New Readers

 Home News and World Report Buyers Guide Global Excellence Technology Case Studies Editorial Awards About Info Security
What companies can do to ensure success from a security and privacy perspective with cloud-based initiatives

McKesson Corporation, currently ranked 15th on the FORTUNE 500, is a healthcare services and information technology company dedicated to making the business of healthcare run better. We partner with payers, hospitals, physician offices, pharmacies, pharmaceutical companies and others across the spectrum of care to build healthier organizations that deliver better care to patients in every setting. McKesson helps its customers improve their financial, operational, and clinical performance with solutions that include pharmaceutical and medical-surgical supply management, healthcare information technology, and business and clinical services. For more information, visit

In the following interview, Ben Halpert, Director, IT Risk Management & Compliance of McKesson Corporation, discusses 1:1 with Info Security PG, Editor-in-Chief of Info Security Products Guide, what companies can do to ensure success from a security and privacy perspective with cloud-based initiatives.

Info Security PG, Editor-in-Chief: How is cloud-based enterprise security different from the classic solutions offered by many existing vendors?

Ben Halpert: PR firms and marketing departments at enterprise-focused security firms are heavily touting the Cloud enablement of their technologies. On one end of the spectrum we see some security solutions that are nothing more than repackaged technology with “Cloud” in the product descriptions. At the other end of the spectrum, a select set of enterprise-focused security firms have developed, or are developing, solutions based on the unique security and privacy challenges Cloud computing poses. The majority of solutions, however, fall somewhere in the middle. The crowded middle of the solution spectrum is where challenges arise when evaluating security solutions to address the risk management of Cloud environments.

Ensuring your staff is up to speed on the latest security technology advancements in the Cloud computing space will help your organization evaluate the most appropriate options. A recent study by the Ponemon Institute found that of the 682 IT and IT security professionals surveyed in organizations that leverage Cloud computing services, respondents rate their organizations' overall management of cloud server security as fair (27%) and poor (25%); 21% responded "no comment". How would your security staff rate their knowledge on securely managing Cloud-based resources under their purview?

Info Security PG: What can companies do to ensure success from a security and privacy perspective with cloud-based initiatives?

Ben Halpert: Cloud-based initiatives are more complex from a security and privacy perspective than legacy IT implementations for a myriad of reasons. In public Cloud models, most organizations are at the mercy of the cloud service provider they employ with regard to specific controls that are used in the public Cloud provider’s environment. Your staff needs to be able to understand the specifics of public Cloud implementations to ensure your organizational security and privacy requirements can be met. One public example, (pun intended) was the decision of the Los Angeles Police Department and the Los Angeles Attorney’s Office not to migrate with the rest of the City of Los Angeles departments to the Google hosted email based on security concerns with the Google service.

I published Auditing Cloud Computing: A Security and Privacy Guide so that IT,security, privacy, audit, and compliance professionals, from novice to expert, could be better equipped to guide their organizations on the journey into the Cloud.

Info Security PG: What role do compliance and audit organizations play with regard to Cloud adoption?

Ben Halpert: When evaluating Cloud service models including public, private, hybrid and community Clouds, it is necessary to engage the audit and compliance functions within your organization. From an IT operations perspective, you may be leaning towards a public Cloud model based on efficiencies gained which favorably impact your organizations bottom line. However, once you understand the required risk mitigation controls needed to comply with industry standards and legislation (PCI, HIPAA, GLBA) state and national legislation (breach notification, SOX), organizational sensitive information and customer requirements (SSAE 16 SOC 1, ISO 27001), it may turn out that a hybrid or private Cloud model is most prudent based on your organizations risk appetite. Once you have selected the most appropriate Cloud service model, having your internal audit and compliance functions as integral team members for evaluating on-going compliance will help your organization deliver on customer commitments, no matter the industry.

Company: McKesson Corporation
One Post Street,
San Francisco, CA 94104 U.S.A.

Founded in: 1833
CEO: John Hammergren
Public or Private: Public
Products: McKesson is made up of many businesses, all serving the health care industry. Our businesses fall into one of two primary categories: Distribution solutions and Technology solutions.
Company's Goals: McKesson is dedicated to delivering the vital medicines, medical supplies and information technologies that enable the health care industry to provide patients better, safer care.

Bookmark and Share