by Matt Ferrari
Co-founder and Former CTO
ClearDATA
When I’m on the road speaking with other CTOs or CIOs and I mention that ClearDATA hardens images according to the Center for Internet Security (CIS) Standards as part of our compliance solution for the healthcare cloud, ClearDATA Comply™, I am typically met with a huge sigh of relief. But not everyone understands what an important feature this is, and what a cost-saving and time-saving value it brings to our customers, so I’d like to unpack what we mean by ‘hardened images’ here for everybody.
As with all things cloud, we start with VMs – virtual machines – which are created from a template called a virtual machine image or virtual server image. The CIS, which is the industry standard for secure configuration guidance, defines these as ‘an operating system (OS) or application environment installed on software that imitates dedicated hardware. The virtual image can be accessed by multiple devices and acts like a physical computer.’ AWS, Google Cloud Platform, and Microsoft Azure all offer virtual machines or virtual images on their clouds, although they refer to them by slightly different names, such as AMIs (Amazon Machine Images) or instances.
Virtual images can be spun up on your choice of cloud to do your routine computing operations without you having to buy hardware or software, resulting in potentially significant cost savings, which is one of many reasons healthcare is moving to the cloud. They also result in time savings, as they can be spun up or down in minutes, not months. Developers like the time saved, and so do CTOs and CIOs who don’t have to purchase and set up hardware, much less install the operating system or supporting software and drivers for each environment.
Now, on to where ‘hardening’ comes into this…
A hardened virtual server image, usually called a hardened image, is a virtual image stripped of everything unnecessary to the specific task at hand. A developer starts with the most recent version of an OS and, acting in accordance with CIS standards, builds the image with the appropriate current software, the fewest administrative permissions and privileges, and only the services and ports that are necessary. The list goes on, but the idea is to build in only the minimum that is necessary.
This intentional ‘tightness’ with permissions and ports is a mindset that ensures you start secure. It’s a key approach to a Defense-in-Depth strategy that protects your organization and limits your security gaps and vulnerabilities.
However, it’s worth noting that none of this means hardening images is easy. The CIS tells us that a single OS can have over 200 configuration settings, so you start to see how having ClearDATA expert staff configure and harden the image, rather than doing it yourself in house, can be a huge value. And that’s just hardening images. Understanding how to configure various cloud services so they’re compliant with HIPAA or GDPR, for example, requires an in-depth understanding of compliance and regulations as well as cloud technology. ClearDATA Comply provides over 180 technical controls for 70 of the most commonly used cloud services, letting your team focus on your business objectives, not configuration settings.
Here are some of the actions we take with hardened images to protect your healthcare cloud environment:
- Our hardened images are built to CIS Standards
- Images are released monthly, and patched nightly
- We fully automate the system, meaning that if critical vulnerabilities come up, we can address them rapidly – within the same day
- These are available across many different operating systems and available from us for all three major clouds: AWS, GCP and Azure
- Many of our customers were months behind in patching before we hardened their images; now they have built-in rolling updates, so their infrastructure is always up to date and defended
- As new operating system images – or instance types – are released, they get automatically hardened within the ClearDATA tooling. This is especially important when an organization is tearing down environments with each application deployment cycle if they are utilizing blue/green or similar types of deployments.
If you were going to do this yourself, you would need to:
- Buy hardened images through a cloud marketplace or harden them yourself
- Figure out how to ensure they’re always up to date – which may mean patching daily
- Make sure nothing breaks as you are updating
ClearDATA has an automated test suite, which runs assessments and makes sure the hardened images work properly and are properly scanned for known vulnerabilities.
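As an added illustration of the ‘minimum necessary’ checks an image assessment like this performs (example code written for this article, not ClearDATA’s tooling), the script below evaluates a constructed snapshot of a built image against an allow-list of ports and services, a least-privilege sudo rule, and the nightly patch cycle. The policy values and both snapshots are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Policy:
    """'Minimum necessary' expectations a built image must meet."""
    allowed_ports: set = field(default_factory=set)
    allowed_services: set = field(default_factory=set)
    max_patch_age_days: int = 1  # nightly patching cycle

def assess_image(snapshot: dict, policy: Policy, today: date) -> list:
    """Return hardening findings for an image snapshot; [] means it passes."""
    findings = []
    # Only allow-listed ports may be listening.
    for port in sorted(set(snapshot["listening_ports"]) - policy.allowed_ports):
        findings.append(f"unexpected listening port {port}")
    # Only services needed for the image's task may be enabled.
    for svc in sorted(set(snapshot["enabled_services"]) - policy.allowed_services):
        findings.append(f"unnecessary service enabled: {svc}")
    # Least privilege: no password-less sudo entries.
    for line in snapshot["sudoers"]:
        if "NOPASSWD" in line:
            findings.append(f"password-less sudo: {line.strip()}")
    # Patch freshness: the image must have been patched within the cycle.
    last_patch = date.fromisoformat(snapshot["last_patch"])
    if (today - last_patch).days > policy.max_patch_age_days:
        findings.append(f"patches stale: last applied {snapshot['last_patch']}")
    return findings

# Constructed policy and image snapshots (hypothetical values, not real images).
POLICY = Policy(allowed_ports={22, 443}, allowed_services={"sshd", "nginx", "auditd"})
TODAY = date(2024, 5, 10)
UNHARDENED = {
    "listening_ports": [22, 80, 443, 3306],
    "enabled_services": ["sshd", "nginx", "auditd", "cups", "telnet"],
    "sudoers": ["%wheel ALL=(ALL) ALL", "deploy ALL=(ALL) NOPASSWD: ALL"],
    "last_patch": "2024-04-20",
}
HARDENED = {
    "listening_ports": [22, 443],
    "enabled_services": ["sshd", "nginx", "auditd"],
    "sudoers": ["%wheel ALL=(ALL) ALL"],
    "last_patch": "2024-05-09",
}

if __name__ == "__main__":
    for name, snap in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(name, assess_image(snap, POLICY, TODAY) or ["PASS"])
```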
End result: you save time and money on hardware, patching, testing, and monitoring, and you work with the peace of mind of knowing we have created an environment for your healthcare cloud that is less prone to attack. ClearDATA Comply lets your team innovate safely in the cloud while protecting your environment.