Enforcing Cloud Security at Merit Medical
18 November 2010 (updated 15 May 2020)
Yesterday, I presented a case study on cloud computing security at the Cloud Security Alliance Congress 2010 in Orlando, Florida. Below are the notes I put together in preparation for my presentation.
The conference was technically oriented, so I didn’t comment on futurism or philosophy. However, it’s worth noting here that cloud computing is a significant manifestation of accelerating technological change. Our computers are not only becoming individually faster and less expensive, but together (metaphorically as a cloud) they are also becoming increasingly redundant and distributed – increasingly like biological brains. So, to make the technical read more philosophically interesting, you might consider whether this case study is a rudimentary example of how to ensure mental health in the future.
This is a case study on enforcing authentication, authorization, administration and auditing (the four ‘A’s) on cloud computing resources at Merit Medical. Merit is a manufacturer and direct seller of single-use medical devices, such as catheters and syringes, used in cardiology and radiology procedures. The worldwide direct sales team at Merit needed improved reliability in remote access to product information and training. Merit’s solution is a strong example of leveraging and securing cloud resources to solve a business problem.
The key points of the case study are:
- Review existing infrastructure
- Identify cloud apps to secure
- Plan integrated solution
- Implement integrated solution
- Assess results for improvement
Review Existing Infrastructure
Historically, Merit has been a Microsoft shop. The company uses the Windows operating system on desktops and laptops, and secures its network with Active Directory. It uses Exchange for email, and for intranet collaboration it was using SharePoint. For training purposes, Merit had also installed an instance of Moodle, an open-source learning management system.
Merit’s IT infrastructure served about 2000 employees. Of them, nearly 130 were sales representatives distributed throughout the United States and Europe. To perform their jobs effectively, these employees depended on email for product information and remote access through VPN to SharePoint and Moodle for product training.
This presented some problems. For example, copies of outdated and incorrect product information proliferated through the email system. Large files like PowerPoint presentations and videos bogged down email servers. User experiences with SharePoint and Moodle were poor due to limited bandwidth, aging hardware and poorly maintained software. Additionally, users occasionally needed access to product information and training on computers that didn’t have VPN access to the corporate intranet. Executives wanted these problems fixed quickly, without spending a lot of money.
Identify Cloud Apps to Secure
Merit looked to the cloud for solutions that would be quick to implement, without large capital investments. For public product information, the company began planning a new corporate web site on the Amazon Web Services platform, integrated with various social networks. On the private side, Merit began using Nefsis video conferencing for live product training, and a combination of Google Docs and the eLeaP learning management system for on-demand training.
Most of these cloud apps would prove to be easy to manage and secure on an ongoing basis without additional tools, but there was an area of concern. A few applications required management of many employee accounts with access to private product information.
In all, over 200 users needed secure access to product information and training in Google Apps and eLeaP. Some of these users, including marketing and customer service, were employees on the corporate network. Most were sales representatives in the field. Others included non-employee distributors that needed access to a subset of the information to help them sell products in geographies that Merit didn’t service directly.
Although the new cloud apps helped Merit improve remote access to product information and training, they presented the company with some new challenges as well. For example, sales executives expressed concern about authentication. Sales reps would have to remember more usernames and passwords. Already, the reps sometimes had difficulty remembering a single set of corporate credentials, let alone additional sets of credentials for each cloud app added to the mix.
Additionally, IT management expressed concern with authorization. Systems administrators would have to go to multiple locations to permit or deny user access to the various systems. More problematic, even if a user’s primary Active Directory account were disabled, she would still be able to access cloud apps until systems administrators deactivated her account for each of those apps.
A related problem was that each cloud app had its own user store, separate from Merit’s Active Directory. Both provisioning and deprovisioning of users required new processes for each application, increasing the complexity and security risk of the overall system.
On the auditing front, although Google Apps and eLeaP training provide aggregate usage statistics, they only report the most recent login for specific users. Merit wanted a better auditing trail, providing a full history of user logins.
Finally, with the new cloud apps, Merit found itself with systems in several separate silos. Product information on the intranet had to be copied or moved to Google Docs or eLeaP. Training information in Google Docs couldn’t be embedded in eLeaP unless it was first made public, which was not acceptable for private information. So employees responsible for producing and maintaining the information had to try to keep the systems synchronized manually, which was time-consuming and error-prone.
Plan Integrated Solution
With the new challenges of the cloud apps in mind, Merit searched for a security solution. Sales executives wanted single sign-on, and IT management wanted authorization integration with Active Directory. Although less important, better provisioning, auditing and usability would be nice too. The traditional security solution providers would be able to provide at least some of these features, of course, but costs would be high and implementation time long. Searching for an alternative, Merit came across a company named Symplified.
On investigation, it looked like Symplified’s service would be a good solution to the cloud app security challenges. It would be able to secure both Google Apps, using the industry-standard SAML protocol, and eLeaP, using a custom connector. All of Merit’s users would be able to sign in to these applications with a single set of credentials, from anywhere in the world and from any standard Internet-enabled device, including the smartphones popular among sales reps.
On top of integrating cloud apps between themselves, the Symplified service would be able to extend the integration to Merit’s existing IT infrastructure. Security credentials would be authenticated against Active Directory, authorization for access to a cloud app would be determined based on directory queries, and all of this could happen behind the company firewall on a managed router.
Additionally, the Symplified service would use integrated Windows authentication, when possible, such that users on the corporate network could access cloud apps without any manual logins after the Windows login when starting their computers. With these promises in mind, Merit put the financial and legal folks to work, and struck a deal with Symplified.
Implement Integrated Solution
The first implementation step was to install and configure a Symplified Identity Router in the corporate data center, to act as a proxy between Active Directory and the Symplified service. This required coordination between Symplified and Merit’s network operations team, particularly during troubleshooting of the router’s communication through the firewall.
Once the router was in place, Symplified trained Merit on use of the SinglePoint admin console to configure aspects of communication between the Symplified service and the Identity Router, as well as to identify cloud applications to secure.
On the Google Apps side, Merit used the standard option in the admin console to offload authentication responsibility to the Symplified service. Initially, testers did this during non-working hours to minimize disruption to users, who were not yet trained on the Symplified service.
eLeaP configuration required some assistance from its vendor, Telania. With instructions provided by Symplified, Telania manually reconfigured Merit’s instance of eLeaP to do a couple of things. First, eLeaP would redirect authentication requests to the Symplified service. Second, eLeaP would block all non-authentication requests that did not originate from the Symplified service. Subsequently, a user trying to access eLeaP would be challenged with the Symplified login screen, log in with Active Directory credentials, and then input eLeaP credentials for the Symplified service to remember going forward.
While preparing to extend use of Google Apps to non-employees, Merit encountered a new security concern. Users of Google Apps are often presented with the option to share documents, sites and videos with everyone in the organization. This is a convenient feature that employees were using. However, Merit was concerned that use of this feature would increase the likelihood of accidentally sharing sensitive information with any non-employees added to the system.
So the company decided to create a separate instance of Google Apps for non-employees and secure it using the Symplified service, just like the original Google Apps instance. The end result was that Merit employees could continue using the convenient global sharing feature without having to worry about non-employee access to the information, while still gaining the option of explicitly sharing info with non-employees in an integrated and secure system.
Next, Merit set up a free tool provided by Google to enable automatic provisioning of user accounts from Active Directory to both instances of Google Apps. The synchronization was scheduled to run on a regular basis, ensuring both that new employees immediately receive Google Apps accounts and that accounts of departing employees are immediately marked inactive for easy review before deleting the account and recycling the license.
Finally, and most importantly, Merit tested. To ensure flexibility, the company verified that the secured cloud apps would work across desktops, laptops and mobile devices, whether running the Windows or Mac operating systems, using any of the major web browsers. All major problems identified were resolved by working with the service vendors, and the secured solution was ready to use after investing less than 100 hours of Merit employee time spread out over six months.
Assess Results for Improvement
As a result, Merit users now have one set of credentials to access both intranet and cloud resources. If they are not on the corporate network, they are challenged by a Symplified login prompt. If they’re on the corporate network, they can navigate from their Windows desktop directly to cloud apps without any login prompts at all.
Systems administrators now have authorization control over cloud resources just like intranet resources. They can permit or deny access by configuring Active Directory, and they can immediately block access to everything simply by deactivating a user account in one location.
Administration of users is not entirely resolved. Although provisioning of users in Google Apps is automated, Merit still manually provisions users in eLeaP, which regularly results in ghost user accounts that incur unnecessary licensing costs. Merit has discussed this problem with Telania, who began working on a provisioning API that will enable automated user provisioning for eLeaP in the future.
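Until provisioning is automated, ghost accounts of the kind described above can be caught by periodically reconciling a directory export against the app's user list. The following is an added example, not code from Merit, Telania or Symplified; the CSV column names, the sample addresses and the function names are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports. The column names are assumptions, not the
# real Active Directory or eLeaP export formats.
AD_EXPORT = """mail,enabled
alice@example.com,TRUE
Bob@Example.com,FALSE
carol@example.com,TRUE
"""

ELEAP_EXPORT = """email,status
alice@example.com,active
bob@example.com,active
dave@example.com,active
 Carol@example.com ,inactive
erin@example.com,inactive
"""


def _norm(addr):
    # Exports rarely agree on case or padding, so compare normalised keys.
    return addr.strip().lower()


def load_directory(text):
    """Map normalised e-mail -> True if any directory record for it is enabled."""
    directory = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = _norm(row["mail"])
        enabled = row["enabled"].strip().upper() == "TRUE"
        directory[key] = directory.get(key, False) or enabled
    return directory


def find_ghost_accounts(directory_csv, app_csv):
    """Return sorted (email, reason) pairs for accounts still active in the
    app that have no enabled directory account behind them."""
    directory = load_directory(directory_csv)
    ghosts = []
    for row in csv.DictReader(io.StringIO(app_csv)):
        if row["status"].strip().lower() != "active":
            continue  # already deactivated in the app
        email = _norm(row["email"])
        if email not in directory:
            ghosts.append((email, "not_in_directory"))
        elif not directory[email]:
            ghosts.append((email, "disabled_in_directory"))
    return sorted(ghosts)
```

Accounts reported as `not_in_directory` need a manual look before removal, since they may belong to users who were provisioned in the app under a different address.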
For auditing, Merit now receives a full history of user logins to cloud apps via log files from Symplified. When needed, the log files are imported into reporting tools for visualization.
Merit also now has a fully integrated user experience between cloud apps and its intranet. For example, employees can embed secure Google documents directly into eLeaP as training modules. This ensures that any changes made in Google Docs are reflected immediately in the corresponding training, reducing the likelihood that trainers will forget to update their courses with the latest information, and saving them the time it previously took to copy content from one system to the other.
There are still improvements to make. For example, Google uses different authentication systems for Google Apps and the Google Apps API, which means Merit users need to know a second password if they want to use any application that communicates with Google Apps through the API. This becomes difficult to manage when dozens of remote employees want to do things like synchronize Google Docs to offline storage on a mobile device.
However, on the whole, the project was a success. Merit’s remote team members now have more reliable remote access to product information and training. Unmanaged and erroneous information has been reduced, user experience has improved, and all of this was done quickly, inexpensively, and securely – actually delivering on the promise of the cloud.