Cloud Security and Management. How are we viewing security in the cloud today? We now have the ability to do things bigger and faster. What does that mean for Disaster Recovery? Doug McMillian, former CISO and CTO and current Director of Healthcare at Sirius Healthcare joins Bill Russell to discuss security platform approach, Next Gen Firewall, URL content filters and Zero Trust. Plus the key aspects of Cloud Management Framework including automation, standardization of tool sets, cloud native features, code repositories and cost management.
Sign up for our webinar: Owning Cloud in Your Organization - Understanding, Implementing and Designing Your Hybrid Cloud Strategy - February 24, 2022: 2:00pm ET / 11:00am PT
Thanks for joining us. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.
Welcome to our hybrid cloud briefing. I'm excited to get to our topic today, securing and managing cloud effectively. We're joined by Doug McMillan, former CISO and current Director of Healthcare for Sirius Healthcare. The podcast series is going to culminate with an excellent panel discussion. We're going to have experts talking about who owns the cloud strategy at your organization as well as how to build out an effective cloud strategy.
Check out the description box below for the registration. And to learn more about the upcoming webinar. We want to thank our sponsors for today, Microsoft and Palo Alto for making this content possible. Now onto the show.
All right. Today we are joined by Doug McMillan Director for Sirius Healthcare around cloud and cyber security. And we are marching through some topics around moving healthcare to the cloud. Today we're going to focus in on cloud security and management. And security used to be the reason to not move to the cloud. Doug, I think we'll start with this. How are we viewing security in the cloud today?
Yeah, so, I think the core shift that I saw over the last three years while I was at Cone Health was really some of the initiatives that we had on our roadmap and looking at our data center.
As well as, pushing out to the edge, maybe at the cl We were going to have to really do a lot of work foundational to our network and things like that to really look at micro-segmentation zero trust. And, really the cloud gave us the ability to do these things much faster than we would have been able to do it inside of our data centers.
So we really started saying, okay, well maybe cloud is the answer to shifting some of these workloads and getting a better security policy over time. And then again as you look at your operations and thinking just the way that cloud offers up these unique ways to integrate things through APIs, you could bring in new tools and technology to a security team, like a SOAR, a security orchestration and automation and response.
Those things could all help me do a consolidated view and response to my environment.
It's interesting. The, the further you are behind, the more you can leapfrog here. I mean, when, when I came in, one of the things I was addressing was I think we had 70 to 80% end of life equipment in our data center, just four years of not investing in it for whatever reason.
And I had sort of that same response. I looked at it and I thought, okay, we could spend the umpteen million dollars to upgrade all of this, but what's right around the corner. And for us back in 2012, 2013, it was cloud. And so we could have invested there, instead we invested over here, it was sort of a shift, but that shift gave us an awful lot of new capabilities that, that we wouldn't have had. You had a similar story around disaster recovery at Cone Health?
Yes, sir. So it was late 2018 we had a new CIO and we were really facing a very large refresh for all of our Epic environments. And as we started to look into it we really said, okay, look at the, cloud public cloud Azure, and then look at things like vendor hosted Co-los.
But the, the more and more we looked at it at least from an agility, scalability as well as costs from a DR perspective, Azure just kept winning over time. And so we really, even though we were stepping out, I'll say into some waters that were not known at the time we met with all of our core partners and really came up with that strategy and they were all supportive.
So yeah, we jumped on board and said, it's time to do things differently. And that actually, I think when we stepped backwards now in 2021 and look at, 2018, we're like, wow, we knew how scary it was to be one of the first, but to see the flexibility that we have in the environment now is just, it's, I don't want to be overdramatic and say life-changing, but it really is. I mean, it does change the way that you handle your day to day.
We're talking about security and management and you started to throw out some of the basics. Some of the cloud security basics. You talked about SOAR. You talked about some of the other things. Touch on some of the other things that need to be in place for a good security framework for moving to the cloud.
Yeah. So we'd mentioned previously, looking at really a security platform approach is, and again, as it's just making sure that the management of your security controls are going to be manageable over time from the very small team. Again because I didn't have a very large team. So I'll start like endpoint agents, right?
So, in my past, we had come from what they had traditional AV with maybe a whitelisting tool on top of that which just was, it was a great security strategy in that something unwanted couldn't get in the environment, but it was a nightmare to manage. And it was also very resource intensive.
But when you start to look at things like cloud, where you're trying to dynamically scale, well, that doesn't play too well. So you really need to look at things that are going to enable you to get the same amount of security, but still get the flexibility. And what we had done over time has just transitioned to things like CrowdStrike, which was just a night and day difference for us because we could roll out CrowdStrike to just thousands and thousands of endpoints without really having to be impacted. Next gen firewall.
So you know, the intent there is to be looking, not only are you providing your data center protection from a next gen firewall, are you picking a partner that will enable you to use the exact same technology, but in a virtualized instance inside of Azure. So that again, your policies can really be dynamic and be on-prem versus the cloud, things like that. URL, content filters, again, are you still protecting the traffic that's outbound from an on-prem perspective, the same way that you're doing it from cloud? A large one, we've talked about zero trust a couple of times, but you know, a core foundation of zero trust is that micro-segmentation. So making sure that whatever you're picking as platforms enable you to move from on-prem to cloud is to have the same types of policies in place.
