Expert tips for managing your cloud data

Yes, security is important, but so are networking, governance, data formatting, and other technical issues

When oncologists at Carolinas HealthCare System go before a tumor board review to discuss patient cases, they are looking for feedback on treatment plans and clinical trials. During their presentations, the doctors show their peers genetic data, pathology reports, lab results and physicians’ notes—all of which is at their fingertips because it is stored in a Hadoop cloud on Microsoft Azure.

This is the nonprofit hospital network’s first big foray into the cloud, and it has prompted careful consideration about how CHS both protects and manages its data off-premises.

The two big areas that CHS needed to tackle were networking and governance issues, says Chris Danzi, assistant vice president of information and analytics services (IAS) at CHS. The hospital system has more than 62,000 employees and operates 39 hospitals and 900 other care locations in the Southeast.

One obvious difference between managing data internally and off-premises is that in the cloud, the data could be housed hundreds of miles away. “You’re talking about moving data across the distance,” says Danzi, “so you have to have a circuit and secure network to connect you to that.” Moving gigabytes of data to a cloud provider every night required the healthcare network to contract with a telecom carrier and buy a secure dedicated line.

In the year since it migrated data to the cloud, CHS has been using a VPN, which it is about to replace with a private connection to Azure. This will allow the healthcare network to also use the line for its Office 365 system.

“The other thing you have to consider is not only did I buy this nice circuit to have better speed, but you have to segment it for the interactive users who will want real-time access vs. the big bulk file transfers you’ll be doing,” Danzi explains.

Managing data in the cloud is different from managing it on-premises, he says, in terms of employee skills, how you set up your data governance program and how you enable some of your technology infrastructure.

“Those are areas that all have to be entirely rethought from the perspective of someone who may be seeking to steal your data,” Danzi says. “We’ve mastered that pretty well on-premises and now we’re transferring data and storing it in different places so we have to rethink it again. And constantly. You have to rethink it constantly because you hear every day about new, clever ways to breach data. But it’s worth it.”

More companies opting for off-premises data storage

There’s little doubt the cloud is becoming an integral part of many organizations’ IT and data environments. A recent IDC survey revealed that an increasing number of organizations are integrating data in hybrid and cloud-only environments rather than keeping data strictly on-premises, says Stewart Bond, IDC’s research director of data integration software.

Data in the cloud could be in a software-as-a-service (SaaS) application, a platform-as-a-service (PaaS) system or contained within databases and file servers implemented in infrastructure-as-a-service (IaaS) offerings, Bond says. Accessing data in SaaS applications often requires the use of an API. And using web services to access data is very different from using a SQL script against a relational application database, he explains.

[Figure: Data environment, cloud vs. on-premises. Source: IDC]

“In PaaS environments, the implementation will dictate if a web services API is required, or if SQL or NoSQL methods can be used to access the data,” Bond says. Data sitting in IaaS environments likely can be accessed using programming constructs that would also work against on-premises data sources, but that access would need to occur over a secure communications channel. In any event, master data management technology is helpful to reconcile between multiple disparate silos of data.

Echoing Danzi, Erez Yarkoni, incoming president of the Technology Business Management (TBM) Council, says when considering the steps involved with how cloud data will be managed, first and foremost, organizations need to plan very carefully for network capacity.

“The obvious things we took for granted when data was all right in our data center [are changing] and basically, you’re extending your network footprint and you have to be extremely careful about how you design it,” says Yarkoni, who previously served as CIO of both Telstra and T-Mobile. That adds another element “that could be very costly if you don’t plan carefully on egress and regress to and from your environment, and to and from the clouds themselves and how people interact with your information you put into the cloud,” he says.

When he was a CIO and involved in designing his data environments, Yarkoni says, he avoided moving massive amounts of data to the cloud whenever possible and, when it became necessary, did it at certain times of the day. “If you’re moving information from your data center to the cloud and you want some quality-of-service guarantees, you have to guarantee the links between those locations.”

Products like Microsoft’s ExpressRoute for Azure and Amazon’s Direct Connect offer dedicated network links between an on-premises environment and their respective clouds, he says.

Once data is in the cloud, IT shops no longer need database administration tools to manage it, since the time-consuming work of managing database performance, tuning and setup is all handled by the cloud provider, says Donna Burbank, managing director of information management consultancy Global Data Strategy, Ltd.

“Understanding your data and knowing where it is and protecting it is important, but a lot of the day-to-day management of it goes away,” she says. The cloud provider now oversees tasks such as performance and tuning, and checking to see whether servers are running and backup is being done. (That said, it is good practice to oversee the vendor to some degree; see the above sidebar for more information about how to do that.)

Securing cloud data

Managing data in the cloud is different from managing it on-premises, particularly when it comes to handling sensitive data, such as information about customers, notes Burbank. When another entity is controlling personal information, she advises using the PCI Data Security Standard and tokenization keys. When companies take advantage of the efficiencies that cloud offers, “there’s a lot of assumed trust, but you’re still not entirely controlling it,” she says.

Heidi Shey, a senior analyst at Forrester, agrees with Burbank that security tokens are one way to protect data, but she says organizations should stipulate who holds them. “Some [security] solutions will have encryption as one of these controls, and who holds the key is the question. Some companies want to have the control themselves and others will trust the provider,” she says.

Controlling your own key is the best option. “This adds another layer of complexity at times because you’re the one managing that, but it is an added control,” Shey says.

In addition to ensuring data housed in the cloud is secure, it’s also important to make sure that data is secure while it is in transit, says Bond. This may require VPN connections, HTTPS, SFTP/FTPS and other secure methods of communication, he says.

The IDC survey also showed “that as data becomes more distributed in the cloud, it becomes more difficult to trust,” he says. “Master data—the data about people, places and things that organizations care about—is the most distributed because some form of it will need to exist in every application.”

Yet, only 31 percent of respondents to a January 2017 Forrester survey of 150 data security professionals in the U.S. and Canada say they classify corporate data in the cloud based on how sensitive it is. Further, the survey found that only about one-third (34 percent) of data security professionals know where their cloud-based corporate data is located.
