Free Trial

Blog

Introduction of the Cavirin Connect Global Channel Partner Program

This week, we announced our new Cavirin Connect Program, empowering resellers, integrators, and MSSPs to offer the Cavirin CyberPosture Intelligence solution to customers worldwide, solving full spectrum hybrid cloud security challenges.

In the very competitive security market, the channel is looking for new ways to solve customer problems and differentiate themselves. The demand for a solution that provides controlled secure asset migration in complex hybrid cloud infrastructures represents just such a challenge and an opportunity.

Cavirin is ideal for this, as we have the perfect solution for organizations looking to maintain business continuity while moving critical assets in the cloud and in multi-faceted hybrid environments! Cavirin’s CyberPosture Intelligence solution, which includes a wizard-based, API-driven control plane, is simple to ingest by the channel. Cavirin Connect brings tremendous value to their customers while offering low cost of sale. Cavirin cloud security automation addresses that!

For MSSPs, the program aligns with evolving cloud service offerings and allows them to focus on hybrid cloud service delivery that has meaningful bottom-line impact most important to their consumers.

We help the channel better address C-level concerns of their customers too – security and visibility. Cavirin makes it simple for executives to understand their cloud security defensive posture, to understand potential risk, and to improve their stance against potential threats at low cost.

Unfortunately, organizations haven’t had access to a best-in-class solution like Cavirin that prevents data breaches by giving them unified control over all hybrid assets. It’s simply hard to control and protect what you can’t see! We deliver the visibility and control necessary to secure their entire hybrid cloud theater through our Cavirin Connect Channel Partners.

We’re in the business of making it easy to manage security in complex environments without having channel customers drive multiple silo viewing tools into their hybrid workloads. Cavirin’s atmospheric global control and visibility of the hybrid-cloud security plane allows our partners to deliver value highly sought after by today’s enterprise organizations.

Cavirin Connect equips our partners with the necessary technical and business acumen to enable them to deliver cutting-edge hybrid cloud security to their customers.

We also spent a great deal of time thinking about the onboarding and channel management process. In conjunction with the announcement, Cavirin’s partner management portal based on Allbound is now live, a one-stop shop for deal management, co-marketing, training, all with a goal of reducing the sales cycle and increasing the partner’s win rate. Key components of the program include tiered discounts and a 100% deal registration model to avoid channel conflict while increasing margins.

Inaugural members of the Cavirin Connect Partner Program include Astadia in the UK, Bodega Technologies, InterVision, Lite Distribution in Australia, Logicworks, Scalar in Canada, Titans Security in Israel, Veristor and others. Though less than 20% of our revenue today is via the channel, we intend for this to grow to 100% over time. Partner-driven lower-touch engagements will be the domain of our commercial team, while larger enterprises will follow a high-touch model, also driven through the channel.

Our promise is to deliver an unparalleled onboarding and ‘day-2’ experience that will generate value and cause partners to want to work with us…. a win-win for all involved.

Partnership, Protection, Profit with Technical and Business Superiority for our trusted Cavirin Connect Partners. This is Cavirin Connect.

Get information on Cavirin Connect.

 

 

  

0
0
0
s2sdefault

Healthcare IT Blog Series - 6 of 6

In the last blog of our Moving Healthcare to the Cloud series, we discussed how organizations can operationalize security in order to ensure digital assets remain protected. This blog wraps up the series and examines different ways to measure the success of your efforts to move to the cloud and keep your data secure.  

We hope you have benefitted from our ‘Moving Healthcare to the Cloud’ series. Over the course of the first five blogs, we showed how to identify what steps to take in the cloud journey. It starts with focusing on the why—making the business case for moving to the cloud. We then delved into understanding which of your systems are ready for the journey and which are not.

From there, the series addressed how to assess the appropriate levels of risk for all the assets you are moving to the cloud to ensure confidentiality, integrity and availability. In our most recent blog, we demonstrated how to operationalize security. This includes the policy controls to put in place beforehand, how to monitor security, and how to react to breaches.

Some of the key takeaways from our series are the benefits of moving to the cloud, which go well beyond the cost savings. These include improved system and app availability, enhanced ability to manage risk, and increased ability to employ compensating controls and governance.

We also demonstrated how cloud environments are now just as safe—and likely even more safe—than on-premises environments. The key is to assess each of your systems and data sets to determine which ones you are comfortable with moving to the cloud, and which ones you prefer to keep on-site.

