by Matt Ferrari
Co-founder and Former CTO
ClearDATA
When I’m on the road speaking with other CTOs or CIOs and I mention that ClearDATA hardens images according to the Center for Internet Security (CIS) Standards as part of our compliance solution for the healthcare cloud, ClearDATA Comply™, I am typically met with a huge sigh of relief. But not everyone understands what an important feature this is, and what a cost-saving and time-saving value it brings to our customers, so I’d like to unpack what we mean by ‘hardened images’ here for everybody.
As with all things cloud, we start with VMs, or virtual machines, which are created from a template called a virtual machine image or virtual server image. CIS, the organization whose Benchmarks are the industry standard for secure configuration guidance, defines a virtual image as ‘an operating system (OS) or application environment installed on software that imitates dedicated hardware. The virtual image can be accessed by multiple devices and acts like a physical computer.’ AWS, Google Cloud Platform, and Microsoft Azure all offer virtual machines built from images on their clouds, although they refer to them by slightly different names: an AMI (Amazon Machine Image) on AWS, or simply an ‘image’ on Google Cloud and Azure, while the running copy launched from an image is called an instance (AWS, Google Cloud) or a virtual machine (Azure).
Virtual images can be spun up on your choice of cloud to do your routine computing operations without you having to buy hardware or software, resulting in potentially significant cost savings, which is one of many reasons healthcare is moving to the cloud. They also save time, since they can be spun up or down in minutes, not months. Developers like the time saved, and so do CTOs and CIOs who don’t have to purchase and set up hardware, much less install the operating system or supporting software and drivers for each environment.
Now, on to where does ‘hardening’ come into this…
A hardened virtual server image, usually just called a hardened image, is a virtual image stripped of everything unnecessary for the specific task at hand. A developer starts with a current, patched version of the OS and, following the CIS Benchmark for that OS, builds the image with current software, the fewest administrative accounts and privileges the workload needs, and only the services and open ports it requires. The list goes on, but the idea is to build in only the minimum that is necessary.
This intentional ‘tightness’ with permissions and ports is a mindset that ensures you start secure rather than trying to lock things down after the fact. It is a key part of a defense-in-depth strategy: every service, port, and privilege that is not built in is one that can never be attacked or misconfigured, so the image’s attack surface and its list of possible vulnerabilities both shrink.
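To make the idea of “only what the task needs” concrete, here is a small, added example of the kind of check a hardened-image build pipeline can run against its own output. It is illustrative code written for this article, not ClearDATA’s tooling and not an official CIS tool. The checks are modeled on the sort of recommendations found in the CIS Linux benchmarks (sshd settings, sudo settings, enabled services), but the control set, the service allowlist and the sample configuration text are all constructed for the example; a real build would run the full benchmark.

```python
"""Added example: a minimal CIS-style hardening audit for a Linux image.

Not ClearDATA's code and not an official CIS tool. The checks are modeled
on CIS Linux benchmark recommendations; ALLOWED_SERVICES, the expected
values and all sample configuration text below are constructed for the
example.
"""

# Hypothetical build policy: the only services this image may leave enabled.
ALLOWED_SERVICES = {"sshd", "chronyd", "rsyslog", "auditd"}

# sshd_config keywords (lower-cased) and the values a hardened image enforces.
SSHD_EXACT = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}
SSHD_MAX_AUTH_TRIES = 4  # benchmark-style "4 or less"


def parse_sshd_config(text):
    """Map keyword -> value the way sshd resolves it: keywords are
    case-insensitive, lines starting with '#' are comments, and the FIRST
    occurrence of a keyword wins (later duplicates are ignored by sshd)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd(text):
    """Compare the effective sshd settings against the hardened baseline."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in SSHD_EXACT.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"sshd: {key} unset (expected {want})")
        elif got.lower() != want:
            findings.append(f"sshd: {key}={got} (expected {want})")
    tries = cfg.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > SSHD_MAX_AUTH_TRIES:
        findings.append(f"sshd: maxauthtries={tries} (expected <= {SSHD_MAX_AUTH_TRIES})")
    return findings


def audit_sudoers(text):
    """Flag passwordless escalation and require a pty and a sudo log file."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    findings = [f"sudo: passwordless escalation: {ln}" for ln in lines if "NOPASSWD" in ln]
    if not any(ln.startswith("Defaults") and "use_pty" in ln for ln in lines):
        findings.append("sudo: 'Defaults use_pty' missing")
    if not any(ln.startswith("Defaults") and "logfile=" in ln for ln in lines):
        findings.append("sudo: 'Defaults logfile=' missing")
    return findings


def audit_services(enabled, allowed=ALLOWED_SERVICES):
    """Anything enabled that is not on the allowlist is surface to remove."""
    return [f"service: {s} enabled but not required" for s in sorted(set(enabled) - allowed)]


def audit_image(sshd_config, sudoers, enabled_services):
    """Run all checks; an empty list means the image passes this policy."""
    return audit_sshd(sshd_config) + audit_sudoers(sudoers) + audit_services(enabled_services)


# Constructed sample inputs: a stock-looking build beside a hardened one.
WEAK_SSHD = """\
# default-looking sshd_config
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
"""
HARDENED_SSHD = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
# The duplicate below is ignored by sshd, which honours the first value.
PermitRootLogin yes
"""
WEAK_SUDOERS = "root ALL=(ALL) ALL\ndeploy ALL=(ALL) NOPASSWD: ALL\n"
HARDENED_SUDOERS = "Defaults use_pty\nDefaults logfile=/var/log/sudo.log\nroot ALL=(ALL) ALL\n"
WEAK_SERVICES = ["sshd", "chronyd", "rsyslog", "auditd", "cups", "avahi-daemon", "rpcbind"]
HARDENED_SERVICES = ["sshd", "chronyd", "rsyslog", "auditd"]

if __name__ == "__main__":
    for name, args in (("weak", (WEAK_SSHD, WEAK_SUDOERS, WEAK_SERVICES)),
                       ("hardened", (HARDENED_SSHD, HARDENED_SUDOERS, HARDENED_SERVICES))):
        findings = audit_image(*args)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Two details in the sshd check are the kind of thing a benchmark-driven build has to get right: sshd uses the first value it sees for a keyword, so a later `PermitRootLogin yes` in the hardened sample is harmless while a naive “grep the last match” audit would have either missed a real problem or raised a false one, and a setting that is simply absent (here `PermitEmptyPasswords`) is reported as a finding rather than silently assumed safe.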
However, it’s worth noting that none of this means hardening images is easy. CIS tells us that a single OS can have over 200 configuration settings, so you start to see how having ClearDATA’s expert staff configure and harden the image, rather than doing it yourself in house, can be a huge value. And that’s just hardening images. Understanding how to configure the various cloud services so they are compliant with HIPAA or GDPR, for example, requires an in-depth understanding of compliance and regulations as well as of cloud technology. ClearDATA Comply provides over 180 technical controls for 70 of the most commonly used cloud services, letting your team focus on your business objectives, not configuration settings.
Here are some of the actions we take with hardened images to protect your healthcare cloud environment:
If you were going to do this yourself, you would need to:
ClearDATA has an automated test suite that assesses each hardened image, confirming that it works properly and that it has been scanned for known vulnerabilities.
End result: you save time and money on hardware, patching, testing, and monitoring and work with the peace of mind knowing we have created an environment for your healthcare cloud that is less prone to attack. ClearDATA Comply lets your team innovate safely in the cloud while protecting your environment.