokers (CASBs) as the “new sheriff.”
To summarize definitions from Gartner and other authoritative organizations/publications, CASBs are on-premise or cloud-based software tools or services which act as a gatekeeper between an enterprise’s cloud users and cloud providers, ensuring that app usage in the cloud complies with internal security policies. They deploy enforcement methods such as authentication/authorization, encryption, device profiling, tokenization, malware detection/prevention and alerts. They identify high-risk apps, users and additional sources of concern, while giving IT a deep level of visibility into cloud app usage, data protection and governance for enterprise-sanctioned cloud apps.
By 2020, 60 percent of large enterprises will use CASBs, up from less than 10 percent today, according to a projection from Gartner. By the same year, the global CASB market will grow from $3.34 billion to $7.51 billion, according to a forecast from MarketsandMarkets.
At the risk of stating the obvious, continued cloud adoption is driving CASB demand for industries such as healthcare: About one-third of healthcare organizations have migrated at least one-quarter of their existing software infrastructure either to the cloud, or remote hosting, according to survey research from Datica. To underscore cautionary sentiments about the trend, nearly 53 percent of the survey’s participants said they are concerned about the state of security, compliance and privacy protection among cloud-hosted app vendors.
In addition, the increasing presence of Bring Your Own Device (BYOD) within the enterprise has elevated interest in CASBs: Seven of ten hospital executives said their organization allows some form of BYOD – and 63 percent of physicians and 41 percent of nurses are using personal devices for work even when BYOD is not allowed, according to survey research from Spok. At the same time, more than one-half of the executives cite data security as a top BYOD challenge.
The implementation of a CASB would clearly help reduce the stated concerns about cloud/device usage. In my observations, there are primarily three ways to move forward with this:
Reverse proxy. With reverse proxy, the CASB captures users’ activities anytime they log into a cloud service. It monitors for all that is allowed, and all that is not. This is particularly effective for BYOD, since the deployment of these devices typically requires log-ins. On the downside, however, there are cloud services that do not require a log-in process which would therefore not flow through the CASB. This approach also has the benefit of not sending all traffic (personal and corporate) through a CASB.
Forward proxy. In this case, every single thing that users do on managed devices goes through the CASB. Forward proxy is the most holistic approach for managed devices, and that can be considered both a good thing and a bad thing from the management/user perspective. Supervisors may favor it because no managed device activity “slips by” the CASB. But users – regardless of internal policies – are going to need to do “private stuff” in the cloud (like sending an email to their spouse to say they have to stay late at work). With a forward proxy, they may feel that they no longer have any privacy, and this could lead to morale/retention problems. Another issue with forward proxies: It only covers managed devices, so it can’t control BYOD ones.
Application programming interface (API) mode. Via API mode, the CASB is tightly integrated with the cloud vendor in a partnership that enables the organization’s security team to look deeply into an application to prevent any data loss. The granular level of approach here delivers the biggest benefit. But, in terms of a notable disadvantage, not all cloud vendors are able to establish this kind of integration with a CASB.
As for which method I’d recommend to healthcare organizations now? I feel a hybrid approach would work best, combining API mode and reverse proxy. We are under great pressure to safeguard protected health information (PHI). Through API mode – assuming we have relationships with cloud vendors which can support it – we’ll secure the data. Then, with reverse proxy enforcement, we add an extra layer of defense that effectively watches over BYOD activity.
Yes, the bad guys are eager to spin our cloud ecosystems into an unleashed, vulnerable state, and they have more than enough weapons at their disposal to do it. That’s why we need to continue to implement new enforcement tools (i.e., “sheriffs”) to regain control of the devices and data which connect to the cloud. Like other security options, CASBs aren’t likely to bring a “magic bullet” solution to the equation. But they can potentially keep healthcare organizations at least one step ahead of their adversaries. And that should restore “law and order in the West” for the foreseeable future.