Using Open Raven’s automated mapping, data classification and data policy monitoring, HealthSnap has both scaled and improved the effectiveness of their security resources, allowing them more time hardening defenses and less time investigating where defenses need to be hardened.
"I can’t think of anything that can replace what Open Raven does. Almost everyone in our security organization benefits from Open Raven, it’s become a cornerstone to our whole operation."
Challenges in cloud data security
Cloud Asset Inventories & Infrastructure Mapping
We follow HITRUST and need a constant pulse on our infrastructure and the data therein, including both asset inventories and infrastructure diagrams. This means regular, manual work that must be done to prove to our regulators, partners and patients that we know what data we have, where it is, and that it’s protected. Each update can take days of copying and pasting from AWS, exporting results from various scripts and consolidating into an Excel sheet.
If we had Open Raven during our first round of HITRUST certification, it would've saved at least 2 to 3 months. It’s very fast and easy to use. Open Raven provides an up-to-date 3D map of all of your assets (native and non-native) in the cloud, which is very cool and unique for a security product. You see all the different regions where you have assets and can easily explore for more detail; how they're connected through security groups, VPC peering, encryption status, backup status, MFA, etc. You can look at your security posture and immediately see which controls are in place and most importantly, which are missing. You never see things like that. Now, rather than spending a few days every month doing this work, I can just go into Open Raven, click a button, download, and move on.
Enforcing Data Policy Rules (HITRUST)
The first part of HITRUST is knowing what you have and where. Then you must put proper security controls in place and be able to show how you are enforcing them. There are required controls from HITRUST and there are AWS security standards: encryption at rest, public accessibility, security group access, backups, MFA, etc. So we take both and translate those requirements into rules and policies so we can then train the teams and build our infrastructure to ensure such controls are in place at all times. To satisfy these requirements is tedious, manual work. You just know that mistakes will be made. In addition, you may not know everything that’s happening until the next round of updates. It’s these gaps in visibility and the time it takes to investigate and enforce policies that concerns us most.
Almost right away, you get something out of Open Raven. Within the first couple hours, we had visibility across our cloud and were alerted about resources not encrypted at rest. This was surprising since at-rest encryption is a “golden rule” that everyone should be following for all resources. But, you just love it when your own system tells you about something like this versus finding out the hard way. We've only had to customize a couple of rules for the HITRUST standards. For the most part, all the data policies and rules we need are ready for use, out-of-the-box. You just enable them and then you get alerted via Slack or email. That’s a big time saver for us, especially in addressing new infrastructure. Having a single system that tells you when your data is exposed, or infrastructure security controls are lacking or that resources aren’t backed up is a huge time saver and gives us great confidence in our security posture.
Scaling Security Resources
As the leader of a lean team, I’m constantly looking for ways to quickly and effectively control our costs and scale our throughput with automation or by limiting variables as best I can. Because we decided to only use Amazon Web Services (AWS), we were able to attain our first HITRUST certification within 12 months rather than the typical 18 to 24 months for organizations managing hybrid or multi-cloud environments. Even then, we have a lot of manual work to maintain our current certification status, more work to attain the next round of certification, and doing that while staying on top of our day-to-day responsibilities. If you can’t automate work, you have to make additional hires, which can be expensive and time consuming. The alternative is that work just doesn’t get done and you’re nervously waiting for something bad to happen.
Open Raven adds value in satisfying over 30 different HITRUST controls, that’s very good. It didn’t feel like “adding Open Raven” was an initiative because there was no deployment. We just created our read-only AWS account, connected it to Open Raven, and within a couple hours, I could see across our whole infrastructure. This discovery and mapping alone saved us a ton of time and benefitted the entire team. If we’re asked about our sensitive data, we can provide exact answers, easily. If we want to quickly review our security posture, it’s right there on the map.
The built-in policies meant we had to spend very little time creating or modifying our own. When we receive alerts, the information we get makes the work of assessing and prioritizing each alert for action very fast: data instance counts, specific objects involved, file names, redacted previews of findings and direct links into the AWS Console. It just makes everything from discovery, to planning, to ongoing hardening, incident response and reporting faster and more effective. On a per task basis, such time savings may seem small, but when you add up the time saved over the course of the year, it’s like you’ve made new hires. This current round of certification and the ongoing process of maintaining it is going to be much quicker now that we have Open Raven.
"Taking a look at Open Raven is a must. To us, it is very useful. It brings a lot to the table, and helps streamline a lot of processes, especially for certifications like HITRUST."
We’re very excited about all that Open Raven is doing. We began with a clear need for asset discovery, infrastructure mapping and classification, and it worked great. We began using rules and monitoring to enforce our controls for HITRUST and it’s saved us a tremendous amount of time. Open Raven has become foundational to our entire approach to security.