Accenture research shows that 60 percent of healthcare CIOs recognize the security benefits of the public cloud—and 66 percent are in the process of shifting to a cloud services model. Yet the research also reveals that more than two thirds still retain 80 percent or more of their estate on-premise. These organizations struggle to make traditional security practices work in the public cloud, especially as nearly all (96 percent) still have policies and controls in place that hinder material cloud adoption. To accelerate the transition, CIOs need a deeper understanding of why the public cloud is so secure—and a new, more collaborative and outcomes-based approach to data security.
A question of mindset
Forty percent of CIOs already consider the public cloud inherently the most secure option, compared with 35 percent who favour private cloud and 25 percent who favour on-premise data centers. What worries them is how to leverage public cloud as a platform to improve security. They lack the skills and knowledge to develop mature public cloud security strategies, and the tools and processes that enable them. In addition, they wonder how to translate existing on-premise security practices to the public cloud, and where to adapt those practices in order to benefit from the new approaches and capabilities that such a shift would deliver. The upshot: long delays in design and implementation (see Figure 1).
For most healthcare organizations (96 percent), traditional policies and controls are slowing cloud adoption, often because they refer to specific technologies or products rather than focusing on the desired security outcome. Policies often name vendors or capabilities, which limits their application to the public cloud, or lack the flexibility to accommodate newer capabilities born in the cloud. Customer-specific and regulatory requirements that have been translated into on-premise security practices over the years compound the problem (see Figure 2).
Yet Accenture experience suggests that few existing security policies are in direct conflict with public cloud-based platforms as the primary landing zone for healthcare applications and data. The real challenge is to understand the shared responsibility models of the large platform providers and vendors, and to develop a new set of security controls that application teams building capabilities in the cloud can easily apply.
Granular and robust
The necessary shift in mindset could be accelerated if CIOs had a better understanding of why the public cloud, when well architected, is so granular and robust. In the public cloud, the default posture is to deny access to any user or service that has not been explicitly granted permission: an identity with no policy attached can do nothing. This is quite unlike traditional on-premise environments, where hosts on the internal network are often implicitly trusted and access restrictions are layered on manually afterwards. The public cloud’s fine-grained, “deny by default” posture greatly enhances security and, when consistently applied (that is, when broad wildcard grants are avoided), minimizes the inherent risks of both inadvertent exposure and malicious access.
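To make the “deny by default” evaluation concrete, here is an added Python example (not code from the page, nor from Accenture or any cloud provider) that models the policy evaluation order the major cloud IAM systems document: with no applicable statement the request is implicitly denied, an applicable Allow grants access, and an applicable Deny overrides any Allow. The policy documents, bucket and resource names are constructed for illustration, and the evaluator is deliberately simplified: it ignores conditions, resource-based policies and permission boundaries.

```python
"""Simplified model of cloud IAM policy evaluation ("deny by default").

Added example, not from the original page. The JSON-like statement shape and the
ARN-style resource names are assumptions chosen for illustration. The evaluation
order modelled here (implicit deny -> explicit Allow -> explicit Deny wins) follows
what major providers document, but real evaluators also handle conditions,
resource policies, permission boundaries and more.
"""
from fnmatch import fnmatchcase

# Constructed sample policy attached to a hypothetical application identity.
# Access is limited to one bucket prefix, and the audit prefix is explicitly
# denied even though the Allow statement's wildcard would otherwise cover it.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::phi-app-bucket/*",
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::phi-app-bucket/audit/*",
        },
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, candidate):
    """Glob match: '*' and '?' wildcards, as used in cloud policy documents."""
    return any(fnmatchcase(candidate, pattern) for pattern in _as_list(patterns))


def _statement_applies(statement, action, resource):
    # Action names are compared case-insensitively, resources case-sensitively.
    action_patterns = [p.lower() for p in _as_list(statement["Action"])]
    return _matches(action_patterns, action.lower()) and _matches(
        statement["Resource"], resource
    )


def is_allowed(policies, action, resource):
    """Return True only if some Allow applies and no Deny applies.

    Starting from `allowed = False` is the whole point: a principal with no
    applicable statements is denied without anyone having to write a rule.
    """
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_applies(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed  # still False when nothing matched: implicit deny


def demo():
    """Evaluate a few constructed requests and return the decisions."""
    policies = [DEVELOPER_POLICY]
    return {
        "no policy at all": is_allowed([], "s3:GetObject", "arn:aws:s3:::phi-app-bucket/r/1"),
        "read in scope": is_allowed(policies, "s3:GetObject", "arn:aws:s3:::phi-app-bucket/records/1"),
        "read other bucket": is_allowed(policies, "s3:GetObject", "arn:aws:s3:::other-bucket/records/1"),
        "delete (not granted)": is_allowed(policies, "s3:DeleteObject", "arn:aws:s3:::phi-app-bucket/records/1"),
        "read audit (denied)": is_allowed(policies, "s3:GetObject", "arn:aws:s3:::phi-app-bucket/audit/2024.log"),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:22s} -> {'ALLOW' if decision else 'DENY'}")
```

Only one of the five requests is allowed; every other outcome is reached without an explicit rule, which is what “deny by default” buys you. The caveat in the text still holds: a single `"Action": "*"` with `"Resource": "*"` in an Allow statement would collapse that posture back to “open by default”, so such wildcard grants are exactly what pre-approved guardrails should reject.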
Collective responsibility and a focus on outcomes
CIOs need to agree desired security outcomes with other enterprise stakeholders. Five considerations are key:
1. Take a public cloud-first mindset
Leverage new security practices and capabilities, born in the cloud.
2. Collaborate early across all stakeholders
The CISO is a critical partner in building scalable security capabilities—yet only 21 percent of CIOs have completely aligned their cloud strategies with their CISO.
3. Ensure that you go beyond IT
Draw legal, compliance, vendor management and others into a conversation about why security in the public cloud reduces risk for the organization over time.
4. Empower application owners and developers
Give application owners and developers responsibility for architecting secure public-cloud capabilities, and provide pre-approved guardrails so they can integrate security into their development processes easily and at speed.
5. Leverage partners differently
You need public cloud providers with robust policy enforcement and compliance monitoring built for the specific needs and nuances of healthcare/HIPAA.