It’s then onto integrating your cloud environments with your systems that remain on-premises, and creating a security framework to protect all of your data as it travels across all of your environments. It’s all about implementing the necessary policies and controls, and then leveraging technology tools to control and manage the access of all your end user groups—including clinical staff, administrators, support staff, patients and your Business Associates.

With a plan and program in place, it’s now time to measure how well the policies, processes, and controls are working.

Metrics to Measure Success 

When it comes to measuring the success of moving a portion of your IT infrastructure to the cloud, here are the key metrics to research and analyze:

  • Availability—what percentage of the time can your end users access the applications they need to interact with each other and to do their jobs? Consider the level of availability for all your end-user groups—internal and external.
  • Reliability—if a system or application shuts down, how quickly can it be restored? Is all of the data recoverable? Be sure to test regularly so you know what to expect when a real disaster strikes.
  • Performance—is the throughput sufficient so end users do not get frustrated waiting for responses? For application usage to increase and generate business benefits, the user experience is critical.
  • Capacity—does the cloud environment easily and quickly scale up and down according to the demands on each of your applications?
  • Service—when technical support issues arise, do IT and end users have immediate access to help desk support? Are issues resolved promptly? When necessary, are issues escalated?
  • Cost—keep a close eye on server utilization and “zombie” servers spun up for a specific business purpose but no longer in use. You don’t want to be paying for cloud resources you don’t use.

All of the metrics above should be backed with a clear ‘Code of Ethics.’ The most important aspect of all when it comes to the cloud for the healthcare industry is to ensure data security. Identity management, privacy and access control should be monitored closely. It’s also important to consider how well your cloud environments conform to regulations. If you fail in the ethics arena, the fallout could be cataclysmic.

For specific metrics to determine how well do you manage access and risk as well as how secure and compliant your business is, there are a wide range of numbers to look at:

  • Number of security policy violations
  • Percentage of systems with formal risk assessments
  • Percentage systems with tested security controls
  • Percentage of non-compliant, weak passwords
  • Number of identified risks and their severity
  • Percentage of systems with contingency plans
  • Number of successful and unsuccessful log-ins
  • How many viruses and spam attacks were blocked vs. how many got through
  • How many patches have been applied

For these numbers to be useful, you first need a baseline that examines where you stand today, perhaps recording the results over a three-month time period. You can then compare those baseline numbers to ensuing three-month time periods. The key is to move the needle in the right direction over time.

Increase Value Over Time

As you measure the success of your cloud migrations, strive to improve your metrics in each of the areas listed above so that the value of your cloud environment increases over time. As cloud technologies continue to evolve, you will also want to evaluate how your organization’s use of the cloud should change.

The things you can do today will likely pale in comparison to what you can do tomorrow!

Be sure to check out all of the blogs in our ‘Moving Healthcare to the Cloud’ series. And for more information on migrating your IT infrastructure to the cloud and how to secure your cloud environment.

Read about how Cavirin can protect your ePHI.

 

 

 

 

 

 

 

 

Read about how Cavirin can protect your ePHI.

 

 

 

 

 

 

 

0
0
0
s2sdefault

Healthcare IT Blog Series - 5 of 6

In the last blog of our ‘Moving Healthcare to the Cloud’ series, we presented how organizations can assess, manage and reduce the risk of security attacks. In this blog, we discuss how to operationalize security in order to ensure digital assets remain protected.  

After migrating IT systems to the cloud, integrating your cloud environment with on-premises systems, and assessing your security risks, the next step is to operationalize your on-going security program. By following the best practices presented in our previous blogs, you should already have the framework for a robust system in place.

The program should include a consistent security policy to help you determine everything you need related to protection, audits and remediation. A robust policy serves as a bedrock for establishing a strong security posture and helps you make sure you can answer all the key questions as you delve deeply into the details. Here’s just one example of the many scenarios you will need to consider:

  • How long can patient records be stored on-premises?
  • Does the length of time for storage change if you move records to the cloud?
  • Are there privacy and regulatory issues to be concerned about in one cloud platform versus another?

As this example illustrates, security and compliance become more complex when you move part of your IT infrastructure to the cloud and integrate it with on-premises systems and other cloud environments. But with a proper robust framework in place, you can make sure you ask all the right questions so that the answers identify any security policies and controls you need to change.

