Cloud and cybersecurity in pharma

Cloud and IT security

The cloud has become omnipresent. Whether we are streaming media, communicating with friends and colleagues, or simply storing data, almost everything is done via cloud providers. But the term often sounds like a buzzword used to make something more interesting than it actually is. What exactly is the cloud? What types are there? And is it secure? Here we show you the basics of cloud computing and how tracekey uses it.

Estimates suggest that by 2025, half of the world’s stored data will be in the cloud. In 2015, that figure was just 25%. But what does it mean to store data in the cloud? In simplified terms, the cloud is the Internet. Resources such as storage, network components, or computing power are outsourced from the company’s own computer or server to cloud providers. However, not all clouds are the same.

What types of cloud are there?

There are three types of cloud: public, private and a hybrid of both. Each type offers its own advantages and disadvantages and thus has different application possibilities. While public clouds are often used in small to medium-sized companies, large corporations usually have private clouds.

  1. Public cloud: In this type, the resources are available via the publicly used internet. To a certain extent, users can usually use these services for free. For larger quantities of resources, costs are charged. All components that enable this infrastructure, such as hardware and software, are owned by the cloud service provider.
  2. Private cloud: In contrast, the private cloud is used exclusively by a single company. Typically, it is located in the company’s data center. However, it is also possible to rent the infrastructure of an external cloud provider and thus outsource the data center. Private cloud systems are often used in companies where compliance rules must be observed or which work with confidential data.
  3. Hybrid cloud: As the name suggests, a hybrid cloud combines the two previous variants. Here, a private cloud is united with a public cloud to enable the desired requirements of a business. A number of programs or workloads are outsourced to the more suitable cloud depending on the application area. Ideally, this increases the flexibility and effectiveness of the desired objectives.

Insecure and expensive? Prejudices against cloud services

As with many technical developments, there has been and still is skepticism about cloud services. High costs and a lack of security are common fears regarding the cloud. But are these prejudices justified? Generalizing makes sense in very few cases, and not here either. However, there are a lot of advantages to using cloud services. So, let’s take a closer look at these prejudices.

  • Costs: When using a cloud provider, a company outsources resources that it would otherwise have to provide itself. An on-premise solution, i.e., in-house servers, requires a server room, the servers themselves, maintenance, regular hardware and software upgrades, and more. All of this comes with high acquisition and ongoing costs. Cloud service providers offer all of this and eliminate the initial cost. Monthly subscription costs can be freely adjusted according to one’s own requirements, which facilitates the scalability of the company.
  • Security: Many individuals believe that on-premise data storage solutions give them greater control over their data, since the data is usually stored on-site and not entrusted to an external provider. However, you don’t lose control over your own data when using the cloud. Companies with an on-premise solution are responsible for the security of their own data, which requires a lot of expertise, time, and money. Cloud providers have this expertise as part of their business model. They update and improve their systems regularly and at short intervals. Backups, failover and disaster recovery are other critical points around cybersecurity. With cloud storage, these are often automated, simple, and integrated. With local storage methods, backups and redundant systems have to be implemented independently, with corresponding complexity. However, there is no complete and guaranteed security with either type of data storage. Many data breaches are due to user mistakes and passwords that are too weak. Experts assume that 95% of the mishaps are due to people. Well-defined, automated processes within the cloud, which do not require human intervention, can help here too.

How do we deal with cybersecurity?

In addition to the three traditional types of cloud, there is also the community cloud. As a form of private cloud, it lets several companies use shared resources in a common cloud environment, while the clients (customer accounts) are strictly separated from each other. Due to its small circle of users, a community cloud has a similarly high level of security as a private cloud. Although different companies use the cloud, they naturally only have access to their own data. All users have their own secure area in which they can work. The use of modern encryption during transmission with TLS (Transport Layer Security) and of the stored data (encryption-at-rest) are just two examples of appropriate technical measures to ensure confidentiality and integrity. Of course, organizational measures such as internal policies and processes are likewise a part of holistic, risk-based cybersecurity management. In addition to the best practice guidelines of the IT and pharmaceutical industries, ITIL and GxP/GAMP, tracekey orients itself to internationally recognized and widespread standards regarding information security.

Software-as-a-Service providers such as tracekey offer the advantage that the software in question is run via the cloud. Updates are thus automatically installed for all users. Outdated software represents one of the most significant risks to cybersecurity. Regular and especially timely updates close existing security gaps and can prevent corresponding attacks. In December 2021, for example, our developers analyzed the risk for all customers, evaluating existing countermeasures and implementing additional proactive measures within a short time after the Log4Shell security vulnerability became known. Exploitation of this and future gaps can thus be effectively prevented.

Part of cybersecurity is not only protection against manipulation or data theft, but also protection against possible server failures, for example, due to disasters. For this purpose, tracekey backs up our customers’ data several times at different locations for at least six years after creation. Furthermore, redundant systems in Western and Northern Europe also ensure high availability in case individual components or entire data centers should fail. Thanks to server locations in the European Union, the data is also protected by European law.

It’s not always the technology’s fault

Just as important as cybersecurity on the part of the SaaS provider is the way it is handled and the culture within a company. Around 80% of cyber-attacks are due to stolen or too weak passwords. Phishing emails are a well-known way for hackers to gain initial access to systems and grab sensitive data. Regular training, awareness training, phishing simulations and technical measures such as two-factor authentication and secure password managers are suitable means to counteract this and minimize risks. Therefore, tracekey has been offering support for the secure web login standard FIDO2, based on biometrics or physical security keys, for its mytracekey web platform since 2019.

Using cloud services and achieving a high level of cybersecurity are therefore by no means mutually exclusive. However, the use of technical measures alone is not sufficient. Only a holistic concept that considers the organizational context and people as an opportunity in cyber defense leads to comprehensive security. With excellent knowledge and appropriate precautions, users don’t need to worry about their data.
