Difference between revisions of "User:Shawndouglas/sandbox/sublevel1"

From LIMSWiki
Line 1: Line 1:
[[File:Cloud-Security.png|right|400px]]Just as turning to a CSP's [[infrastructure as a service]] (IaaS) offloads much of the responsibility for supporting IT infrastructure to someone else, you can also offload a significant portion of the responsibility for supporting cloud security to someone else. As such, the vendor of managed security services (MSS)—whether it's the CSP itself or a third-party cloud-friendly MSSP—manages cloud-based security aspects such as vulnerability testing, intrusion detection, firewall management, virtual private network (VPN) management, security reporting, and technical support for your cloud implementation. As such, most of your internal IT staff can be freed to focus on other aspects of the business' IT infrastructure and operational developments.
The previous chapter explored many aspects of informatics in the laboratory, emphasizing that while software and hardware systems bring many benefits to the laboratory, a thoughtful, organization-wide approach to managing the risks that that software and hardware introduces—particularly when related to cloud computing—is required. Given these complications, it's unsurprising to learn some laboratories have turned to MSSPs to help them meet regulatory requirements and maintain the security of their on-premises and cloud-based data solutions. Examples of industries with research and laboratory work served by MSSPs over the years include the gemstone testing and grading<ref name="IntradoVirtualArmour19">{{cite web |url=https://www.globenewswire.com/news-release/2019/04/08/1799042/0/en/VirtualArmour-Expands-Managed-Cybersecurity-Services-with-Global-Gemological-Organization.html |title=VirtualArmour Expands Managed Cybersecurity Services with Global Gemological Organization |author=VirtualArmour International |work=Intrado GlobeNewswire |date=08 April 2019 |accessdate=21 August 2021}}</ref>, energy research and supply<ref name="PreScouterManaged17">{{cite web |url=https://www.publicpower.org/system/files/documents/cybersecurity-service_providers_guide.pdf |format=PDF |title=Managed Cybersecurity Service Providers for Electric Utilities |author=PreScouter |publisher=American Public Power Association |date=October 2017 |accessdate=21 August 2021}}</ref>, clinical and forensic toxicology<ref name="FrontierCaseStudy20">{{cite web |url=https://ftiusa.com/case-studies/case-study-managed-detection-response-for-toxicology-laboratory/ |title=Case Study: Managed Detection Response for Toxicology Laboratory |publisher=Frontier Technologies, Inc |date=2020 |accessdate=21 August 2021}}</ref>, and healthcare industries.<ref name="CyleraHealthcare20">{{cite web |url=https://resources.cylera.com/healthcare-managed-security-services-forum |title=Healthcare Managed Security Services 
Forum |publisher=Cylera |date=November 2020 |accessdate=21 August 2021}}</ref><ref name="ANXPutting">{{cite web |url=http://anxebiz.anx.com/content/industries/healthcare |title=Putting Information Exchange to Work for Healthcare |publisher=ANXeBusiness Corp |accessdate=21 August 2021}}</ref> In all these examples, the implication is that proprietary trade secrets, critical infrastructure, or sensitive patient data must be protected. The laboratories operating in those industries could have attempted to keep security efforts in-house, but for one reason or another they chose to outsource a significant portion of that protection to a third-party MSSP.


But turning to MSS for your cloud implementation should be about more than just staffing relief. Outsourcing security services may also have other perceived benefits to an organization, such as gaining operational and financial efficiency, increasing service availability, and avoiding technological obsolescence.<ref name="FFIEC_Out04">{{cite web |url=https://ithandbook.ffiec.gov/media/274841/ffiec_itbooklet_outsourcingtechnologyservices.pdf |format=PDF |title=Outsourcing Technology Services |author=Federal Financial Institutions Examination Council |publisher=FFIEC |date=June 2004 |accessdate=21 August 2021}}</ref> To be sure, managing [[cybersecurity]] in the cloud is both vital to and difficult for the average organization, particularly small organizations like independent laboratories with constrained budgets. Managing the physical and cybersecurity complexities associated with the likes of the [[Health Insurance Portability and Accountability Act]] (HIPAA), the [[General Data Protection Regulation]] (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS) can be daunting, particularly given a lack of sufficient in-house expertise. Throw hybrid and multicloud deployments into the mix, and you suddenly require even more in-house expertise for development in public cloud environments like AWS and Microsoft Azure. When also considering that traditional on-premises IT security experience is not enough to manage cloud implementations, it's not difficult to imagine a scenario where an inexperienced IT staff could misconfigure a network security setting and compromise sensitive data within a cloud implementation.<ref name="TrianzHowMana21">{{cite web |url=https://www.trianz.com/insights/managed-cloud-security-services-how-and-why-it-works |title=How Managed Cloud Security Works, and Why You Might Want It |publisher=Trianz |date=29 March 2021 |accessdate=21 August 2021}}</ref>
But why even bother with this level of security? As previous chapters have noted, regulatory requirements are a significant driver to that end; if the lab won't meet its regulatory requirements, it risks major fines at a minimum, or at worst going out of business. In fact, some 60 percent of small businesses end up closing shop within six months of a cyberattack.<ref name="Galvin60_18">{{cite web |url=https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html |title=60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself |author=Galvin, J. |work=Inc.com |date=07 May 2018 |accessdate=21 August 2021}}</ref> This happens for multiple reasons, with costs related to compliance fines, breach notifications, post-breach customer protection, public relations, reputation loss, attorney's fees, litigation, and operational disruption often laying waste to the business.<ref name="SBDCC_BlogCost17">{{cite web |url=https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/ |archiveurl=https://web.archive.org/web/20201227041535/https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/ |title=BLOG: Cost of Cyber Crime to Small Businesses |work=Virginia SBDC Blog |publisher=Virginia SBDC |date=30 May 2017 |archivedate=27 December 2020 |accessdate=21 August 2021}}</ref> And it happens to businesses in almost every industry.


An optimally run set of managed security services by a knowledgeable and experienced organization able to offer and stick to clear, legally defensible service level agreements and information governance mechanisms<ref name="SmallwoodInform14">{{cite book |title=Information Governance: Concepts, Strategies, and Best Practices |chapter=Chapter 1: The Onslaught of Big Data and the Information Governance Imperative |author=Smallwood, R.F. |publisher=Wiley |pages=3–13 |year=2014 |isbn=9781118218303}}</ref><ref name="O'NeillInform15">{{cite web |url=https://www.daymarksi.com/information-technology-navigator-blog/information-governance-a-principled-framework |title=Information Governance: A Principled Framework |author=O'Neill, S. |work=Daymark Blog |date=22 October 2015 |accessdate=21 August 2021}}</ref> makes sense for organizations without the necessary technical expertise and with significant liability should something go wrong. The complexities of running secure operations in the cloud only increase the importance of such an MSSP. Such a provider is able to<ref name="DotsonPract19">{{cite book |title=Practical Cloud Security: A Guide for Secure Design and Deployment |chapter=Chapter 7: Detecting, Responding to, and Recovering from Security Incidents |author=Dotson, C. |publisher=O'Reilly Media |pages=139–71 |year=2019 |isbn=9781492037514}}</ref>:
Laboratories are not exempt from these cyberattacks and losses, whether using on-premises systems or turning to the cloud. In 2019, Canadian laboratory testing business LifeLabs suffered a cyberattack on its systems that saw the attackers steal information and request a ransom to have the data returned. While it's not clear exactly what went wrong, talk of "[f]urther strengthening our systems to deter future incidents"<ref name="SecurityCanadian19">{{cite web |url=https://www.securitymagazine.com/articles/91467-canadian-lab-test-firm-lifelabs-pays-ransom-after-data-breach |title=Canadian Lab Test Firm LifeLabs Pays Ransom After Data Breach |work=Security |publisher=BNP Media |date=26 December 2019 |accessdate=21 August 2021}}</ref> indicates something was off about LifeLabs' computer systems, something that likely could have been prevented with properly managed security services. In 2021, clinical at-home laboratory provider Apex Laboratory announced that it had been attacked by ransomware that hit its systems, which allowed hackers to take sensitive patient information and forcefully encrypt system and other data files until a ransom was paid.<ref name="ArghireApex21">{{cite web |url=https://www.securityweek.com/apex-laboratory-says-patient-data-stolen-ransomware-attack |title=Apex Laboratory Says Patient Data Stolen in Ransomware Attack |author=Arghire, I. |work=Security Week |date=04 January 2021 |accessdate=21 August 2021}}</ref> This kind of attack also could have been prevented—or the damage at least mitigated—with active MSS protections. And in May 2021, news broke that benevolent hacking group Sakura Samurai, as part of a "vulnerability disclosure program" through the U.S. 
Department of Energy's Fermilab, had tracked down multiple vulnerabilities in Fermilab's systems, which have since reportedly been corrected.<ref name="KirkUS21">{{cite web |url=https://www.bankinfosecurity.com/us-physics-laboratory-exposed-documents-credentials-a-16536 |title=US Physics Laboratory Exposed Documents, Credentials |author=Kirk, J. |work=Bank Info Security |date=07 May 2021 |accessdate=21 August 2021}}</ref><ref name="WillisFermilab21">{{cite web |url=https://robertwillishacking.com/fermilab-hack-april-may-2021/ |title=Fermilab Hack, April/May 2021 |author=Willis, R. |work=Robert Willis Hacking |date=06 May 2021 |accessdate=21 August 2021}}</ref> Would have a knowledgeable and experienced MSSP caught these issues before Sakura Samurai?


* monitor for, identify, assess, and react to vulnerabilities, intrusions, and other threats;
However, the use of an MSSP in the laboratory can't prevent all cases of inadvertently compromising sensitive information. Take for example the case of the Wyoming Department of Health, which accidentally exposed sensitive health information about COVID-19, influenza, and controlled substance analyses in late 2020. An April 2021 news report indicated that more than 164,000 Wyoming residents were affected by the accidental uploading of files containing their testing information as part of a batch file upload to a public-facing GitHub server. While GitHub itself did not cause the release, the upload of the files—which were not intended to be in the upload batch of otherwise normal software code files—to the public servers by the Department of Health did. The Wyoming Department of Health notes that "[b]usiness practices have been revised to include prohibiting the use of GitHub or other public repositories and employees have been retrained."<ref name="FlackWyoming21">{{cite web |url=https://www.sweetwaternow.com/wyoming-department-of-health-announces-data-breach-of-thousands-of-wyoming-residents/ |archiveurl=https://web.archive.org/web/20210427221317if_/https://www.sweetwaternow.com/wyoming-department-of-health-announces-data-breach-of-thousands-of-wyoming-residents/ |title=Wyoming Department of Health Announces Data Breach of Thousands of Wyoming Residents |author=Flack, B. |work=SweetwaterNow |date=27 April 2021 |archivedate=27 April 2021 |accessdate=21 August 2021}}</ref>
* audit, adjust, and patch native security settings;
 
* improve encryption, firewall, and anti-malware mechanisms;
This statement highlights that, ultimately, internal process and procedure that didn't address the use and corresponding potential risks of public-facing servers within day-to-day operations was to blame. Strictly speaking, any MSS in place could not have prevented the upload to GitHub, unless the MSSP had prior identified this type of risk and brought it to the attention of the laboratory. It's possible an MSSP could have encouraged the lab to turn to group policies or some other access control to limit internet access from laboratory computers<ref name="PaulHowTo19">{{cite web |url=https://thesysadminchannel.com/how-to-restrict-internet-access-using-group-policy-gpo/ |title=How To Restrict Internet Access Using Group Policy (GPO) |author=Paul |work=The Sysadmin Channel |date=03 June 2019 |accessdate=03 June 2019}}</ref>, though a careful balance of managing security risk with ensuring lab tech productivity would still need to be maintained. However, in the end, this is largely a story of internal laboratory policy, not something an MSS could prevent unless previously anticipated. This naturally brings up the discussion about a laboratory's quality assurance officer and their increasingly important role in addressing cybersecurity and choosing CSPs and MSSPs for the lab.
* manage and secure connected devices;
* manage and improve identity access management; and
* provide detailed reports about the state of organizational infrastructure.


==References==
==References==
{{Reflist|colwidth=30em}}
{{Reflist|colwidth=30em}}
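Review bot: In the added paragraph on LifeLabs, Apex Laboratory and Fermilab, the closing question "Would have a knowledgeable and experienced MSSP caught these issues before Sakura Samurai?" has its auxiliary misplaced and should read "Would a knowledgeable and experienced MSSP have caught these issues ...". In the added paragraph that follows the Wyoming quotation, "unless the MSSP had prior identified this type of risk" should be "had previously identified". The added `PaulHowTo19` citation gives accessdate 03 June 2019, the same as its publication date, while every other citation in the revision uses 21 August 2021; please confirm the access date. The revision also drops the bulleted list of what an MSSP is able to do (monitoring and reacting to threats, patching native security settings, identity access management, reporting) together with its Dotson citation; if that material now lives in another section, note that in the edit summary.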

Revision as of 23:40, 3 February 2022

The previous chapter explored many aspects of informatics in the laboratory, emphasizing that while software and hardware systems bring many benefits to the laboratory, a thoughtful, organization-wide approach to managing the risks that such software and hardware introduce—particularly when related to cloud computing—is required. Given these complications, it's unsurprising to learn some laboratories have turned to MSSPs to help them meet regulatory requirements and maintain the security of their on-premises and cloud-based data solutions. Examples of industries with research and laboratory work served by MSSPs over the years include the gemstone testing and grading[1], energy research and supply[2], clinical and forensic toxicology[3], and healthcare industries.[4][5] In all these examples, the implication is that proprietary trade secrets, critical infrastructure, or sensitive patient data must be protected. The laboratories operating in those industries could have attempted to keep security efforts in-house, but for one reason or another they chose to outsource a significant portion of that protection to a third-party MSSP.

But why even bother with this level of security? As previous chapters have noted, regulatory requirements are a significant driver to that end; if the lab doesn't meet its regulatory requirements, it risks major fines at a minimum, or at worst going out of business. In fact, some 60 percent of small businesses end up closing shop within six months of a cyberattack.[6] This happens for multiple reasons, with costs related to compliance fines, breach notifications, post-breach customer protection, public relations, reputation loss, attorney's fees, litigation, and operational disruption often laying waste to the business.[7] And it happens to businesses in almost every industry.

Laboratories are not exempt from these cyberattacks and losses, whether using on-premises systems or turning to the cloud. In 2019, Canadian laboratory testing business LifeLabs suffered a cyberattack on its systems that saw the attackers steal information and request a ransom to have the data returned. While it's not clear exactly what went wrong, talk of "[f]urther strengthening our systems to deter future incidents"[8] indicates something was off about LifeLabs' computer systems, something that likely could have been prevented with properly managed security services. In 2021, clinical at-home laboratory provider Apex Laboratory announced that it had been attacked by ransomware that hit its systems, which allowed hackers to take sensitive patient information and forcefully encrypt system and other data files until a ransom was paid.[9] This kind of attack also could have been prevented—or the damage at least mitigated—with active MSS protections. And in May 2021, news broke that benevolent hacking group Sakura Samurai, as part of a "vulnerability disclosure program" through the U.S. Department of Energy's Fermilab, had tracked down multiple vulnerabilities in Fermilab's systems, which have since reportedly been corrected.[10][11] Would a knowledgeable and experienced MSSP have caught these issues before Sakura Samurai?

However, the use of an MSSP in the laboratory can't prevent all cases of inadvertently compromising sensitive information. Take for example the case of the Wyoming Department of Health, which accidentally exposed sensitive health information about COVID-19, influenza, and controlled substance analyses in late 2020. An April 2021 news report indicated that more than 164,000 Wyoming residents were affected by the accidental uploading of files containing their testing information as part of a batch file upload to a public-facing GitHub server. While GitHub itself did not cause the release, the upload of the files—which were not intended to be in the upload batch of otherwise normal software code files—to the public servers by the Department of Health did. The Wyoming Department of Health notes that "[b]usiness practices have been revised to include prohibiting the use of GitHub or other public repositories and employees have been retrained."[12]

This statement highlights that, ultimately, internal processes and procedures that didn't address the use and corresponding potential risks of public-facing servers within day-to-day operations were to blame. Strictly speaking, any MSS in place could not have prevented the upload to GitHub, unless the MSSP had previously identified this type of risk and brought it to the attention of the laboratory. It's possible an MSSP could have encouraged the lab to turn to group policies or some other access control to limit internet access from laboratory computers[13], though a careful balance of managing security risk with ensuring lab tech productivity would still need to be maintained. However, in the end, this is largely a story of internal laboratory policy, not something an MSS could prevent unless previously anticipated. This naturally brings up the discussion about a laboratory's quality assurance officer and their increasingly important role in addressing cybersecurity and choosing CSPs and MSSPs for the lab.

References

  1. VirtualArmour International (8 April 2019). "VirtualArmour Expands Managed Cybersecurity Services with Global Gemological Organization". Intrado GlobeNewswire. https://www.globenewswire.com/news-release/2019/04/08/1799042/0/en/VirtualArmour-Expands-Managed-Cybersecurity-Services-with-Global-Gemological-Organization.html. Retrieved 21 August 2021. 
  2. PreScouter (October 2017). "Managed Cybersecurity Service Providers for Electric Utilities" (PDF). American Public Power Association. https://www.publicpower.org/system/files/documents/cybersecurity-service_providers_guide.pdf. Retrieved 21 August 2021. 
  3. "Case Study: Managed Detection Response for Toxicology Laboratory". Frontier Technologies, Inc. 2020. https://ftiusa.com/case-studies/case-study-managed-detection-response-for-toxicology-laboratory/. Retrieved 21 August 2021. 
  4. "Healthcare Managed Security Services Forum". Cylera. November 2020. https://resources.cylera.com/healthcare-managed-security-services-forum. Retrieved 21 August 2021. 
  5. "Putting Information Exchange to Work for Healthcare". ANXeBusiness Corp. http://anxebiz.anx.com/content/industries/healthcare. Retrieved 21 August 2021. 
  6. Galvin, J. (7 May 2018). "60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself". Inc.com. https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html. Retrieved 21 August 2021. 
  7. "BLOG: Cost of Cyber Crime to Small Businesses". Virginia SBDC Blog. Virginia SBDC. 30 May 2017. Archived from the original on 27 December 2020. https://web.archive.org/web/20201227041535/https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/. Retrieved 21 August 2021. 
  8. "Canadian Lab Test Firm LifeLabs Pays Ransom After Data Breach". Security. BNP Media. 26 December 2019. https://www.securitymagazine.com/articles/91467-canadian-lab-test-firm-lifelabs-pays-ransom-after-data-breach. Retrieved 21 August 2021. 
  9. Arghire, I. (4 January 2021). "Apex Laboratory Says Patient Data Stolen in Ransomware Attack". Security Week. https://www.securityweek.com/apex-laboratory-says-patient-data-stolen-ransomware-attack. Retrieved 21 August 2021. 
  10. Kirk, J. (7 May 2021). "US Physics Laboratory Exposed Documents, Credentials". Bank Info Security. https://www.bankinfosecurity.com/us-physics-laboratory-exposed-documents-credentials-a-16536. Retrieved 21 August 2021. 
  11. Willis, R. (6 May 2021). "Fermilab Hack, April/May 2021". Robert Willis Hacking. https://robertwillishacking.com/fermilab-hack-april-may-2021/. Retrieved 21 August 2021. 
  12. Flack, B. (27 April 2021). "Wyoming Department of Health Announces Data Breach of Thousands of Wyoming Residents". SweetwaterNow. Archived from the original on 27 April 2021. https://web.archive.org/web/20210427221317if_/https://www.sweetwaternow.com/wyoming-department-of-health-announces-data-breach-of-thousands-of-wyoming-residents/. Retrieved 21 August 2021. 
  13. Paul (3 June 2019). "How To Restrict Internet Access Using Group Policy (GPO)". The Sysadmin Channel. https://thesysadminchannel.com/how-to-restrict-internet-access-using-group-policy-gpo/. Retrieved 03 June 2019.