Healthcare ISV strengthens its security posture on Azure and optimizes cost with better resource management

A leading healthcare technology company that is transforming revenue cycle management for modern payers and providers offers an end-to-end platform and intelligent network built on blockchain technology. The platform embraces patient, payer, and provider interactions to drive more efficient operations and smarter data-driven decisions. While the company has been transforming complicated, resource-intensive revenue cycle operations with its platform, CloudIQ helped it strengthen the platform's security posture and gain better control of its infrastructure.

Customer Challenges

Our customer, a leading healthcare ISV, had several apps deployed in Azure within a single resource group. This made it difficult to manage Azure resources and access to them, and the lack of access control heightened security concerns. While API requests went through the app gateway, web app requests from the public internet reached the app services without any firewall protection. The customer therefore wanted to improve its network topology, organize resources for enhanced security, and gain better control of the infrastructure.

Our Solution

We implemented a hub-and-spoke network topology in which a Palo Alto firewall is installed in the hub v-net, and the App Gateway, APIM, apps, and data resources are deployed in spoke v-nets. This architecture was applied across the non-prod, staging, and prod environments. By enabling private endpoints on PaaS resources, integrating App Services into v-nets, routing all traffic through the Palo Alto firewall, and allowing access to Azure resources only through GlobalProtect VPN, we effectively hardened the security posture of the applications in Azure.

Customer Benefits

The new architecture has enhanced the security posture, access control, and resource organization. It also brought significant cost savings, which came from sharing resources such as AKS, App Service Plans, Application Gateway, and the API Management service across apps, and from right-sizing the infrastructure. With private endpoints and v-net integration, communication between Azure PaaS services stays within the Azure backbone, which limits the traffic that flows to the internet.

  • Improved Resource Organization – The new architecture has better access management, allowing app-specific teams to create and access their own infrastructure while the ops team manages the provisioning of core and shared resources.
  • Optimized Cost – Sharing the app gateway and APIM across all environments; using one firewall for the dev/test environment and another for staging/prod; and right-sizing SKUs for App Service Plans and VMs for the AKS cluster.
  • Monitoring & Alerts – Proactive alerts were created from activities logged in the Log Analytics workspace for all Azure resources, and Palo Alto logs were pushed to Azure Sentinel for threat detection and faster incident response.

MS Products / Services used:

Azure, Azure App Service, Azure SQL, Azure Policies, Azure Log Analytics, Azure App Insights, Azure Sentinel, Azure App Gateway, Azure API Management

CloudIQ is a leading Cloud Consulting and Solutions firm that helps businesses solve today’s problems and plan the enterprise of tomorrow by integrating intelligent cloud solutions. We help you leverage the technologies that make your people more productive, your infrastructure more intelligent, and your business more profitable. 


3520 NE Harrison Drive, Issaquah, WA, 98029


Chennai One IT SEZ,

Module No:5-C, Phase ll, 2nd Floor, North Block, Pallavaram-Thoraipakkam 200 ft road, Thoraipakkam, Chennai – 600097

© 2023 CloudIQ Technologies. All rights reserved.
