Focusing on Health Technology Innovation
With Continuous Security on AWS Workloads
CHESS Health is a growing, B2B startup that develops evidence-based mobile apps for healthcare. Its main product, A-CHESS, is a mobile app that provides support and relapse prevention to patients in addiction recovery.
CHESS Health markets to insurance providers as well as healthcare providers, including hospitals and clinics. The company is headquartered in Rochester, New York, and more than half of its workforce is devoted to software development.
When CHESS Health opened shop, the company made the strategic decision to run its infrastructure and applications in the cloud, rather than invest tens of thousands of dollars into an on-premises data center. The scalability and cost-effectiveness of Amazon Web Services (AWS) were a perfect fit for the lean startup.
As a vendor in the healthcare space, CHESS must comply with regulations such as HIPAA (Health Insurance Portability and Accountability Act of 1996). Many of the company’s clients also require HITRUST (Health Information Trust Alliance) certification. This has placed a high emphasis on cloud security for the CHESS development team as well as the entire company.
“We’ve changed the way we do development to incorporate security best practices, and we audit our code for security. We’re getting the entire organization involved in security,” explains CHESS Health Director of Infrastructure and Information Security Ian Beatty.
Even with AWS’s built-in cloud security tools, CHESS lacked the capabilities to meet all the requirements of the prospective clients it wanted to target. These included large national and international agencies and insurance companies with extensive security criteria. These companies had the responsibility to answer to security-audit vendors that required detailed answers to long lists of security compliance questions — a need CHESS Health was unable to show it could address.
“We had to adopt an enterprise-scale security model, yet we are a very small startup with limited resources,” Beatty says. “We had to prove that we were doing those things that we had the policies for.”
Monitoring the AWS security logs was another challenge for Beatty, who wears multiple hats and, at the time, didn’t have a full-fledged security team to back him up. Beatty considered adopting an open-source solution but determined the startup didn’t have the time and resources to devote to implementation, which rendered the approach unfeasible.
CHESS Health needed a partner with the capabilities to:
- Provide real-time, 24/7 network security monitoring and actionable threat analysis and intelligence
- Deliver a cost-effective, easy-to-implement solution that could scale with growth and as needs changed
- Provide access to resources and expertise as part of the security offering
- Ensure its products complied with rigorous healthcare industry regulations
Why Alert Logic?
“During our search for a security partner, CHESS Health initially considered evaluating five potential providers in the AWS Marketplace including Alert Logic, Fortinet and F5. Alert Logic made that shortlist, thanks to recommendations from a peer IT practitioner who benefitted from a positive experience using Alert Logic® Cloud Defender®,” cited Beatty.
The company evaluated the offerings of the top three potential vendors for two months to see how they performed in the stack environment. Consideration was also given to ease-of-deployment and effectiveness of vulnerability scans. “Those evaluation steps really helped us pick out which product we liked best and Alert Logic proved itself as an integrated cloud security suite of managed infrastructure and workload security as well as compliance controls,” Beatty says.
In addition to being cost-effective and satisfying CHESS Health’s customers’ requirements, Alert Logic Cloud Defender stood out above its competitors in two core areas:
- Unlike competing solutions, Alert Logic Cloud Defender was the only cloud-native solution that gave Beatty the confidence it would integrate best with AWS and not break the CHESS application stack.
- Alert Logic was the only vendor that didn’t limit its offering to just the sale of a virtual appliance. The benefit of getting a complete solution that included 24/7 expertise from trained experts was a prime factor in choosing Alert Logic.
Prior to engaging Alert Logic, Beatty determined that even doubling the company’s investment in security talent wouldn’t have enabled CHESS to implement a robust cyber security solution that had the capabilities to meet the company’s requirements. Alert Logic Cloud Defender was a much more cost-effective alternative. Today, the Alert Logic offering allows the startup to concentrate on acquiring and serving clients and developing its SaaS products. CHESS can maintain its focus on its core business and innovation without worrying about the security of the AWS workloads.
“We want to be secure, but we also want to focus on developing our product,” Beatty says. “Alert Logic frees up company resources, so we don’t have to dedicate people to security.” Beatty says that every component of the Cloud Defender suite — log management, IDS software and the web application firewall — has been invaluable. “Having a tool that can sift through the logs and determine which of the traffic is malicious is a very important feature,” he says.
CHESS Health immediately knew the solution worked when an internal change made to the server setup triggered a server outage alert, and CHESS received a call from Alert Logic at 10 p.m. “It wasn’t an issue — it was just caused by something we were doing — but it was nice to know that Alert Logic was watching,” Beatty says. “It was validation that the solution works.”
Beatty’s advice to other startups is to always plan with the future in mind when choosing a product or solution. “Knowing how you think the business will scale is important because you don’t want to choose solutions that are quick and easy now, but you’ll be redoing in nine months when you double your customers,” he says. “And make sure you evaluate it.”