C-Suite Q&A: Sndr's Shaun Murphy on the Evolving Threats to the Cloud

"We’re in the future now, we don’t have flying cars yet, but ultimately people are buying and maintaining less and less servers."

For the Q&A this week, Healthcare Analytics News spoke to sndr’s CEO Shaun Murphy. A veteran of the cybersecurity industry, Murphy has worked for the Department of Defense and has been in the field since intercepted payphone calls represented a cybersecurity risk. A few years ago he started his company, which provides end-to-end cryptography for high volume cloud communications.

Murphy spoke at length about the evolution of the cloud’s roll in business and the unique process of securing the information that travels through it.

Just how rapidly is the cloud taking over business?

It’s no secret. Since about 2013 and beyond it’s become the future of computing. We’re in the future now, we don’t have flying cars yet but ultimately people are buying and maintaining less and less servers and going to cloud-based approaches.

On one hand, it’s for convenience, but on the other you pretty much have to these days. To try to run your own email server 10 or 12 years ago was a very common thing, most medical groups and small businesses even did that. You could competently run your own email server. Nowadays, you really can’t, no matter how much time and money you invest in it, because other email servers won’t necessarily trust yours, so most people just end up finding it easier to buy it through Google or Microsoft.

That, to me, is kind of the weird thing with cloud computing. Not only is it really an interesting technology on its own, but it’s almost becoming mandatory that you have to adopt it, not only because it’s a much better choice for a business not only from a cost saving and scaling perspective, but also that it’s almost untrusted to be running your own servers now.

Looking at this past year, the trend has continued: massive adoption of cloud services. Probably the scariest trend that we’re seeing is the concept that employees are driving their own cloud adoption. Maybe a company is a bit hesitant to jump into the fray, but their employees want to get their work done and they’ve heard about something that’s really cool and slick and amazing and they started adopting things like DropBox and Slack…that’s how they get into businesses. The employees brought them in: we call that the “shadow IT.” You might have an IT group and their job is to make sure they vet all of these things and test them, and they end up coming to a conclusion that something’s not safe, but the employees brought it in anyway.

Cloud computing is beginning to rapidly invade business at the rate we expected, and trying to secure things is what we really have to look at.

How are threats to cloud-based information changing over time?

The sort of attacks that we’ve seen, we can research them all day long and discuss them all day long: the ever-pervasive threat of someone hacking into someone else’s server. If you own your own server and someone hacks into it, you can reasonably figure out what the damage was, assuming you have a competent workforce.

Once you start dealing with someone else’s infrastructure, their servers, you can be so many layers deep that you can’t perform that analysis. You don’t necessarily know. We always talk about hackers, which is an unwieldly term because it gets so abused, but basically a bad actor getting into your system and stealing your data. Over the last few years we have seen that evolve. Whether it’s the faceless hacking group from overseas somewhere, or unscrupulous employees inside the cloud computing company. Moving to the cloud has opened up a lot of vulnerabilities that really didn’t exist before. That’s really the interesting evolution of attacks, now we have to worry about the security risks being under somebody else’s control, and how competent they are, and what the character of their employees is, and what level of access does the vendor itself have to the data?

What should enterprises be looking for in trying to find cloud vendors?

From a technology analysis phase, the first thing I always want to look at is: how sound is their technology? Is it something where their protection is only a procedure, or is there technology that backs it up? Of course, too, there’s how much time they spend on security. Do they really have a lot of time invested in their security apparatus, or is it more of a scenario where they’re going to rent you space in a server and it’ll be up to you to take care of.

Beyond the inherent risk of dealing with PHI, what is different about working with healthcare organizations on this sort of thing, as opposed to any other business?

I think the healthcare industry is interesting to me because there’s a lot of devices, and a lot of different data that has to be moved back and forth. A lot of times they have very different requirements, some imaging device, some patient record, some doctors’ notes. You have this disparate group of different devices and users, how do you really pull all of these things together? From a security standpoint, the more systems you have the more attack service you have.

It’s not just patient records, or communications between patients and doctors or doctor-to-doctor, it’s all these other devices that may potentially be connected to a network. How vulnerable are they? Do they have their own cloud element? Do they have their own method of storing data? They all have different concerns.

That’s kind of leading into the Internet of Things, and within that the Internet of Medical Things, so it leads me to ask: was the cloud infrastructure we have in place built with the knowledge that so many things would be connected in that way?

Ultimately the cloud just refers to an ephemeral group of data stores, you really don’t know what it is. The thing that you do know is that you’re getting this convenience, this wonderful app or web page you can access all to yourself. The cloud has always been built to do that, to scale and make things convenient and easy.

What it was never built for, and the thing I’m actively trying to change, is the security side of things. How do you keep things convenient and easy and accessible, but at the same time allow certain things-some sensor, something that a patient will take home with them-and transmit the data securely. That’s where we’re at now, we’ve built up this amazing, wonderful technology, but we never stopped to think about if we should secure it first.

Sure, we can do all of these things, but we’ve got to make sure we’ve got a solid front on the security side of things.

What do you think is the biggest thing that you’ll have to be concerned about in the next year?

Continuing on, the unauthorized access or leaking of customer information always has to be front and center in any discussion. Things like technology malfunctioning, or unable to figure out what’s happening in the cloud, those are major concerns as well. But, every week we hear about some major breach that happens, and there’s always a dance in trying to figure out who’s to blame and that type of stuff.

That’s going to be the continual and common threat, just given how sensitive this data is, not only from the “evil hackers” in the outside world, but also internal threats as well. Employees inside the companies, engineers who may’ve put a back door in…all these things are going to be the major risk no matter what cloud technology we’re talking about.

Beyond that, what in this industry keeps you up at night?

Ultimately the reason I started this was the sheer amount of money going towards invading personal privacy. It’s not just necessarily social media and that type of stuff, it’s also these exact use cases: health information, legal information, financial information. Our personal lives are being opened up to analytics companies and vendors that only care about scraping our data and selling it to the highest bidder.

I saw that trend starting in 2009, 2010, and it’s just exploded. Social media is obviously one of the biggest ones: you give consumers something for free and they start using their product, and then you start selling all their data. That, to me, is terrifying, I have kids I’m raising in this world, and they’re seeing everyone posting information about themselves and not having any privacy, so why should they even try? Really my main objective has been to try to bring back authenticity, so when you read something online, you know it came from that entity that’s trying to communicate with you, instead of generated information or an ad directed to you. So that’s really going to be my life’s work moving forward.