Written by: admin on 01/30/17

Azure, Storage, and StorSimple

Azure is Microsoft’s public cloud offering. Microsoft provides data storage as one of the services in Azure. Azure storage provides an attractive option for organizations that wish to leverage cloud scalability, flexibility, security, and cost savings. A single Azure subscription provides up to 100 standard storage accounts, each with a capacity of 500 TB. Such vast capacity makes petabytes of data storage available on a moment’s notice.

Azure StorSimple is an on-premises iSCSI SAN provided by Microsoft to easily bridge the gap between on-premises and Azure storage. With a very small on-premises footprint (2-4 standard rack units), it provides 200-500 TB of storage available to on-premises users and applications. StorSimple features automated tiering between its SSD, SAS, and Azure tiers. It automatically tiers the oldest blocks from the SSD down to the SAS tier as the SSD fills up. Similarly, it automatically tiers the oldest blocks from the SAS tier to the Azure tier as the SAS tier fills up with data. All metadata resides on-premises for fast file browsing and access.

Healthcare adoption and common use cases

StorSimple is purpose built as a storage target for primary unstructured data sets, such as file shares and home directories. In healthcare we’ve seen several popular adoptions of Azure storage using StorSimple, particularly with PACS and sleep study systems. PACS (picture archiving and communication system) is a healthcare technology for the short and long term storage, retrieval, management, distribution and presentation of medical images. In an average hospital such applications often generate several terabytes of data every month. A typical PACS workload presents several storage challenges that can be hard to meet with traditional on-premises storage, in terms of capacity planning and long term retention requirements. StorSimple makes the vast, inexpensive Azure storage an attractive solution for these use cases.

Data encryption and security

[Figure: StorSimple Azure security graphic]

In a typical StorSimple deployment, we configure the following security features:

  • At rest volume data encryption: This secures the data along the StorSimple data path to Azure. Before data leaves the on-premises device on the way to the Azure Storage Account, it’s secured with AES-256 encryption.
  • In transit volume data encryption: This secures the StorSimple data path to Azure as well. Volume data is SSL3 encrypted in transit between the StorSimple device and the Azure Storage Account.
  • Encryption of management data: Data transmitted between the administrator’s browser and the Azure management portal is encrypted in the browser itself, using JavaScript, with the public certificate (the public portion of the Channel Encryption Key, CEK). Management data transmitted from Azure to the device is decrypted with the private part of the CEK certificate, which only the device holds. The Channel Encryption Key (CEK) is an asymmetric key pair generated randomly when the first physical device is registered with the StorSimple Manager Service.
  • Storage Account access control: Access to the Azure Storage Account where data is encrypted at rest is protected by Storage Account access keys. One of the two access keys is required for access. Each is 512-bit by default.
  • Data obfuscation: Data is deduplicated at the block level in the device’s on-premises SAS tier. The deduplicated blocks are saved to the Azure Storage Account as block BLOBs. These addressable data objects can only be reassembled using metadata that’s stored only on the on-premises device and never stored in Azure. In other words, there is no storage-level context stored with the volume data blocks for accessing them based on volume, file system or file names. Furthermore, data objects in Azure Storage are distributed across many physical disks. For example, 16 million BLOBs are distributed across several disks for every 1 TB of data stored in Azure.
  • Azure portal access control and multi-factor authentication: Access to the Azure portal for device management and monitoring is controlled by user authentication and multi-factor authentication. Furthermore, Conditional Access Rules can be configured to ‘Block access when not at work’, effectively limiting device administration to within the on-premises network only.
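The first and fifth bullets above (encryption before data leaves the device, and block-level deduplication into context-free BLOBs whose reassembly metadata stays on-premises) describe a data path that is easy to reason about with a small model. The Go program below is an added example written for this page; it is not StorSimple’s or Microsoft’s code and makes several assumptions the text does not: a hypothetical 64-byte block size, AES-256 in GCM mode as the concrete AES-256 construction, SHA-256 over plaintext blocks as the on-premises dedup index, random 16-byte hex names for the blobs, and an in-memory map standing in for the Storage Account. The constructed sample volume repeats one block three times so the dedup hit is visible, and the restore path shows that someone holding only the Storage Account side has unordered ciphertext and no block map to reassemble it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// blockSize is a hypothetical size chosen for this model; real devices use far larger blocks.
const blockSize = 64

// storageAccount stands in for an Azure Storage Account (constructed, in-memory): opaque blob name -> nonce||ciphertext||tag, nothing else.
type storageAccount map[string][]byte

// onPremMetadata never leaves the device: the 32-byte AES-256 key, the ordered block map (volume position -> blob name) and the dedup index (plaintext hash -> blob name).
type onPremMetadata struct {
	key      []byte
	blockMap []string
	byHash   map[[32]byte]string
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	return b
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// tierToCloud splits the volume into blocks, skips blocks already uploaded (dedup), encrypts each new block with AES-256-GCM and stores it under a random name that carries no volume or file context.
func tierToCloud(volume []byte, meta *onPremMetadata, cloud storageAccount) error {
	aead, err := newAEAD(meta.key)
	if err != nil {
		return err
	}
	for off := 0; off < len(volume); off += blockSize {
		block := volume[off:min(off+blockSize, len(volume))]
		hash := sha256.Sum256(block)
		name, seen := meta.byHash[hash]
		if !seen {
			nonce := mustRandom(aead.NonceSize())
			name = hex.EncodeToString(mustRandom(16))
			cloud[name] = aead.Seal(nonce, nonce, block, nil) // blob = nonce || ciphertext || GCM tag
			meta.byHash[hash] = name
		}
		meta.blockMap = append(meta.blockMap, name) // hit or miss, the on-prem map records the position
	}
	return nil
}

// restoreFromCloud reassembles the volume; without the on-prem block map the blobs are unordered ciphertext, and with the wrong key GCM authentication fails instead of returning garbage.
func restoreFromCloud(meta *onPremMetadata, cloud storageAccount) ([]byte, error) {
	aead, err := newAEAD(meta.key)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	for _, name := range meta.blockMap {
		blob, ok := cloud[name]
		if !ok || len(blob) < aead.NonceSize() {
			return nil, fmt.Errorf("blob %s missing or truncated", name)
		}
		plain, err := aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
		if err != nil {
			return nil, err
		}
		out.Write(plain)
	}
	return out.Bytes(), nil
}

// sampleVolume is a constructed volume: one 64-byte "image slice" written three times plus a short unique trailer, so deduplication is visible (4 blocks, 2 unique blobs).
func sampleVolume() []byte {
	slice := bytes.Repeat([]byte("IMAGE-SLICE-0001"), 4)
	return bytes.Join([][]byte{slice, slice, slice, []byte("PATIENT-INDEX-UNIQUE-TRAILER")}, nil)
}

func main() {
	meta := &onPremMetadata{key: mustRandom(32), byHash: map[[32]byte]string{}}
	cloud, vol := storageAccount{}, sampleVolume()
	if err := tierToCloud(vol, meta, cloud); err != nil {
		panic(err)
	}
	restored, err := restoreFromCloud(meta, cloud)
	fmt.Printf("blocks=%d uniqueBlobs=%d roundTrip=%v err=%v\n", len(meta.blockMap), len(cloud), bytes.Equal(restored, vol), err)
}
```

The point of keeping the key and the block map in one on-premises structure is that the Storage Account access keys on their own grant access only to ciphertext blobs with meaningless names; the dedup index is keyed by a hash of plaintext, which is why it, too, must stay on the device rather than in Azure.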

Azure HIPAA compliance

Microsoft’s Azure HIPAA/HITECH Act Implementation Guidance lists Storage and StorSimple in the scope of Azure services under its HIPAA BAA (Business Associate Agreement). Microsoft includes execution of the HIPAA BAA as part of a customer’s volume licensing agreement. Microsoft Azure services are audited by independent external auditors under industry standards, including ISO 27001. The Microsoft Azure ISO 27001 audit scope includes controls that address HIPAA security practices as recommended by the U.S. Department of Health and Human Services. This link provides additional information on security, privacy, and compliance certifications.

For more information on taking advantage of inexpensive, secure, vast Azure Storage for healthcare systems, contact our Azure Consulting team.
