Migrating to AWS Without Compromising on Security or Visibility

ExtraHop has played a role in our security program at Accolade for a number of years, and now with our new AWS-centric posture, it has an even more critical role to fulfill.

Mike Sheward

As we near the close of 2017, we can look back on a year of tremendous innovation for Accolade, a personalized health and benefits solution. As a leading platform in healthcare, our product and technology teams worked tirelessly to adjust our posture and migrate a wide variety of applications and support services into Amazon Web Services (AWS). We all know that AWS affords its customers tremendous flexibility. The ability to scale on demand, deploy more rapidly, and embrace the latest technologies are traits that have become intrinsic to the platform, and key to its success. However, the need to approach security in new and evolving ways can make security teams nervous. We know the feeling, and we know how to work through it.

My role in all this, as the technical security guy, is to enable the business through this transition, and ensure that while we innovate we don't lose the ability to protect our members' personal and health data and information. In our case, we handle highly sensitive, and highly regulated, protected healthcare information (PHI), and it is paramount that we stay HIPAA (Health Insurance Portability and Accountability Act) compliant.

You Can Outsource Infrastructure, But You Can't Outsource Risk

We read nearly every day that data gets stolen and real people are harmed. Those people don't really care if it was stolen from the cloud, from a co-located data center, or even from the back seat of a midsize SUV. Nor should they. We all have a sworn responsibility to protect the data that we're entrusted with, and when that data is PHI, our responsibility is amplified. The customer shouldn't have to worry about more risk or less visibility because of architectural decisions we make.

And just because you outsource critical business functions doesn't mean you outsource the risk. I might not be able to get at the copper and fiber cables anymore, but I still have a responsibility to protect customer data that flows through them.

ExtraHop has played a role in our security program at Accolade for a number of years, and now with our new AWS-centric posture, it has an even more critical role to fulfill. ExtraHop bridges the gap between the benefits associated with running in AWS, and the organic loss of visibility that occurs when you outsource the physical building blocks of your environment. You cannot walk into an AWS datacenter and install a network tap, for example (the whole point of AWS, of course, is that you're paying them to take care of that stuff).

How We Maintain Visibility and Stay In Control

Our solution here was to leverage ExtraHop in AWS, and include the ExtraHop agent in every single build for every single instance that we operate in AWS. These builds are all automated, leveraging AWS containerization features, so there is no additional configuration work for the system owners. The agents feed the EDA, and allow us to get into the raw packets just as if we were tapping a network connection. We get the flexibility of the cloud, with the visibility of on-premises deployments. Enabling the business, yet protecting our members. All the good things that information security people aspire to.

Our AWS-based ExtraHop feeds our SIEM tool, just as ExtraHop always has. This means that we still only need to check one place for total visibility and alerting. Alerts pertaining to EC2 instances fall into line alongside alerts generated from endpoint devices. After all, we're working to secure our entire company. The security experience across all platforms has to be consistent to be effective, and this is something that we've found particularly pleasing about deploying trusted ExtraHop technology in a new way.

You Can (Securely) Have It All

I often hear people in security talk about the risks of moving to the cloud. Honestly, it hasn't helped that this year people have gotten into the habit of exposing large chunks of data by messing up S3 permissions (stop doing this, please). My answer to those people is this: Yes, working in the cloud has changed the way we do security, but it hasn't made it impossible – and it absolutely should not bring security compromises. Far from it. It wouldn't be information security if we didn't have to adapt and overcome. With their AWS-based offerings, ExtraHop enables security teams to do just this, and Accolade is extremely grateful to have them on the team as we begin our first year as a full-fledged resident of AWS.

Mike Sheward, CISSP, CISM, CCFP-US, CISA, HCISPP, CEH, OSCP, CHFI, is an information security professional specializing in Incident Response and Digital Forensics investigations, currently leading security at Accolade. You can read more about Mike's work in the field in his book, Digital Forensic Diaries.
