In the wake of the most massive security breach in recent memory (and that is saying a lot) Anthem, the 2nd largest healthcare network in the U.S., has announced its plans to move to cloud infrastructure. The planned $500 million deal with IBM will result in a hybrid cloud environment. Anthem, like most large enterprises, has chosen, at least initially, to pursue a hybrid architecture, which will allow Anthem to continue making use of existing data centers, which Anthem will continue to manage.
The move was announced on January 21, 2015, which was, oddly enough, about the time the massive breach must have been occurring. Anthem’s stated reason for adopting cloud infrastructure was to garner operational improvements and the ability to scale rapidly to meet the demands of their business. Certainly for these reasons adding cloud infrastructure in a hybrid set up offers the benefits of cloud without requiring that a company abandon expensive legacy platforms that operate in their existing data centers and don’t easily port to cloud IaaS.
Clearly Anthem and most large enterprises have been asleep at the wheel when it comes to security. Most large companies still believe that they have the resources and focus necessary to protect their data while at the same time pursuing the needs of their business. Intuitively one might have believed that a large corporation would be up to the task of fending off a nerd in his mother’s basement. But the world has changed now as the specter of state-sponsored acts of cyber terrorism emerges. Indeed, there is suspicion that the Anthem breach was perpetrated by Chinese hackers while the Obama administration has accused North Korea outright of being involved in the Sony hack.
One hopes that Kurt Marko of Forbes is justified in the faith he places in global companies when he observes, “Companies will soon realize that building private information fortresses and staffing an independent cyber security army is a losing proposition.” It is becoming clear to most IT Security experts that only massive armies of elite security professionals focused on the task can provide secure infrastructure—the armies employed by cloud IaaS providers whose business is providing a secure computing platform. To make matters worse for the average company, the best talent always flows to the most exciting technology. And it is becoming more and more difficult for a company to attract the best and brightest to maintain the technology architecture of the last century. Cloud is the trend and the smartest professionals want to be there.
Does moving to the cloud guarantee total security of your data? Of course not. Security happens at every layer, including the physical, network, and application layers. This is why the shared responsibility model of cloud security is so important. The IaaS provider makes it their business to offer a secure physical infrastructure with robust tools to add additional security to your environment while it is up to the customer and their security professionals to ensure application, OS and network security best practices. Steven Sinofsky of Microsoft says it best:
If you use public cloud services on next-generation platforms you aren’t guaranteed security, but it is highly likely that the team has assembled more talent and has an existential focus on security that is very difficult for most enterprises to duplicate.
So after Anthem’s embarrassment, why would Anthem continue to manage data centers in a hybrid environment? Because like many large enterprises they have made commitments to platforms and technologies that don’t easily move to the cloud. This is perhaps the most concerning fact for people like me who have entrusted personal data to these large enterprises—their tendency to move to hybrid environments as an interim step until they abandon ancient platforms, thus postponing the security benefit of a full move to the cloud. “As Sony’s sad experiences make clear, data security and protection are best left to those with a deep bench of security pros.” – Kurt Marko, Forbes
Blue Sentry is an advanced-tier Amazon Web Services (AWS) consulting partner specializing in application and data migrations, expert managed services and virtual desktops. Blue Sentry serves clients globally, with operations in North Carolina and South Carolina.