Posted by: FlorianB
In this final part of my thoughts on cloud and virtualization, I would like to cover the security aspects presented by Feisal Nanji in session 119 at HiMSS 2011. Interested readers should have a look at Part 1 and Part 2 of this series and also download the slides from the HiMSS website.
On slide 8, Mr. Nanji explores some virtualization concerns. Among them, he explains that virtualization increases complexity in the sense that it touches multiple silos in the IT organization (apps, servers, storage, network, backup, and security). I agree with his point and would like to predict that any IT organization that positions itself as a private cloud provider will have an organizational chart that is different from today’s. Organizations adapt with technology and it’s a good idea to think about this before building a private cloud solution.
On the same slide, Mr. Nanji says that virtualization can cause large-scale failure. Let’s put this one into perspective. Mr. Nanji is correct when he says that the failure of a single physical server can bring multiple virtual servers down. However, thanks to virtualization, the recovery is MUCH faster. Virtual servers can simply (sometimes automatically, depending on the design) fail over to another physical host and the user would not even notice that anything went wrong. The key here is to plan and design for failure modes and invest in High Availability (HA) and failover where critical services are virtualized.
On the next slide, Mr. Nanji points out some of the benefits of cloud computing. However, these benefits are not automatically realized when servers are virtualized as his slide title may imply. As I point out in the previous articles in this series, virtualization is just the first step – automation & metering are essential to converting a virtual environment into a private cloud.
Mr. Nanji is to be commended for his wonderful slides 10 through 16. He does a really nice job classifying clouds and they are a good read – I recommend that you have a look.
I’ll pick the topic back up on slides 16 and 17, where he talks about today’s enterprise security processes and asks what happens to them “in the cloud”. I assume that Mr. Nanji is thinking about a public cloud in this context. It is therefore important to review the security and audit practices of IaaS or SaaS vendors very carefully. It could very well be that the bulk providers are not adequately prepared to provide the required service levels for the healthcare industry, and it is entirely possible that specialty vendors (think HIPAA certified!) will emerge to serve this market.
Finally, Mr. Nanji asks the audience whether it is “cloud ready”, with standardized operating procedures, automated deployment management, and self service in mind. All those attributes would be important before building out a private cloud environment, but would not be necessary for the consumption of IaaS or PaaS type of services.
So, after having almost completed three articles on the topic this week, what are my conclusions?
1. Public Cloud (IaaS) is not ready for healthcare any time soon. As I point out in Part 2 of this series, moving the workload that a single physical server can handle to an IaaS vendor who charges $1 per hour per VM would cost roughly $170k per year. So, EMR apps that run 24/7 can probably be provided at a lower cost internally and the security and privacy concerns (along with audit compliance) are very real. Specialty vendors for healthcare may emerge in this space.
2. Public Cloud (IaaS) is awesome for environments that are short lived (training, demo environments) where the higher cost over a year is easily offset by the ability to provision environments automatically.
3. Platform as a Service for Healthcare? The answer is: It depends… on the type of app you’re looking to develop and on the security policies and SLAs that the PaaS vendor has in place. I didn’t do much research on the topic, but I’d be surprised if there were any PaaS vendors out there who can meet the complex audit and security requirements of healthcare.
4. Software as a Service? Absolutely! In the sense that there are multiple EMR vendors offering fully web-based EMRs that meet the mandated standards, SaaS is the way to go. I would suspect that many of those vendors would not share infrastructure in the backend or allow for your organization to consume this type of software by the hour, but that hardly matters for production EMR applications that run 24/7.
5. Finally – the Private Cloud for healthcare? Absolutely! Again – if you’re ready to make the investment in system automation and metering, you can act as a cloud provider to your business and functional units. It may enable you to move operational expenses back onto the business and out of IT, and you would control the security and compliance policies. Implementing a private cloud environment is not something you’d be able to do overnight and it would probably have some impact on your organizational chart, but it may be worth the effort.
6. One more… Hybrid Clouds? The answer is again “it depends”. Connecting your IT infrastructure seamlessly to a cloud to provide burst capacity or additional functionality is not exactly easy to do and has a lot of moving parts. More and more vendors and system integrators have solutions in place to cover the case, though. The same security and privacy concerns that I mention for Public Cloud apply here as well.
Thoughts or questions? I would love to hear your comments!