At Green House Data we like to say there’s no “one size fits all” cloud deployment. That’s why we don’t have base package pricing on the website — every VM is right-sized and designed around our client’s applications and business goals. That philosophy applies to every cloud deployment, and the network considerations aren’t exempt.
Depending on your objectives, the intended use of the application in question, and the location of your users and service providers, your network will have different performance and cost implications.
Let’s take a look at how to prepare your network for varying application deployments in the cloud.
VMware vSphere 6.5 introduced policy-based encryption, which simplifies the security management of VMs across large scale infrastructure, as each object no longer requires individual key management.
vSphere VM encryption offers quite a few advantages compared to other encryption methods, but it might not be a great fit for every workload. When weighing whether to encrypt or not, you’ll want to consider a few limitations, caveats, and performance issues first.
You did it — you passed your PCI (or SOX, HIPAA, GLB, etc.) audit! But the work isn’t over. A recent Verizon study found that most companies fall out of PCI compliance after just nine months. And it doesn’t stop with PCI, either. Many companies work hard around audit time to ensure they can report compliance for the audit period and advertise their security, only to falter once the audit is complete.
For PCI, that also means being able to continue doing business with credit card companies. For other standards like HIPAA and SOX, it means avoiding hefty fines and legal consequences.
Unfortunately, simply checking the compliance boxes doesn’t mean you’re safe for the foreseeable future. You need to maintain compliance at all times throughout the year, not just when the auditors are knocking on your door.
While many organizations combine Security and Compliance under a single banner, and there is nothing inherently wrong with having a Chief Security and Compliance Officer or managing risk mitigation under a single umbrella, the fact is that compliance and security measures are two overlapping but inherently different practices of information security.
Compliance standards often change quickly and require quite a bit of work to ensure enforcement across an entire organization. Audit trails, regulator inspections, minimum mandates…they have to be tracked and adhered to 24/7. But meeting compliance standards often puts blinders on a security administrator.
Simply meeting a compliance measure — or even four or five — does not mean that your infrastructure is up to snuff with security best practices. Nor does following industry standards of security guarantee that you’ll meet your next compliance audit.
After years of waiting, the Office for Civil Rights (OCR) has finally sent out its initial round of notice letters for HIPAA audits. This first batch consists of 167 covered entities, who will have to answer a list of audit questions and provide a complete list of their Business Associates (BAs). BAs are where hosting partners come into play: a HIPAA compliant data center must sign a Business Associates Agreement with each covered healthcare provider. The OCR will be using these lists of BAs to choose around 30 BAs to audit, starting in September.
Even if your organization did not receive an audit letter, know that up to 50 more covered entities and BAs will face on-site comprehensive audits by OCR in early 2017. Now that OCR audits are upon us, how can healthcare providers and their business associates prepare?
In the IT world, if it isn’t logged or documented, it might as well never have happened. Without properly tracking change management, even for routine processes, it can be impossible to discover why a system stopped working, or worse. Technicians might be stuck halfway through a switch upgrade, unable to retrace their steps when they realize the equipment install won’t work. Or an entire organization could be held accountable under the law because it failed to maintain compliance.
IT documentation, in other words, is an essential if occasionally painstaking piece of data center operations. At Green House Data, we document everything we possibly can. Outside of support or internal emergency responses, which are always tracked in a ticket, planned changes must undergo a five-step process in order to keep track and learn from the change.
The Patient Protection and Affordable Care Act of 2010 (ACA) requires each state to have a health insurance Exchange, a marketplace where consumers can easily shop around for health insurance and find the best option for them by comparing price, benefits, services, and quality. In order to obtain Health Insurance Exchange (HIX) compliance, Section 1561 requires that certain security standards and protocols be met by these Exchanges in order to make every effort to protect and ensure the confidentiality, integrity, and availability of the system and its users.
These Minimum Acceptable Risk Standards for Exchanges (MARS-E) are separated into three classes: technical, operational, and management. These classes consist of nineteen control families, handling everything from Personally Identifiable Information (PII) to Protected Health Information (PHI) and Federal Tax Information (FTI).
If you find yourself dreading the thought of another audit, viewing it as more of a hassle than anything else, you may be suffering from the widespread but little known “Compliance Fatigue”.
The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. After years of testing and delays, the second round of HIPAA audits is finally materializing, and it is expected to be more comprehensive, focusing on the real-world application of policies and procedures across the entire organization and its business associates (BAs).
This program puts to the test the processes, controls, and policies of covered entities (CEs) and BAs in accordance with the HITECH Act audit mandate. The OCR has published its entire audit protocol on its website, which fully outlines the procedures auditors must follow when conducting a program audit, making it easier to prepare.
Is your health organization ready for the OCR auditor?
As faster network speeds, MPLS networks between data centers, and software-defined technologies proliferate, it becomes easier than ever to host some applications across the country — or even across the world — without any negative impact.
However, for other cloud computing uses, data center location can have major implications when it comes to performance, compliance, and disaster recovery. There are two camps on the issue of data center locations for cloud infrastructure: yes, it matters, and no, it doesn’t make much of a difference.