Security Lifecycle Management Maintains Security Posture

Operationalizing security involves establishing a lifecycle management program in order to maintain the security posture of your cloud and on-premises infrastructure—from conception to the retirement of various components through all the stages of deployment, integration and support. Tools, applications, operating software and even the hardware appliances will likely go through upgrades and then eventually be replaced by new technologies.

Other components, such as policies and controls, will also go through revisions as business, IT and data conditions change. Here’s a rundown of the key components to manage: 

  • Security Policies—document system constraints that determine the data that the internal staff, patients, Business Associates and other end users can access. The policy should answer the basic questions, “Which groups of end users can do what on each system, and which data sets can they access?” The can also be defined by time, physical position within the facility, and geo-location if the users are operating remotely.
  • Security Controls—apply documented processes and countermeasures, such as firewalls, to prevent as well as detect and mitigate security risks to your data and digital assets.The controls should safeguard sensitive information and prevent unauthorized system usage. The controls need to match your policies and must be monitored to ensure proper enforcement. Misconfigured or unattended controls could result in an increase in exposure, oftentimes increasing the risk with a false sense of security.
  • Application Development Security Framework—it’s just as important to protect your application development and staging environments as it is to protect your production environment. These environments are also subject to cyberattacks and thus need the same level of defense and monitoring.
  • Compliance Auditing—involves a comprehensive review of your adherence to regulatory guidelines, such as HIPAA. While internal audits should occur on a regular basis, regulatory bodies will require you to hire independent consultants to validate your compliance preparations and assessments.
  • Security Monitoring and Response Tools—there’s a wide range of tools to choose from for both security risk monitoring and response, and it’s important to rely on multiple, integrated tools so that you can put attacks into context. You need to make sure you focus on those presenting the highest risk and avoid working on any false positives.

As you formulate your policies, controls and tools, the data access given to various end users will need to vary before, during and after a security breach. As data sets grow bigger, as compliance laws evolve, and as end users become more educated and empowered, the need to adhere to mandates is just one of several reasons to keep ahead of any regulation.

Ongoing monitoring to uncover policy violations and to determine if there are corrective actions to be taken is critical. But monitoring under steady state conditions (where no active response is needed) is also vital. It allows you to establish an “All Clear” baseline against which deviations can be realized.

Also a Competitive Differentiator

In addition to protecting your digital assets, maintaining a strong security posture and staying ahead of compliance regulations (even before the deadline) can be used as competitive differentiators. If your patients see evidence that your organization is proactively addressing security issues, the more likely they will want be treated by your doctors and nurses. Likewise, your Business Associates will more likely want to do business with you.

The falsehood that advertising your security policies will result in a hacker attack is not a reason to avoid raising security awareness. In fact, promoting your security efforts will stimulate laggards to get moving, which will benefit the entire healthcare industry!

In our next ‘Moving Healthcare to the Cloud’ blog,we will wrap up the series by discussing how to measure the success of your efforts in establishing a strong security posture.

Read about how Cavirin can protect your ePHI.

 

 

 

 

 

 

 

0
0
0
s2sdefault

Healthcare IT Blog Series - 4 of 4 

In this post of our Moving Healthcare to the Cloud series, we discussed the key considerations for healthcare organizations that are defining a cloud migration project. In this blog, we examine the technologies to apply in order to assess, manage and reduce the risk of security attacks.

While the cloud is proving to be less risky, more secure and more innovative than traditional on-premises IT, it is still not foolproof nor without risk. Healthcare organizations need to take every precaution in the cloud to ensure confidentiality, integrity, and availability.

In many cases, data must be properly encrypted, with keys stored separately from where the data is stored in order to maintain confidentiality. The number of admins who have access to the keys to decrypt the data should also be limited and all access should be logged and verified. Data integrity can be ensured only if admins and users who have appropriate levels of authorization can modify, manipulate, or delete the data.

Another key defense measure is your backup and recovery program. If a ransomware attack succeeds, you want to at least be able to fall back to an infrastructure and dataset that are free from compromise and can be safely used to get the business back up-and-running.

To protect your organization from ransomware, be sure to run on-going, frequent backups and test these backups as part of your disaster recovery plan tabletop exercises. Along with backup and recovery, also ensure all of your security policies can be applied uniformly to all public and private clouds as well as your on-premises data center. This will help ensure a consistent end-user experience with limited disruption to the business.

