Digital: The Digital Lab

Cloud Security: Busting Four Myths Around Secure Cloud Computing in Life Sciences

Using cloud computing in drug discovery and manufacturing has become increasingly popular over the past few years, however myths around the system still linger. What are these myths, and how can companies overcome them to feel more confident about going digital?

By Zach Powers at Benchling

“By now, the cloud is so essential, it’s hard to think of transformation without it.” 

Companies that are slow to adopt cloud computing will not only fall behind in terms of security, they will also fall behind their competition, as digital transformation and the innovation, speed and collaboration it fosters is not possible today without cloud computing. Pharma companies are living through a technical renaissance, with advanced techniques to measure and engineer biology that were unthinkable a decade ago. Advanced lab instruments, robotics and sensors are commonplace. Artificial intelligence (AI) and machine learning (ML) are deployed on massive genomics datasets for drug discovery. However, cloud adoption in pharma – and in Europe in particular – is still patchy.
This challenging transition is not unique to pharma. The move from on-premises to cloud does not happen overnight, and pioneering both the technologies behind cloud computing today and the types of modern security necessary to make it a reality was a challenge. However, it was done because it was believed that data liquidity was the key to unlocking the potential that various industries have. The road was paved for accelerated innovation and success for businesses, governments and educational institutions. Back then, there were discussions around the fear, uncertainty and doubt that businesses had about cloud computing; today, those industries take cloud as a de facto standard.
A lack of data liquidity can easily hold an industry back though. It was not that many years ago in healthcare when a patient’s data was essentially bound to the physical location of a healthcare provider’s office. In order for a patient to have their data be available at another provider’s office, it had to be printed out on paper and faxed. This was time-consuming, cumbersome and prone to errors. As a technology executive, I found this baffling and the set of problems all too familiar, so I decided to lean into healthcare and healthtech.
Over the last two decades, cloud computing has matured, approaches to security have advanced considerably and data liquidity has become the expectation and the accelerant. But many commonly held beliefs about cloud computing have prevented pharma from adopting a strategy of digital transformation. Many of these beliefs are myths that don’t hold up to scrutiny.

Myth 1: Cloud Computing Isn’t as Safe

This is probably the biggest cloud myth out there. It is perpetuated by technology vendors defending their market share and IT professionals who may be more comfortable with a server that they can see and touch. But this myth is the wrong question entirely. Cloud computing companies are heavily incentivised to make secure products because, unlike most traditional, on-premise vendors, they have to take responsibility for security.
There are three aspects of cloud computing that impact security. Firstly, vulnerability management. With automated vulnerability management, security patches come out daily, weekly and monthly in the cloud, whereas many on-premise technology vendors can take a number of months – or even years – to patch security vulnerabilities. Most on-premises technology vendors have also not invested in security engineering or secure software development to the same extent and in the same way that cloud computing vendors have. Cloud computing vendors are hyper-focused on embedding security into the software development life cycle and being able to react quickly to any identified security vulnerabilities. Configuration monitoring is often much easier in the cloud due to the investments that cloud vendors have made in APIs, which support security and compliance monitoring. Think automated auditing on a daily basis, which makes it possible to know the state of security with systems and data on a daily basis. This level of cross-platform, cross-system visibility is so much harder with traditional technologies due to the lack of API architectures.
Third, one of the biggest drivers behind why cloud computing’s approach to security is often better, is that cloud vendors want to make money. They understand that they must share the responsibility of security if they are to be trusted, and if they are to increase revenue. This incentivises them to make products more secure and maintain them. Out of this has arisen a modern approach to secure software development and cloud security operations. More times than not, cloud computing companies offer a product that is more secure and will be better maintained than their traditional, on-premise counterparts.

