Medibank is allowing staff outside of the IT department to sign up to cloud services such as Amazon Web Services (AWS) to reduce website hosting costs, while at the same time including IT security in the process, according to Medibank enterprise security manager Mark Burns.
Speaking at the Gartner Security and Risk Management Summit in Sydney this week, Burns told delegates that IT security has received 20 separate requests over the past six months to use different cloud services such as online storage.
“One of the key challenges for my security team is dealing with the potential loss of visibility. Traditionally, we were able to force the business to engage with IT because they were relying on us to deploy the server, install the software or open up the firewall,” he said.
“With cloud services and a corporate credit card, it is possible for anyone in our business to sign up and start using a service which requires no input from IT.”
- IT security needs to market itself to the business: Woolworths
- Medibank upgrades IT for activity-based working
- Medibank aims to reduce delays for online, mobile customers with HP software
Rather than IT security saying ‘no’, Medibank has invested heavily in the adoption of cloud services to help it increase productivity and reduce costs.
For example, as part of a project to rebuild the Medibank corporate website, the company moved its website into the AWS environment to reduce the ongoing costs associated with website hosting.
“We are also using AWS’ auto scaling functions to deal with peak demands during end of financial year and tax return time,” said Burns.
“Aside from the opportunities that migrating to the cloud brings, it also challenges the traditional approach to security.”
However, Burns said that IT security professionals need to “embrace the cloud” otherwise they are going to be unable to prepare with cloud services requests from the business.
Within Medibank, IT security worked with the internal audit, procurement and legal teams to draw up a cloud services policy.
“We have developed and implemented a third party security assessment program where we take a risk based approach in assessing third party vendors,” he said.
“We always ask three questions about the cloud. What kind of data is being stored in the cloud? Where will the data be stored? And who will have access to the data?”
Medibank also works with trusted security partners such as Trend Micro.
Burns shared an example of how his team has helped protect Medibank from a potential Privacy Act breach.
The company engaged a software-as-a-service (SaaS) company who provides a transcribing service.
“In years by gone, a doctor would use his tape recorder to record his clinical notes. Now the doctor can call a number, record the notes like a voice message and then someone in the world will transcribe those recordings into a document,” said Burns.
However, the first time IT security heard about the service was when Medibank’s procurement team asked Burns to sign off the contract with the SaaS provider.
“As soon as we heard about it [the contract], we performed our security assessment and due to the fact that clinical notes are quite sensitive, we arranged for a penetration testing to be performed of the SaaS provider.”
However, the penetration test found that the voice recording application had not being developed properly. If a cyber-criminal guessed the unique URL of the voice recording, they would be able to access the recording.
Burns recommended that Medibank not proceed any further with the SaaS vendor.
However, he said that finding people who understood medical terminology and could transcribe notes proved difficult.
“We had no alternative but to work with the SaaS vendor to remediate the issues. IT security also worked with legal and procurement to put specific clauses in the contract. The vendor, and any third parties it dealt with, had to comply with the Privacy Act.”
The vendor also had to take steps to make sure the transcription software was securely coded and tested.
“Medibank retained the right to obtain an independent audit of the software and terminate the agreement if the security issue was not remediated within a defined time frame.”
“In response, the company did mitigate most of the issues before we began working with them. They implemented a secure coding standard and began recruiting for a senior information security manager,” said Burns.
Follow Hamish Barwick on Twitter: @HamishBarwick