Improving the health of cloud security

How we helped a top US health care organization secure its digital capabilities

The challenge

Our client was operating in a complex technology environment, with process inefficiencies and a lack of technology adoption that caused tasks to take more time and resources.

At the operational level, individual teams were working within a decentralized structure. They had inadequate security controls and limited technical guidance on nascent topics such as cloud container security and encryption/tokenization in the cloud. And at the service delivery level, the lack of alignment with business requirements, industry-leading practices, and regulatory requirements only compounded matters.

When our client decided to take the crucial leap in migrating thousands of applications from its legacy environment, the transition led to misconfigurations and vulnerabilities being deployed at scale, increasing the risk of data breaches and service disruption. The need for immediate support to gain alignment with data protection and privacy requirements related to PXI (e.g., Payment Card Industry, Protected Health Information, Personally Identifiable Information) data became a growing concern. In addition to monitoring cloud identities and permissions, they also had to consider remediating vulnerabilities within the cloud.

Since the client used a defederated approach to securing Software-as-a-Service (SaaS) applications like Salesforce, there was a need to define baselines for SaaS security, and there was no visibility into the implementation of security controls like encryption. But, as our team dove into our client’s situation, we found that the biggest barrier was more of a cultural concern than anything else: they lacked confidence about their assets in the cloud.

Our approach

Our trusted relationships with the client stakeholders, a sound understanding of the organization’s technology and process environment, and high-quality work on our client’s cybersecurity transformation journey paved the way for Deloitte to be chosen as their strategic adviser yet again.

Redesigning the client’s operating model was important. Our team worked to augment the client’s existing cloud security processes, tools, and technology. To ramp up productivity, we used a delivery model consisting of an objective, cross-functional team, with technical subject matter advisors serving as stand-by resources for phased execution and the flexibility to leverage their skillsets as needed.

Security architecture and design pattern acceleration
As cloud migrations across the organization began to accelerate, the client had an immediate need for the development of repeatable security architecture and design patterns, and required a team to help review these solution architectures and provide relevant feedback and recommendations, integrating security into each design.

In addition, a team of experienced DevOps developers supported these designs and developed sample data to pressure test various capabilities to be hosted in the cloud. Infrastructure-as-code was developed to enable consistent repeatability of tests along with a runbook to allow their internal teams to run and modify testing procedures in the future.

Identity and access management
One of the initial migration efforts involved migrating applications from a home-grown authentication and authorization tool to Azure Active Directory. A strategy for capturing application prioritization and selection criteria for migration was defined and a factory was established, serving as a core component to migration achievements.

Pilot migrations were conducted to mature and refine the application migration framework, process, tools, templates, and accelerators for migration.

Application security
As the business went through extended digital transformation, security groups needed to adapt to changes in the responsibility model for SaaS applications. So we developed an assessment framework and identified security controls based on industry controls frameworks such as NIST SP 800-53 and Salesforce security leading practices.

Security operations
From a regulatory and cloud operations standpoint, our team focused on collaborating with client stakeholders to understand application architecture, identify PXI data used in applications, define encryption schemes, and define access policies prior to application onboarding. We helped integrate a tool used for securing containers in the cloud with the organization’s existing integration and deployment pipelines, which scanned for vulnerabilities and compliance violations.

We also helped our client securely manage their cloud identities by removing unnecessary privileges and fostering least-privilege role-based access control (RBAC) for their cloud environments. We leveraged our Python developers to script automated continuous testing and generate report results of security controls on DLP (data loss prevention) events.

Cloud security and compliance guardrails
To automate continuous remediation and enhance real-time visibility into their cloud compliance posture, we established automated cloud security guardrails for their Azure Platform. Fifty-one Azure services were selected for configuration compliance automation controls, which were aligned with nine leading security practices and regulations.

To guide end-user training and awareness, we developed a remediation reporting dashboard, email-based alerts, and a knowledgebase library.

The outcome

When our team started work on this cloud migration effort, the pace of business and technological innovation at the client had far outstripped its cybersecurity capabilities. However, a year and a few cyber initiatives later, the organization’s cyber program is more closely aligned to the business and technology environment. Although cybersecurity may have been viewed as a challenge in the past, it is now truly a business enabler.

The application migration framework—along with standardized templates, tools, and accelerators—has helped our client maintain a repeatable process for application onboarding and reduce their backlog of architecture review requests.

With the Azure guardrails implementation accomplished, we have further expanded scope to other cloud platforms such as Salesforce Heroku and Google Cloud. Our client has visibility into the security posture of their microservice-based environment and can closely monitor and rapidly resolve detected vulnerabilities and compliance violations.

With increased security came newfound confidence for our client. They are now poised for accelerated business transformation and competitive growth.

Have you integrated cybersecurity into your digital transformation journey? Let’s connect.

Jimmy Joseph
Managing Director
Deloitte & Touche LLP
jijoseph@deloitte.com

Justin Rowe
Senior Manager
Deloitte & Touche LLP
jurowe@deloitte.com