Assessing Your Security Posture

A good way to assess your current security posture is to utilize the “CIA” triad model: Confidentiality, Integrity and Availability. The model can guide your information security policies with respect to your data.

Confidentiality applies rules that limit access to information. Integrity assures the data is trustworthy, accurate, and has not been tampered with. Availability guarantees reliable access to the data only by authorized people.

If your organization achieves all three model components, you’ve got a solid security posture and can more easily address the challenges of cloud security. This is especially true for hybrid environments where users and data move back-and-forth from on-premises and cloud infrastructures.

Deploying Access Control in Hybrid Environments 

One of the key challenges when it comes to securing hybrid environments is access control, which requires the enforcement of persistent policies. Adding to the risk is that access in hybrid environments is usually available to a large range of devices. This makes it difficult to create and secure persistency within access policies.

There are a range of access control models to choose from, and it’s imperative to determine which model is most appropriate for your organization—based on data sensitivity and operational requirements. When processing personally identifiable information or other sensitive information types, access control needs to be a core capability of your security architecture to ensure you comply with HIPAA regulations.

Multiple vendors provide privilege access and identity management solutions that can be integrated into your identity management platform, which is key because you may actually require multiple technologies to achieve the desired level of control. Multifactor authentication is another a component to further enhance security.

Given the complexity of access control and the dire consequences, if not handled properly, it’s best to consult with your IT partner!

Multiple Tools Required to Focus Efforts

Another key aspect to consider in enhancing your security posture is the set of tools you deploy for monitoring and responding to risks. This includes identifying risk, measuring risk, and mitigating risk.

It’s critical to rely on a combination of threat intelligence sources backed by analysis tools and security experts so you can put risks into context for the healthcare industry in general and your organization in particular. This makes it possible to know which threats represent the biggest risks so you can focus your efforts in the right place—and avoid wasting time on low-level threats and false positives that don’t represent any real threat at all.

In Closing

We are excited about how popular this Blog series has been, so by request, we will be posting two more postings regarding ‘Moving Healthcare to the Cloud’.  Next week's posting will discuss how to operationalize security--this includes managing the security lifecycle, applying security policies, and establishing control to ensure compliance.  Please check back in next week or subscribe to our Blog postings, by sending an email to This email address is being protected from spambots. You need JavaScript enabled to view it. so you will be alerted when they become available.  

 

0
0
0
s2sdefault

Healthcare IT Blog Series - 3 of 4 

In the last blog of our Moving Healthcare to the Cloud series, we discussed why it makes sense for healthcare organizations to move their IT infrastructures to the cloud. In this blog, we examine the process for defining cloud migration projects.

Although every step in the overall cloud migration process is critical, just how well you define the project at the start could very well set the stage to streamline success—or cause a lot of pain along the way.

At a high level, you first need to decide exactly what to move to the cloud:

  • Which business functions?This covers the entire spectrum of the healthcare organization—from patient medical services to billing, procurement, insurance claims, compliance, human resources, marketing, communications and physical security as well as the general operations of buildings and grounds. Business processes to which end users require anytime, anywhere access from multiple devices—as well as those processes through which end users collaborate frequently—will likely benefit the most from moving to a cloud environment.
  • Which systems? You may discover that while it makes sense to move a certain business function to the cloud, the function may be supported by a legacy system that makes sense to keep on-premises for the short term. Older technologies may simply not work well in a cloud environment fraught with new technologies. Perhaps it makes sense to wait until it’s time to upgrade the system before moving it to the cloud. 
  • What data? Data is now just as secure in the cloud as it is on-premises. But there may be some systems containing data that you feel more comfortable keeping under your direct control. Over time, senior management may become more comfortable with storing sensitive data in the cloud, but in the near term, it might be best to go with what makes the boss happy!

Most organizations that move to the cloud end up utilizing multiple environments. While health records, financial systems and human resource applications will generally be moved to a private cloud, you may want to isolate them in separate environments. Other systems, such as email and marketing, could be moved to a separate, yet shared, public cloud in order to reduce costs.

Determine the Necessary Resources  

Another key aspect to defining a cloud migration project is determining who will play a key role. You will likely rely heavily on your primary IT partner—or one that specializes in the cloud—for designing your cloud environments. Depending on the services your chosen partner offers, you may also need to turn to another provider (or providers) to host your cloud environments.

