Companies slow to adopt cloud computing risk falling behind in security. But they also face lagging behind rivals in terms of innovation, speed and collaboration.
Pharmaceuticals are living through a technical renaissance, with advanced techniques to measure and engineer biology unthinkable a decade ago. Advanced lab instruments, robotics and sensors are commonplace, with AI and ML deployed on massive genomics datasets for drug discovery. However, cloud adoption in pharma is still patchy.
This isn’t unique to pharma. The move to the cloud does not happen overnight, and pioneering both the tech behind cloud computing and the modern security necessary to make it a reality has been challenging.
The road was paved for accelerated innovation and success for businesses, governments and educational institutions. Back then, there were discussions around the fear, uncertainty and doubt that businesses had about cloud computing; today, those industries take cloud as a de facto standard.
A lack of data liquidity can easily hold an industry back though. It was not that many years ago in healthcare when a patient’s data was essentially bound to the physical location of a healthcare provider’s office. In order for a patient to have their data be available at another provider’s office, it had to be printed out on paper and faxed. This was time-consuming, cumbersome and prone to errors. As a technology executive, I found this baffling and the set of problems all too familiar, so I decided to lean into healthcare and healthtech.
Over the last two decades, cloud computing has matured, approaches to security have advanced considerably and data liquidity has become the expectation and the accelerant. But many commonly held beliefs about cloud computing have prevented pharma from adopting a strategy of digital transformation. So here we will bust four myths around cloud security that do not hold up to any scrutiny.
Myth 1: cloud computing isn’t as safe
This is probably the biggest cloud myth out there. It is perpetuated by technology vendors defending their market share and IT professionals who may be more comfortable with a server that they can see and touch. But this myth is the wrong question entirely. Cloud computing companies are heavily incentivised to make secure products because, unlike most traditional, on-premise vendors, they have to take responsibility for security.
There are three aspects of cloud computing that impact security. Firstly, vulnerability management. With automated vulnerability management, security patches come out daily, weekly and monthly in the cloud, whereas many on-premise technology vendors can take a number of months – or even years – to patch security vulnerabilities. Most on-premises technology vendors have also not invested in security engineering or secure software development to the same extent and in the same way that cloud computing vendors have.
Cloud computing vendors are hyper-focused on embedding security into the software development life cycle and being able to react quickly to any identified security vulnerabilities. Configuration monitoring is often much easier in the cloud due to the investments that cloud vendors have made in APIs, which support security and compliance monitoring.
Think automated auditing on a daily basis, which makes it possible to know the state of security with systems and data on a daily basis. This level of cross-platform, cross-system visibility is so much harder with traditional technologies due to the lack of API architectures.
Third, one of the biggest drivers behind why cloud computing’s approach to security is often better, is that cloud vendors want to make money. They understand that they must share the responsibility of security if they are to be trusted, and if they are to increase revenue. This incentivises them to make products more secure and maintain them. Out of this has arisen a modern approach to secure software development and cloud security operations. More times than not, cloud computing companies offer a product that is more secure and will be better maintained than their traditional, on-premise counterparts.
Myth 2: security is solely the responsibility of the vendor
The Shared Responsibility Model is one of the greatest strengths of cloud computing. Cloud vendors have a responsibility to securely develop cloud software and infrastructure so, to do this, they use automated vulnerability management, routine penetration testing, asset management, configuration management and more.
The end result is that many cloud software products undergo more security scrutiny, on a more frequent basis, than on-premise technologies do. Not all cloud products are the same when it comes to security, but it is becoming increasingly common for enterprise Software-as-a-Service (SaaS) companies to approach security in this way.
But that is not enough. It is the responsibility of each pharma, life sciences or biotech organisation to choose to configure the cloud service in a secure way. For example, making decisions around single factor authentication or multifactor authentication, choosing to enable IP range restrictions or choosing to enable role-based access controls.
The most secure cloud computing products can be configured in an insecure way, so it’s paramount that life sciences organisations work closely with cloud computing vendors to securely configure their products. The vendors will take care of the vulnerabilities, but each organisation needs to take care of the configurations.
If we take a data driven approach to this – looking at actual attacks – only 5% of recent breaches involve exploiting a vulnerability.4People talk a lot about ‘hackers’, but what the data shows us is that threat actors are more like ‘social experts’ who love to target people and single factor authentication. In fact, 82% of breaches involve the human element.
Threat actors know it is far easier to target the life sciences workforce than it is to exploit their cloud computing services and data platforms. When it comes to protecting life sciences organisations, the data suggests we should be focused much more on people and credentials than whether or not software is in the cloud. The data doesn’t show us that cloud computing is easier to hack or that on-premise technologies are safer; it shows us that humans are often the key to a threat actor’s success.
Myth 3: as more companies move to cloud, there will be more security incidents
It is true that as more companies adopt cloud computing, there will be more security incidents involving cloud computing – we clearly see this in investigative reports – however it doesn’t mean that the breaches are the result of cloud computing. Indeed, the vast majority of breaches involve credentials, social engineering, phishing and misconfiguration, which means organisations are likely not using the security features provided by their cloud vendors (for example, multifactor authentication, IP range restrictions, etc).
The vast majority of breaches do not involve a threat actor hacking into cloud computing companies via an application vulnerability. Again, a secure product can be used in an insecure way if we don’t pay close attention to customer-controlled configurations. The good news is that secure configurations are very easy to implement and most cloud providers will readily guide life sciences organisations through that process.
Myth 4: you can’t verify what’s happening with your data in the cloud
Compliance is also a reason that some organisations avoid cloud computing, but the idea that you can’t verify what’s happening with your data is untrue.
Ironically, because cloud computing is built on API architecture, most cloud vendors provide very transparent logging of who did what, when, how and from where. If an organisation wants to know who configured its cloud platform in a certain way, it’s possible to query the logs and find out.
The same is true for finding who has viewed data, uploaded data or edited data. It is often far easier to know what is happening with data, and when it is being stored or processed, with an enterprise SaaS platform, than it is when it is with disparate legacy software systems in physical data centres.
With cloud computing, and enterprise SaaS specifically, it’s possible to more easily attain a state of programmatic assurance, making compliance with various regulations far easier than having to direct our teams to perform manual reviews, manual verification and manual evidence collection for audits.
This post was originally published on the 3rd party site mentioned in the title of this this site