Myth 2: Security is Solely the Responsibility of the Vendor

The Shared Responsibility Model is one of the greatest strengths of cloud computing.1 Cloud vendors have a responsibility to securely develop cloud software and infrastructure so, to do this, they use automated vulnerability management, routine penetration testing, asset management, configuration management and more.2 The end result is that many cloud software products undergo more security scrutiny, on a more frequent basis, than on-premise technologies do. Not all cloud products are the same when it comes to security, but it is becoming increasingly common for enterprise Software-as-a-Service (SaaS) companies to approach security in this way.
But that is not enough. It is the responsibility of each pharma, life sciences or biotech organisation to choose to configure the cloud service in a secure way. For example, making decisions around single factor authentication or multifactor authentication, choosing to enable IP range restrictions or choosing to enable role-based access controls.
The most secure cloud computing products can be configured in an insecure way, so it’s paramount that life sciences organisations work closely with cloud computing vendors to securely configure their products. The vendors will take care of the vulnerabilities, but each organisation needs to take care of the configurations.
If we take a data driven approach to this – looking at actual attacks – only 5% of recent breaches involve exploiting a vulnerability.4People talk a lot about ‘hackers’, but what the data shows us is that threat actors are more like ‘social experts’ who love to target people and single factor authentication. In fact, 82% of breaches involve the human element.3 Threat actors know it is far easier to target the life sciences workforce than it is to exploit their cloud computing services and data platforms. When it comes to protecting life sciences organisations, the data suggests we should be focused much more on people and credentials than whether or not software is in the cloud. The data doesn’t show us that cloud computing is easier to hack or that on-premise technologies are safer; it shows us that humans are often the key to a threat actor’s success.
'Companies that are slow to adopt cloud computing will not only fall behind in terms of security, they will also fall behind their competition'
Myth 3: As More Companies Adopt the Cloud, There Will Be More Security Incidents

It is true that as more companies adopt cloud computing, there will be more security incidents involving cloud computing – we clearly see this in investigative reports – however it doesn’t mean that the breaches are the result of cloud computing. Indeed, the vast majority of breaches involve credentials, social engineering, phishing and misconfiguration, which means organisations are likely not using the security features provided by their cloud vendors (for example, multifactor authentication, IP range restrictions, etc). The vast majority of breaches do not involve a threat actor hacking into cloud computing companies via an application vulnerability.
Again, a secure product can be used in an insecure way if we don’t pay close attention to customer-controlled configurations. The good news is that secure configurations are very easy to implement and most cloud providers will readily guide life sciences organisations through that process.

Myth 4: You Can’t Verify What’s Happening with Your Data in the Cloud

Compliance is also a reason that some organisations avoid cloud computing, but the idea that you can’t verify what’s happening with your data is untrue.
Ironically, because cloud computing is built on API architecture, most cloud vendors provide very transparent logging of who did what, when, how and from where. If an organisation wants to know who configured its cloud platform in a certain way, it’s possible to query the logs and find out. The same is true for finding who has viewed data, uploaded data or edited data. It is often far easier to know what is happening with data, and when it is being stored or processed, with an enterprise SaaS platform, than it is when it is with disparate legacy software systems in physical data centres. With cloud computing, and enterprise SaaS specifically, it’s possible to more easily attain a state of programmatic assurance, making compliance with various regulations far easier than having to direct our teams to perform manual reviews, manual verification and manual evidence collection for audits.

Closing Thoughts

Cloud computing companies are investing far more in security engineering and security operations than most companies can fathom, let alone afford to themselves. Emerging and mid-market companies often lack the revenue to even hire the types of security engineering talent required today, and enterprises are facing stiff competition to improve their margins. Both can benefit greatly from the economies of scale that cloud computing offers when it comes to security, scalability and resiliency.
Life sciences organisations can reap many benefits from embracing cloud computing: better data analytics, a single source of truth for data in R&D, the ability to standardise research and get findings to market faster.

Zach Powers is chief information security officer at Benchling. With over 20 years’ experience working in tech and security, Zach is passionate about putting security innovation and experience toward the benefit of humanity.