Also, consider the internal resources you will need to coordinate the migration and to interact with your partners who maintain the cloud environment. In addition to IT resources filling these roles, you will want to secure the buy-in of the senior management team in getting the organization as a whole to realize and accept the benefits of cloud computing. Moving to the cloud involves a bit of a culture change in the way people interact with applications, so make sure all your end users are on board.

Getting the Ball Rolling 

The best way to get the ball rolling in defining what systems to move to the cloud is to take a ‘Cloud First’ approach. This means that all heads of each business function must show conclusive evidence why certain apps and data are not cloud-ready. The burden of proof lies on these individuals to prove this; otherwise, the cloud is the final destination.

David Chou, CIO of The Children’s Mercy Hospital in Kansas City, spells this out in a three-phase approach to the Cloud First journey:

  1. Evaluate your current culture and outline what is required to transform into a cloud-first operation.
  2. Draft a vision that answers why you are moving to the cloud and what becoming a Cloud First organization will achieve—in a way executives and non-technical employees, including clinicians, can understand easily.
  3. Communicate the benefits that cloud technologies will deliver; this includes the upside to adopting cloud technologies instead of using on-premises systems that the staff is already comfortable using.

The ‘Cloud First’ mandate helps you identify which business functions are the first to move, what systems within each of these businesses to move, and why (as discussed above). This approach also facilitates the identification of critical versus non-critical data, data subject to compliance mandates, and applications that require strict availability versus more tolerant applications.

Next Up: Managing User Access

In our next ‘Moving Healthcare to the Cloud’ blog,we will discuss how to manage end-user access and reduce risk. This includes how to adequately define and enforce access control policies as well as how to monitor, identify, respond to, and mitigate risks. 

Cavirin joint seminar with Logicworks - Meet 5 Innovators Who Are Revolutionizing HealthTech - May 9, evening, NYC

Read about how Cavirin can protect your ePHI.

0
0
0
s2sdefault

 

Phew!

That’s all I can say after last week’s very successful (in the eye of the writer), very crowded (50,000 in a construction zone?), and sometimes overwhelming (parties?) RSA. Anyone in attendance would agree that the intensity, the depth of conversation, and even the innovation was a step up from previous years.  But so was the angst.  Read on!

At Cavirin, we introduced CyberPosture Intelligence to the world, along with an accompanying survey on hybrid cloud security that speaks to the necessity and timeliness of our approach.  As a reminder, CyberPosture Intelligence:

  • Provides actionable intelligence for the CISO and stakeholders to take control by delivering continuous risk, cybersecurity, and compliance management across hybrid environments.
  • Offers continuous compliance for the hybrid cloud and eliminates the gaps and risks inherent with current approaches.
  • Secures both the public cloud control plane as well as target hybrid cloud workloads (servers), on-premise, within the public cloud, and within containers.

This last point is especially important, given the need to protect critical workloads in the cloud. Having a solution that only looks at the servers, or the cloud account itself, leaves you half-blind, half-protected. You need real ‘situational awareness’ where you’re immediately made aware of any drift from your ‘golden posture’ and, from there, can take appropriate action. 

At the same time, you need a simple deployment based on a technology-agnostic solution that delivers as close to single click scoring as practical, contrasting with multiple stove-piped tools, manual processes, and point-in-time assessments.  An approach that cuts through the noise to offer real, actionable guidance to protect the hybrid cloud, 24x7.

Similarly, a well-developed GDPR plan should be put in place for implementation. On May 25, the GDPR regulation will officially take effect in the EU, inevitably impacting companies beyond those borders.  According to a recent survey released by Cloud Security Alliance at RSA “31 percent of companies have well-defined plans for meeting GDPR compliance, 85 percent have something in place, and 73 percent have begun executing that plan.”

Ultimately, we want the CISO to achieve business outcomes that reverse what is a disturbing trend, where additional security investments don’t necessarily make things better. Reversing a reality that had Cisco’s SVP of security, John Stewart, lamenting the fact that 3.5 million security jobs will go unfilled in the coming years.  He concluded with the statement ‘we are completely screwed.’   Well, let us help un-screw things!

Check here for some of the great coverage we’ve received on our CyberPosture strategy and how it fits into current security conversations across different verticals and geos.

0
0
0
s2sdefault

© 2018 Cavirin Systems, Inc. All rights reserved.