Managed Cloud Blog


New report shows IT decision-makers using the cloud to store sensitive data despite high perceived risk

A new report by Vormetric, summarized today in Forbes, says that while close to 60% of IT decision-makers are placing sensitive data in the cloud, nearly 89% feel that they are at least somewhat vulnerable to an insider attack, and 46% believe cloud environments are the storage location of greatest risk for data breaches.

In addition, concern over data breaches now eclipses concern over achieving and maintaining compliance, and the greatest perceived source of data breaches is insider threats, to which 93% of organizations felt they were vulnerable.

44% of North American organizations have suffered a serious data breach or failed a compliance audit in the last 12 months.

The study results show that behavior with respect to data security is not in line with perceived risk, and it is also not in line with actual risk, which on average trailed perceived risk only slightly. While there are many potential reasons for this misalignment, in my experience the major causes among our prospective clients are:

  • Perceived low cost of cloud hosting does not include the actual costs of maintaining data security
  • Business pressures coupled with the ease of provisioning cloud resources take priority over security
  • Security costs are high (both from a labor and software/service licensing perspective) and not coming down significantly
  • There is confusion about what security measures are necessary to prevent actual threats

Matching the trends in the study, ENKI is seeing an increasing number of prospective clients who prioritize protection from data breaches, and compliance with their insurers' requirements for data breach protection, above regulatory compliance. This is especially true of organizations that keep sensitive data not covered by any compliance requirement.

Our security offerings align closely with those the study identified as most important to IT decision-makers:

  • 55% asked for encryption of data with enterprise key control, which ENKI provides as our inexpensive SecurVault service
  • 52% also want service level commitments and liability terms for a data breach, which ENKI provides as part of our BAA or contracts
  • 48% desire explicit security descriptions and compliance commitments, which ENKI provides as part of our PrimaCare Gold Compliance services

We have assembled a suite of compliance tools and services that can be tailored to meet your exact requirements, whether those are meeting compliance requirements or defending against particular threats that concern you. Coupled with our operations services, we can also reduce the number of people in your organization who touch your cloud infrastructure and who may have motives to improperly access privileged data. While we are an infrastructure cloud provider, we have realized that many of our clients need operations services (outsourced IT services) that are security-aware and can offload the challenges of meeting and maintaining security requirements from your team. Overall, we feel confident that we can provide a secure cloud solution for your application hosting needs and work with your team to achieve your overall security goals.

Please contact us if this approach sounds interesting to you!

How ENKI can help with your compliance needs

We have recently been seeing a great deal of interest among our cloud hosting customers and prospects in security and compliance, in particular HIPAA and PCI requirements. The recent revelation that 80 million healthcare-related records were stolen from Anthem should only increase this interest! The important thing to remember is that while security and compliance are not the same thing, they have a purpose in common: safeguarding your business and its customers from threats to data security and application uptime.

In addition to requiring best practices for securing your application and your clients' data, compliance regulations are focused on reputation and responsibility: they let you build a reputation for security that allows clients and partners to trust you. They also help to assign responsibility in the event of a security breach, since the regulatory agency requiring your compliance certification is usually empowered to fine you or shut down your application or web site if it can be shown that the break-in resulted from being out of compliance with the associated requirements.

ENKI can help to ensure the security of your cloud hosting while providing many of the necessary building blocks for meeting compliance requirements. Unfortunately, no hosting provider can guarantee that your business is fully compliant with HIPAA or PCI, because the requirements extend beyond the hosting to your application code and your company's internal processes. However, ENKI's cloud infrastructure and consulting services eliminate much of the complexity and required knowledge in making sure that your hosted application is compliant.

  • ENKI's cloud is more secure and compliance-ready than your private datacenter. Our 9 years of providing secure cloud hosting have given us the experience and know-how to manage our datacenters and your hosted environments for exceptional security. Learn more on our security page.
  • We are experts on compliance and security, having hosted and managed highly secure and compliant applications for customers in a variety of industries including healthcare, finance, and government. Our compliance-oriented support services are designed to deploy and manage security measures as well as advise you on how to cost-effectively achieve compliance. Our standard BAA is one of the most comprehensive in the industry.
  • ENKI offers support packages with a variety of best-of-breed, compliance-oriented technical security measures including Web Application Firewalls, 360 Degree Data Encryption, Site Security Scanning, Intrusion Detection, File Integrity Monitoring, Log File Analysis, and secure VPN access.

Security need not be expensive: data encryption can be deployed for as little as $40 per server and will prevent the damage Anthem experienced recently, especially since our SecurVault encryption manages your keys so that they are not stored on your servers.

We have found that the bulk of our compliance clients can benefit from our security and compliance expertise; many have come to us with serious but easily addressed security holes that we have been able to close with our services. Over the next few weeks, I'll be posting some blog articles about the technical countermeasures that ENKI offers to protect your data and applications.

Please contact us for a free evaluation of your HIPAA or PCI hosting needs.

Will an infrastructure provider's HIPAA certifications help my application be HIPAA compliant?

HIPAA is a strange beast, in that it has very few specific requirements but holds the Covered Entity and/or its associates responsible for using best practices to secure data. If a breach occurs, an examiner will determine responsibility based on how completely the Covered Entity and its business associates followed best practices. Unfortunately, best practices are a "cultural" as well as a technical philosophy that evolves over time. The current set of expected best practices for Technical Safeguards of hosted applications is generally accepted to be storage encryption, external security scanning for externally visible applications, encrypted communications (HTTPS/VPN), Web Application Firewalls for externally visible applications, secure backups, and potentially IDS (intrusion detection systems). Additionally, for Administrative Safeguards, automated file system change monitoring, log file monitoring, and automated change management with approvals are best practices to ensure that the application is administered securely. Certainly, a specific application may not have a threat surface that requires all of them, but HIPAA requires that decisions not to follow best practices be documented and explained as part of the security plan.

So will a certification, such as HYTRUST, help you achieve HIPAA compliance with your hosted application?

Unfortunately, if you look at what HIPAA "requires" – which is control over PHI (protected/private health information) at all stages of its management by the Covered Entity – there is no certification short of a full audit that will ensure that a Covered Entity is HIPAA compliant, because every process, program, server, application, job, person, and vendor that touches the data must be compliant. Essentially, an entity's HIPAA responsibility is tied to the amount of control the entity has, so a typical infrastructure service provider – Amazon, for example, which gives clients full control over their infrastructure – cannot take much responsibility at all, no matter what certificate may be proffered.

Because of this, any certification on Infrastructure-as-a-Service is almost meaningless, since anything the infrastructure service provider does to ensure data safety can only be necessary, not sufficient, for compliance. There is a certification called HYTRUST that some infrastructure providers are starting to offer; however, from a practical standpoint, since the clients of such providers control the servers and the application, it offers no additional assurance of compliance. Instead, what ENKI has chosen to offer clients who want assurance of compliance is a full suite of automated security controls coupled with application management that complies with the HIPAA Security Rule's best practices, including full change management. This service offering allows us to guarantee compliance – of the hosting only, of course – backed with up to $2M of liability coverage.

Since what your clients ultimately want is data security – so that HIPAA issues never come up – one of the best options for assuring them that their data is secure is the report of an external security scanning service. ENKI offers the well-respected AlertLogic scanning, which also includes intrusion detection, satisfying both the clients' desire to know that their data is secure and their systems compliant, and, should a breach occur, the HIPAA Security Rule's notification requirements, which are handled by the IDS.

For an overview of ENKI's HIPAA compliant hosting, please go to our HIPAA intro page.

Spending too much on the cloud? Tackle your cloud sprawl

I consistently hear from ENKI's enterprise cloud prospects that they have had bad experiences with some of our competitors because they feel they are spending too much on cloud services compared to their expectations. It turns out that the root cause of the excess expenditure is "cloud sprawl": the unplanned use of cloud resources that provide no economic benefit to the cloud client. As a result, managers and executives at cloud customers feel they have lost control over their cloud expenditures, and often blame the cloud, the cloud provider, or even the technology (including virtualization).

The most common causes of cloud sprawl we've come across are:

  • Use of cloud in lab or test environments where there is no defined completion date/time for the use of the resources, so they simply remain on
  • Control of cloud resources by organizations, particularly development organizations, where corporate cloud resource usage is controlled by individuals who use them for personal projects that are not directly associated with production services
  • Lack of centralized control over cloud spend because nobody on the client side is tasked with controlling cloud costs, often coupled with a lack of adequate usage reporting from the cloud vendor
  • Separation of expense control and cloud provisioning roles
  • Lack of automated process on the part of the cloud vendor for implementing resource control policies
  • Lack of client cloud use policies

It has been pretty clear from our discussions with prospects that both the cloud provider and the consumer must collaborate to control cloud sprawl, especially since the root cause of the sprawl in many cases is client employees ordering cloud resources without any supervision.

ENKI has taken steps to enable our clients to control cloud sprawl, including:

  • Enhanced billing for improved clarity and detail
  • Online portal showing current usage rates and statuses for resources (Customers: check the link at the bottom of our home page)
  • Online portal allowing role-based control over resources outside of the provisioning process
  • Custom automation for select customers to enable us to support their resource control policies
  • Automated discounting for increased usage levels


Getting the basics right: stopping RDP attacks

ZDNet has a great article out today about how security still relies on taking some simple, easy steps - or fails because they weren't taken, despite sophisticated defenses having been deployed. In this case, it's Microsoft RDP (Remote Desktop Protocol), which our Windows customers usually use to get administrative access to their virtual machines, so its security is critical. RDP is secure - as long as you use it securely!

For securing RDP, the article makes some simple recommendations:

  • Use complex passwords, especially for accounts with administrator access
  • Consider disabling the Administrator account and using a different account name for that access
  • Set the system to lock a user out for a period of time after some number of failed login attempts; group policies for these rules have been in Windows for a long time
  • Require two-factor authentication, especially for administrator access
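
The following PowerShell is an added example (it is not from the ZDNet article and is not an ENKI tool) showing how the lockout, password-length and Administrator-account recommendations above can be applied on a single Windows server, and how to check the Security log afterwards for failed RDP logons so that you can see whether the lockout policy is actually being exercised. The lockout thresholds, the replacement account name `svc-mgmt-example` and the alternate admin account `cloudops` are illustrative placeholders; substitute your own.

```powershell
# Added example: harden RDP logon on one Windows host, then review failed logons.
# Run from an elevated PowerShell prompt on the VM itself.
# Names and thresholds below are placeholders chosen for illustration.

# --- 1. Account lockout: lock for 30 minutes after 5 failures within 30 minutes.
#        The same settings appear under "Account Lockout Policy" in Group Policy.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# --- 2. Minimum password length for local accounts. Password *complexity*
#        ("Password must meet complexity requirements") is a Group Policy /
#        secedit setting and is not changed by 'net accounts'.
net accounts /minpwlen:14

# --- 3. Rename and disable the built-in Administrator account (RID 500),
#        but only after confirming an alternate admin account exists and is
#        enabled, so the change cannot lock you out of the server.
$alternateAdmin = 'cloudops'                      # placeholder: an account you already administer with
$alt = Get-LocalUser -Name $alternateAdmin -ErrorAction Stop
if (-not $alt.Enabled) {
    throw "Alternate admin '$alternateAdmin' is disabled; refusing to disable built-in Administrator."
}

$builtin   = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$adminName = $builtin.Name
if ($adminName -eq 'Administrator') {
    Rename-LocalUser -Name 'Administrator' -NewName 'svc-mgmt-example'   # placeholder name
    $adminName = 'svc-mgmt-example'
}
Disable-LocalUser -Name $adminName

# --- 4. Detection: failed logons (event 4625) in the last 24 hours, keeping
#        RDP-related logon types and grouping by source address. Logon type 10
#        is RemoteInteractive (RDP); with Network Level Authentication enabled,
#        failures are often recorded as type 3 (Network) from the same source.
$since  = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            SourceIp  = $data['IpAddress']
            LogonType = $data['LogonType']
        }
    } |
    Where-Object { $_.LogonType -in @('3', '10') }

# One row per source address, most failures first, with the account names tried.
$failed |
    Group-Object SourceIp |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIp'; e = { $_.Name } },
                  Count,
                  @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Two-factor authentication, the fourth recommendation, is not something a local script can switch on; it is provided by whatever sits in front of the RDP endpoint, so it is deliberately left out of the block. The failed-logon summary is the check you would rerun after applying the policy: a source address whose count stops growing at the lockout threshold is the policy working as intended.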

If you are an ENKI customer and need help with these steps, or consultation on the security of your cloud deployment, please contact our support services. ENKI specializes in providing secure cloud installations for compliant applications that must meet HIPAA, PCI, or other regulations.

How ENKI's on-demand instance sizing can save you up to 25% off Amazon or Rackspace clouds

While we like to compare the total cost of operating your application in our cloud versus the big guys - Amazon and Rackspace - our prospective clients often focus on the per-hour infrastructure costs. We're currently running a 20% off special on the equivalent resource pricing compared to Amazon - a particularly good deal since they just lowered their prices. But from a resource cost perspective, ENKI is a better choice yet, because you simply need fewer resources - and therefore less money - to run your application in our cloud.

How is this possible? The answer is that ENKI's VMware-based cloud allows you to allocate the computing resources you need to your applications on an instance (VM) by instance basis. If your instance needs 10GB of RAM, for example, you won't have to buy a 15GB instance to run it. On average, our customers allocate 25% fewer resources than if they were forced into Amazon's fixed-size instances, saving themselves that percentage of cost. This savings comes before other additional savings, such as not having to allocate standby instances if you need rapid failover, because our VMware cloud instances are not ephemeral (disappearing if the underlying hardware fails).

How did I come up with the 25%?  First of all I assumed that cloud customers "walk in the door" of a cloud provider with a certain instance size in mind that they need to run their application, which I call the "demanded" instance size.  If they go to Amazon, they'll have to pick one of AWS' instances, which has to be larger than the