Today is an exciting time to be a chief information officer (CIO) when considering all of the technologies and solutions available to organizations. The CIO’s office should be viewed as a key enabler of strategic business goals.
 
Many, if not most, emerging software solutions today are delivered via a Software as a Service (SaaS) model. CIOs need to understand the specifics of the SaaS vendor’s hosting environment to ensure that their data privacy and security concerns are addressed.

What Cloud Computing Offers

The term “cloud computing” has become mainstream over the past decade; however, it is not a new concept. Dating back to the 1950s, the concept was born with large-scale mainframe computing systems that were accessed via thin client/terminal computers, often called “dumb terminals.”

Today, cloud computing provides a cost-effective computing model for software vendors that relies on sharing of resources to achieve coherence and economies of scale. The thought of cloud computing can raise security and privacy concerns for many industries, especially health care.

There are several types of deployment models for cloud computing:
■ Private. Infrastructure dedicated to a single organization;
■ Public. A service provider makes shared resources available via the Internet to any or all clients in a true multi-tenant environment;
■ Hybrid. An organization provides and manages some resources in-house and has others provided externally; and
■ Community. Multi-tenant infrastructure shared among organizations from a specific industry with common concerns.

Each deployment model has advantages and challenges, but all have one common requirement: security.

Going Private

Private clouds are cloud-based infrastructures with hardware dedicated to one organization, offering services on demand without compromising security. Private clouds provide an elasticity—to accommodate increases and decreases in demand for computing resources—that was previously unavailable in a traditional computing model. Private clouds also offer rapid provisioning with cost allocations for specific business units if a chargeback model is used.

Unlike other types of clouds, private clouds are capital expenditure-intensive but offer greater control and security.

Private clouds can be hosted by an organization within its own brick-and-mortar walls or outsourced to a third-party service provider. Private clouds are especially useful for industries that are highly regulated or have strict compliance requirements.

Compared with public clouds, private cloud models will decrease some of the optimization opportunities and benefits and will partially limit scalability, but they still offer business operations opportunities to both enhance effective use of business assets and improve process efficiencies.

Three key benefits realized by all organizations are cost savings, business agility, and centralized security controls.

Centralized Security Controls

Compliance and regulatory requirements can be more easily addressed within a private cloud as it removes any concerns relating to a lack of transparency on the third-party service provider side.

Additionally, a private cloud will deliver greater controls over the underlying hardware, thereby addressing many of the common security concerns posed by business or legal team members. Functional needs and requirements can be met via the opportunity to customize the security solutions, once a security framework is embraced.

Private cloud security architecture is driven by environmental risks and vulnerabilities. The attack vectors will remain consistent; therefore, so should the general safeguard controls. Four general categories of safeguard controls are:
■ Deterrent controls are intended to reduce attacks on a cloud environment. These controls are much like a warning sign, informing potential attackers of the consequences if they proceed.
■ Preventative controls strengthen systems against incidents, generally by eliminating vulnerabilities. Strong authentication techniques will ensure users are positively identified before access is granted.
■ Detective controls will detect and react appropriately to an incident. Intrusion prevention is a good example of a way to defend against attack on a cloud environment.
■ Corrective controls will aid in reducing the consequences of an incident by reducing the damage. Restoring system backups to rebuild a compromised system is a good example of a corrective control.

A Good First Step

Private cloud models offer software vendors a way to optimize their infrastructure by sharing resources while enjoying the privacy and security controls needed for their industry. They offer businesses a more cost-effective way of providing access, both remote and in-house, in a highly secure environment.
As public clouds mature in privacy and security over the next several years, organizations may decide to migrate away from a more costly private cloud model to realize the full benefits of true cloud computing. Until then, private clouds offer a better solution for long term/post-acute care providers.
 
Randy Chesley is senior director, SaaS Operations, and chief information officer at MatrixCare. He can be reached at Randy.Chesley@matrixcare.com.