And then I can't say enough about identity. This one is one that I think gets overlooked by a lot of IT and security organizations. Identity to me is one of the core foundational items for security that if you don't get right, you can, you're setting yourself up for failure. So really pick a core provider that enables you to push your identity based policy across your data, whether it's on-prem, whether it's in public cloud or SaaS, which is the one that you can't forget.
So when we're moving to the cloud, are there any new platforms that present themselves that we have to adopt?
Yeah. So, CASB, I think was one, we mentioned. It's been around for a while, but again, some organizations might not have them and that's just to monitor and maintain that SaaS usage over time and make sure that you have things that are set up to say, yes, we allow this, or no, we don't allow this.
Or maybe you segment it with a group or something like that. But the other one is a cloud workload protection platform. So there's a lot of things in the market now that are set up to look across all of your public cloud instances and really see, let's say, EC2s, are you doing the right thing from an Azure compute, maybe storage, are you enabling encryption?
The reason I like these types of platforms is because it gives the security team a single pane of glass to look at all of your public cloud usage and make sure that your policies are being followed. And if you're working with your IT team, some of these platforms also have the auto heal. So it will self-correct itself if it finds something out of compliance.
Nice. All right. One of the things I liked about the last episode we did on cloud foundations is you gave me a framework and I love frameworks because, when I have frameworks, I'm able to just filter things through that framework. I want to move over to cloud management and you have a really good framework to help us make decisions on how we should be thinking about our implementation within the cloud. So talk about that cloud management framework a little bit.
Yeah. So we've talked of automation. To me, that's the core for all of this all to make everything that you're trying to do. And that's security as well as management. It only benefits you to use automation and spend your time on more again, strategic and useful things for the organization.
Standardization of tool sets. As I mentioned around that single pane of glass for the security team. Same thing from an infrastructure perspective. The more tool sets that you have, the less efficient you are because you have to look at so many different things. So again, try to standardize and use platforms to have the biggest bang for your buck that use cloud native features.
Again, I think that just reduces complexity inside of your cloud environment. However, again, it's, it's always a trade off feature set versus risk. And again, just make sure you're making those decisions as you go along. Code repositories. This one might be new for some organizations who aren't as far down the route of development shops.
You really do need to start taking that DevOps and DevSecOps approach. So that might mean some new skillsets with maybe Azure DevOps or GitHub or something like that. But you really do need to be treating your environment as infrastructure as code and then walking them through in a very standardized fashion.
As far as those coding, I would also say is, taking the approach of a crawl walk, run. So for example, you might just set up some scripts, for example, just to automate a single event. Once those are working well, maybe at that point you start to orchestrate and like sequence of events.
And then at that point, maybe, if it's working well, maybe taking into a CI/CD pipeline. You don't have to go from zero to five. You can really start to slowly walk yourself through them. And then cost management. As I mentioned, a couple of different times in our talks, really being intentional around subscriptions, reservations, the tagging understanding how to continuously improve and optimize that environment.
Because again, one of the things that was unique to a cloud environment that we didn't have on-prem is let's say the business has one month where maybe there's some financial heartache and they're looking for, well, how can we save money just to try to get us back on track? Well, now that you have all these things set up in an environment where you can tag and see and show how much money has been spent on what service you can offer up new ideas that maybe had been a little cumbersome on-prem, because you've already sent that money into a capital basic expenditure.
All right. Let's do this as our closing question, which is compare a cloud management environment for your IT organization versus an on-prem. Maybe a story that might illustrate this, a team that might illustrate how it's fundamentally different managing a cloud environment than an on-prem environment?
Yeah. I'll use that Epic upgrade example. Cone Health went through about maybe three or four, large Epic refresh to the hardware. So a typical fashion would be you start to evaluate your options from a storage perspective, from a compute perspective.
So you're going to be working with partners and maybe doing a couple of POC and bake-offs to look to see, okay, is this something that I want to take advantage of or not? At that point, you'd come into having let's say a configuration that you think is the right one for the environment.
You take that out, you're getting your quotes. You're taking that through your capital process after it's purchased. You've got, three to six months of hardware being shipped, hardware being installed. Getting to just a base level set of being able to put servers inside of that environment.
And then after that six months process, now you're ready to really start the application level work and start to ask the application teams to build out the new environment and migrate. So, all in all six to nine months easily for anyone who was in an on-prem. So as we moved our Epic disaster recovery environment to Azure, we spun up the entire Epic environment from a server perspective.
I think it was about, 20, 30 times over and over and over just to go through and make sure the process was working. And we had it within minutes to hours as opposed to six to nine months. Now obviously the application level things still had to take place, but that really wasn't what the holdup was. It was more of the infrastructure was always the slow down. So again, you could do that, but instead of waiting six months, you could have it within minutes to hours.
Wow. That's really exciting. Doug, thanks again. Cloud security and management. This was the fourth in our series. If you haven't listened to the others, go back and take a look at those. Our final episode will be on adoption and migration.
What a great discussion. We want to thank our sponsors for today, Microsoft, Palo Alto and Sirius Healthcare, who are investing in our mission to develop the next generation of health leaders. Thanks for listening. That's all for now.