NextGen Cloud Governance in Healthcare
Healthcare, life sciences, pharmaceuticals, and related industry sectors are rapidly embracing Cloud as a part of digital transformation. While Cloud provides transformative benefits, with it come challenges related to Operations, Security, Cost and Compliance. What's needed to unleash the power of cloud is governance at scale.
CoreStack, an AI-powered multi-cloud governance solution, empowers enterprises to unleash the power of cloud on their terms by helping them rapidly achieve continuous and autonomous cloud governance at scale. CoreStack enables enterprises to realize outcomes across FinOps, SecOps and CloudOps such as a 40% decrease in cloud costs and a 50% increase in operational efficiencies by governing operations, security, cost, access, and resources. CoreStack also assures 100% compliance with standards such as ISO, FedRAMP, NIST, HIPAA, PCI-DSS, AWS CIS & the Well-Architected Framework. To learn how CoreStack can help organizations such as yours run an efficient, lean and optimized multi-cloud securely while ensuring compliance with standards and regulations, please set up a no-obligation demo at corestack.io/discover
----- Transcribed Text -----
A quick look at industry trends. We all know that the cloud market is exploding. It's exploding in healthcare specifically, even more so than in some of the other verticals, for all the right reasons. Healthcare companies want the resiliency, the extensibility, all the good things that you want in the cloud; you're basically getting them and you're able to make great use of them. And the other data point, around 8 terabytes of data per health provider per month going to cloud, that's an insane amount of information being stored in the public clouds collectively. But then you look at the flip side of that conversation: are we meeting the standards? Are we meeting the HIPAA standards? Are we meeting the HITECH standards? Are we meeting all the various GDPR standards? Are we doing all this stuff? And the data shows that we're not. We're not meeting standards; we're not meeting the security capabilities that we need to, as you see in some of the data points here. And the reason for that is that the hyperscalers do a lot for you. The hyperscalers can give you a lot of capability in terms of providing you security.
One of the points I could have made on the last slide was that one of the reasons why we see so much cloud spend yet see so little cloud authentication and authorization and so little compliance is that, in my opinion, many of the companies initially are focused on the lift and shift into the cloud. How do I get these workloads running in the cloud? How do I get all the benefits of the cloud? But things like compliance and security they consider to be either a second-day topic, meaning "hey, we'll worry about it after we get this stuff up and running and we'll put that stuff in," or, number two, they're hoping that the cloud providers, the hyperscalers, have to provide that security. Well, what you find is that the hyperscalers do a lot for you. Absolutely. But they're providing you a certain level of security of the cloud itself. They're not necessarily giving you security in the cloud. I think John's pitch also spoke to this. There's nothing that a hyperscaler can do to stop somebody in your company from rolling out some storage that's not encrypted. The hyperscalers are not going to know about that. They're not going to check for that. They're not going to do any work on that because they simply can't do so. It's critically important that you protect yourself when you're in the cloud; you are required to basically make sure that the workloads you're running are compliant with all the standards. And you know, as you mentioned, it might be state-level standards, it might be a federal standard; if you're a global provider, there are going to be standards around the world. Brazil has very different standards than Germany, which are very different from India, which are of course very different from the US. So all these things become critically important, and it becomes especially difficult once you have a multi-cloud environment, which I'll talk about in more detail, but you're providing this level of security, this level of compliance.
It becomes really difficult, and that's what we do here. We're an autonomous continuous cloud governance platform. And if you look at the totality of our product, our product is made up of three separate modules. We provide you a finance module where we help you basically optimize all the costs that you incur by running in the cloud. How do you take all the stuff you've provisioned, look at it from an operational perspective, look at it from a security and compliance perspective, and then help you optimize that cost, give you remediation and recommendations, all the goodies that you expect from a great FinOps tool. On the other side of the spectrum, we give you cloud operations capability. This module focuses on how I operate the cloud, with integrations into my backend legacy systems. How do I provide a self-service portal? How do I deploy stuff? How do I make sure my CMDB is kept up to date as I deploy more hardware to cloud? What I am going to talk a lot about today is SecOps, which includes security and compliance. How do we do that? But I wanted to kind of show you the bigger picture in terms of what we of course provide in terms of autonomous continuous cloud governance.
Looking specifically at the use cases in healthcare. Obviously, there are lots of people and companies and organizations that play in the healthcare space, and we have a lot of customers in this space, but I want to point out three of our interesting customers. If you look at our client, which of course is the massive device maker, it deploys its technology, MRI machines and all these kinds of things, globally, right into healthcare providers everywhere. Another representative healthcare company would be a retail pharmacy running in the media; this is a different set of challenges they bring to bear. And then finally, one of our customers who works very closely with the claims process for all the players in healthcare. So again, a very different problem there as well. And our customer works with some of the biggest providers in the world to build out cloud-based infrastructures for these people. Now, some of the things that we find in common across all these companies is that, number one, obviously they're all leveraging the cloud in a big way and are continuing to live in the cloud in an even bigger way moving forward. So they're in the cloud and growing. Number two, these guys are very distributed. So they run into regulation and policy and security considerations which are very regional and very localized. They have a requirement. Again, if you look at a couple of the healthcare customers, not only do they want to implement the standards, not only do they want to implement HIPAA, NIST standards, ISO standards, they have specific standards. So they want to take industry standards and extend them to make them specific and then basically implement them across all their clouds. Same with the third customer. But of course, the policies may be very different. The requirements around compliance may be very different.
So then again, we want to work with them and give them a platform from which they can centrally manage, create and manage all of the security and compliance policies; that becomes a critical thing here, centrally managing all these security and compliance policies. So if you start looking at healthcare and governance, right, we talk about these customers and we talked about what's going on here. What are some of the key compliance metrics that we're looking for? These folks are all looking at HIPAA, obviously, it's a big one; HITECH is a big one; GDPR; and of course the list goes on and on. CoreStack ships over 1500 of these policies built into the product. And what we want to be able to do is, again, create policies in this platform. We want to be able to deploy these policies from our platform into any cloud, any of the three public clouds. And right now, we're looking to add Oracle Cloud into the mix as well. So shortly we'll have Oracle Cloud support. So we are able to deploy these policies into any of the four public clouds that people may be deploying their technology into. And then, more importantly, we can create custom policies and extend existing policies. So whether it's security policies or compliance policies, craft them, extend them, deploy them into multiple clouds and then basically enforce them. And this is all basically checkbox compliance. So if you look at our technology, you would see that we will give you up to 1500 policies that come out of the box in our technology. You can take any one of these policies, check a box and say, you know what, I want this policy now applied across all my cloud real estate: access control, security, encryption, first resources, patch management, just about everything you can think of, to be handled via checkbox.
Now, the simple thing is that once a policy is enforced and in place, we give you a dashboard from which you can get real-time capability; you can get a real-time posture assessment. So if a particular policy is not being enforced, if a particular standard is being violated, if a particular compliance policy is currently not being adhered to, we can bring that information back in a continuous, real-time fashion via the dashboard so you know exactly what the issue is. So we'll report on the issue, we'll give you a recommendation on how to fix the issue. And then finally we'll give you remediation so you can check the box and go ahead and fix that. Make sure that storage device out there is in fact encrypted. So that capability to basically report, recommend and remediate around all this stuff becomes the thing that really drives the effectiveness and the efficiency of your staff, and all this becomes super important and super capable. So let's take a little closer look at the first customer situation. They are a global organization running MRI machines, X-ray machines, all that kind of good stuff, all around the world, and they're collecting this data everywhere, and every time there's a violation, they don't even know about it, right? Before they implemented our technology, they didn't have real-time visibility to understand where the violation is, where there is a lack of adherence to a standard, by geography. So all these things become important. So what we did first was we worked with them to say, we want to allow you to take the 1500 policies that we ship with and extend those policies, make them customer-specific. In the case where they want to extend them, so they want to do something specific because they're running in a particular region of the world, a particular state in the USA, we allow them to basically extend those policies so that these policies now become customized for their particular business.
With the checkbox, we're able to deploy that across the entire globe. Basically, from Azure in India to AWS in Europe to GCP in the US, across all of the public clouds, we're able to now deploy our security and compliance posture. What's interesting here now is that because they have this, they're now able to efficiently provide for any audit requirements that creep up. Because prior to deploying CoreStack, when the customer was hit with an audit, it took several months to collect all the data to report on the audit, to provide the information that the regulators were looking for from an auditing perspective. So now, because we've got our technology deployed there, they're able to collect and respond to these audit requirements within days, not months, days, because we collect all the information beforehand, showing, kind of showcasing, what they need to basically make all this stuff happen. So again, it's not just about reporting, but it's about recommending, remediating and fixing any of the knowledge that we see out there and helping with the audit compliance.
Moving on to a slightly different topic around DevSecOps and Zero Trust infrastructure. So obviously these companies run in the cloud, they're using Terraform templates. You're basically getting all this infrastructure from the cloud providers. You're getting a lot of software and hardware from a lot of places. So Zero Trust becomes super important. You'd like to trust all this stuff, but you have to validate and verify every single thing that you do. So we find a lot of our customers like to inject the capability that CoreStack provides early in their development cycle. So we integrate into all the CI/CD pipelines, whether it's GitLab, Jenkins, or some of the others like Harness, and we're able to basically introduce our security and compliance policies directly into these Terraform templates and validate, while you're developing code, that the software that we're building and the configuration that we're testing against are completely valid. Number one. Number two, we're basically cataloguing all this information from an auditing perspective. Should there be an audit at some point, you have the full life cycle of how this piece of software was built, which policies and which compliance standards it has been adhering to since the first day that it was being built. So this whole notion of SecOps, putting in the security and compliance policies early on in the CI/CD pipeline, becomes super important, and what that really drives is an extremely powerful shift-left component, because now your developers are not waiting for all the validation and all the auditing to move forward in their CI/CD development process. Developer productivity goes up dramatically. We have some customers where we've seen upwards of a 15% improvement in developer productivity when you're building healthcare applications, because some of these more laborious things around auditing and policy and security compliance have all been taken away right now.
This is all being reported and implemented as policy throughout the CI/CD pipeline, going right into production. So this turns out to be a cool capability that we're bringing to bear for a lot of our partners. So these are some of the key things I wanted to cover today. Some of the key things are: out-of-the-box policy deployment of 1500 policies; the capability to basically upgrade, enhance and extend those policies and deploy them into any public cloud; real-time feedback in terms of how well they're being adhered to and how well they're being enforced; and providing you the engine from which you can not only see this stuff but also remediate it immediately from there as well.
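The shift-left check the talk describes (policy validation over Terraform templates in the CI/CD pipeline, catching the "storage rolled out unencrypted" case from earlier), as an added example that is not CoreStack's code: a small policy-as-code gate that evaluates a Terraform plan in the JSON shape `terraform show -json` emits against a storage-encryption-at-rest policy and reports, recommends, and fails the pipeline step. The plan contents, resource names, and the policy table are constructed assumptions.

```python
import json
import sys

# Constructed sample in the shape `terraform show -json plan.out` produces (only
# the fields the check reads); the resource names are made up for this example.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_ebs_volume.mri_scans", "type": "aws_ebs_volume",
         "change": {"actions": ["create"], "after": {"size": 500, "encrypted": False}}},
        {"address": "aws_ebs_volume.backups", "type": "aws_ebs_volume",
         "change": {"actions": ["create"], "after": {"size": 100, "encrypted": True}}},
        {"address": "aws_db_instance.claims", "type": "aws_db_instance",
         "change": {"actions": ["update"], "after": {"storage_encrypted": False}}},
        {"address": "aws_ebs_volume.legacy", "type": "aws_ebs_volume",
         "change": {"actions": ["delete"], "before": {"encrypted": False}, "after": None}},
    ]
}

# Policy table (assumed): resource type -> attribute that must be true.
# A customer-specific extension of the policy is just another entry here.
STORAGE_ENCRYPTION_POLICY = {
    "aws_ebs_volume": "encrypted",
    "aws_db_instance": "storage_encrypted",
}

def evaluate_plan(plan, policy=STORAGE_ENCRYPTION_POLICY):
    """Return one finding per resource the plan would create or update unencrypted."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if not {"create", "update"} & set(change["actions"]):
            continue  # deletes and no-ops cannot introduce unencrypted storage
        attr = policy.get(rc["type"])
        if attr is None:
            continue  # resource type not covered by this policy
        after = change.get("after") or {}
        # An absent attribute is treated as a violation too: for aws_ebs_volume the
        # provider default is unencrypted unless account-level default encryption is on.
        if after.get(attr) is not True:
            findings.append({
                "resource": rc["address"],
                "policy": "storage-encryption-at-rest",
                "recommendation": f'set {attr} = true on {rc["address"]}',
            })
    return findings

def gate(plan, policy=STORAGE_ENCRYPTION_POLICY):
    # Pipeline exit status: 0 when the plan passes, 1 when any finding exists.
    return 1 if evaluate_plan(plan, policy) else 0

if __name__ == "__main__":  # usage: python check_plan.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    print(json.dumps(evaluate_plan(plan), indent=2))
    sys.exit(gate(plan))
```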