March 28, 2022

VECOZO adopts and implements the highly secure Azure platform for accelerated development



VECOZO is an IT service provider for the Dutch healthcare industry; its name is a contraction of the Dutch for “safe communication in healthcare.” A not-for-profit organization, VECOZO was founded in 2002 to help reduce the administrative burden on the healthcare sector in the Netherlands. The organization also aims to steadily reduce the cost of administrative processes, leaving more budget for patient care. When it was founded, VECOZO was one of the few providers of authentication services between the online portals of the country’s 10 health insurance companies and 55,000 healthcare providers. By centralizing this service, VECOZO reduced costs for all parties involved by eliminating redundant processes and IT systems.


Within a few years, VECOZO became the sole provider of authentication services for administrative healthcare processes in the Netherlands, and it then began expanding its services. Today, VECOZO offers 35 services in the healthcare sector, enabling healthcare providers to offer streamlined services to consumers. “VECOZO is the Dutch central hub for secure digital communication in healthcare,” says Igor van Haren, Lead Architect at VECOZO and ICT Architect at Info Support, VECOZO’s longtime strategic partner. “If our services were to go down, or if we were to suffer a data breach, then the connectivity between 10 insurers, 400 municipalities, and more than 55,000 health providers would suffer or even cease temporarily. That’s why we take security seriously.”

On average, VECOZO processes between 3 and 8 million transactions a day, and as it continues to make new services available, that demand will keep growing. In this kind of environment, the benefits of traditional datacenters quickly diminish. “We saw ourselves cobbling together services from multiple vendors, hoping to balance our load and better define our datacenter policies,” explains Van Haren. “That led us to an inefficient way of working that was also highly dependent on a handful of experts who specialized in a single aspect of our datacenter deployment.”

VECOZO was looking for a way to transition not only away from its traditional datacenters, but to a more holistic IT landscape. That was when conversations about moving full scale into Microsoft Azure began. The Microsoft account team first took the time to understand VECOZO’s ambitions and long-term goals. Based on this knowledge, the account team aligned closely with executive-level stakeholders and connected with key technology players. Additionally, buy-in from the larger community of cloud solution architects also played a vital role in establishing trust at VECOZO around adopting Azure and the account team’s focus on Azure DevOps.

A profound infrastructural shift

VECOZO initially researched the benefits of a hybrid solution and liaised with its existing service providers regarding the concept, but its benefits were outstripped by the cloud. “We made a few business cases,” recalls Van Haren. “Our existing service providers would have still had a role to play in a hybrid solution, but there wasn’t much they could add in a full-blown Azure implementation.” These initial business cases also surfaced the potential automation benefits of Azure. “Our Azure proof-of-concept experiments showed that there was a lot more automation available within Azure than we could ever build ourselves,” adds Van Haren. “We were struggling with the scripting of multiple technologies at the time, and the unified, automated Azure infrastructure really presented itself as the best way for us to improve efficiency moving forward.”

Next, VECOZO approached Microsoft with questions about its Azure infrastructure. Microsoft engaged with the organization on several aspects of the solution, and along with the help of several Microsoft cloud solution architects, helped build on the design’s core principles of Zero Trust, at-a-glance security, and platform as a service construction. “We left the idea of virtual machines and began looking into a real fabric as a service implementation,” says André Beerendonk, Team Manager for IT Operations at VECOZO. “Our IT team was made up of some great administrators, but we were asking them to also become proficient DevOps cloud engineers, so training was our initial focus.”

VECOZO initially focused on Azure DevOps, which provides version control, reporting, testing, automated builds, project management, requirements management, and release management capabilities to its users. The organization worked with Microsoft to organize training sessions and self-led courses in both operations and software development, and the Microsoft team was also aligned on all aspects to make sure that everything went as smoothly as possible. “With the Microsoft training content and our in-house training, our IT team members took part in a four-week training program,” says Beerendonk. “Even today, a year later, we’re in frequent communication with Microsoft regarding our learning focus. Staying abreast of the Azure road map is a steadily ongoing process.”

A new paradigm in security

Much of last year’s work, as VECOZO designed and deployed its Azure infrastructure, centered around security and compliance. “We started with a blank slate and built compliance and security from the ground up,” notes Van Haren. “We had to make sure everything was created in a way that keeps us compliant with the General Data Protection Regulation and our healthcare regulations, and we took security just as seriously.”

VECOZO’s security journey with Azure began with top-level analysis. “In our on-premises environment, each security layer was standalone, presented in several dashboards,” recalls Beerendonk. “In Azure, we wanted to focus not only on the available solutions, but also combining their functionalities into a single easy-to-deploy, easy-to-manage, highly secure environment.” The out-of-the-box security that Microsoft Defender for Cloud provided the organization was a good starting point. “In our on-premises days, it was almost impossible to have all the security data regarding our systems combined in a single dashboard,” says Beerendonk. “With Defender for Cloud, we not only have that information at a glance, but we can quickly see our overall security score and use the recommendations to identify and implement opportunities. It’s a fundamental improvement.”

New Azure services are released regularly, and existing services gain security features that benefit organizations like VECOZO; the platform’s security services and their configurations are updated continually rather than frozen at deployment time. For example, mutual (client certificate) authentication in Azure Application Gateway is currently in public preview. When it becomes generally available, VECOZO plans to apply it to its web services as well, which are fronted through Azure API Management. Authenticating the calling system by certificate at the gateway establishes who the caller is before the request goes any further, and because Azure Web Application Firewall policies are applied on the same gateway, unwanted traffic is blocked earlier in the request path than before.

Azure Firewall provides next-generation firewall capabilities for the Azure virtual networks that highly sensitive and regulated environments require. Azure Web Application Firewall applies managed rules based on the OWASP Core Rule Set to block common web attacks such as SQL injection and cross-site scripting, the categories catalogued in the OWASP Top 10. “Our Zero Trust approach to network security incorporates Azure Firewall, Web Application Firewall, API Management, SQL auditing, and Azure DDoS Protection Standard, in addition to database segmentation, service segmentation, and other authorization requirements for people who are using each of our services,” says Van Haren.

VECOZO uses Azure DDoS Protection for its public-facing interfaces, and it presents its web services to end users through Azure API Management. “We have a comprehensive policy of checking incoming web service messages—for example, certificate validation—which validates a system’s preregistered source IP address and the number of messages sent in a given time frame,” says Van Haren. Cloud engineers reach Azure resources through Azure Bastion, which brokers Remote Desktop Protocol and Secure Shell sessions over TLS from the Azure portal, so the target machines need no public IP addresses or exposed management ports. Privileged Identity Management, an Azure Active Directory service, works alongside Azure Bastion to grant administrative rights just in time and only at the level a task requires; each elevation must be approved by an internal DevOps cloud engineer before it takes effect.
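The three inbound checks Van Haren describes (client certificate validation, a preregistered source address, and a cap on messages per time window) map directly onto Azure API Management policy elements. The policy below is an illustrative example added here; it is not VECOZO’s configuration, and the addresses, thumbprint, and limits are constructed placeholder values.

```xml
<!-- Illustrative API Management inbound policy (added example, not VECOZO's own).
     Addresses, thumbprint, and limits are placeholder values. -->
<policies>
  <inbound>
    <base />
    <!-- 1. Only preregistered source addresses may reach this API at all. -->
    <ip-filter action="allow">
      <address>203.0.113.10</address>
      <address-range from="198.51.100.0" to="198.51.100.255" />
    </ip-filter>
    <!-- 2. The caller must present a client certificate that chains to a trusted
            CA, is inside its validity period, is not revoked, and matches a
            registered thumbprint. ignore-error="false" rejects the call with
            401 when any of these checks fails. -->
    <validate-client-certificate
        validate-revocation="true"
        validate-trust="true"
        validate-not-before="true"
        validate-not-after="true"
        ignore-error="false">
      <identities>
        <identity thumbprint="0123456789ABCDEF0123456789ABCDEF01234567" />
      </identities>
    </validate-client-certificate>
    <!-- 3. Cap the number of messages per calling system per minute, keyed on
            the certificate thumbprint (falling back to the source IP address
            if no certificate was presented). -->
    <rate-limit-by-key
        calls="600"
        renewal-period="60"
        counter-key="@(context.Request.Certificate?.Thumbprint ?? context.Request.IpAddress)" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Two caveats a practitioner will want to check before copying this pattern. `context.Request.Certificate` is only populated when the API Management gateway itself negotiates the client certificate during the TLS handshake, so the check has to live wherever the client’s TLS session actually terminates; if an Application Gateway sits in front and terminates TLS, the certificate (and, for `ip-filter`, the original source address in `context.Request.IpAddress`) is no longer what this policy sees, and the equivalent checks belong on the gateway instead.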

An expanded view of future possibilities

“There’s always security work to be done,” says Van Haren, “but with Azure, we’ve gained improved visibility, removed some of the most tedious work from our administrators’ agendas, and adopted a number of solutions that aid our Zero Trust security approach. Segmentation has always existed within our on-premises datacenters. At one time, every application and every functionality had its own network segment, meaning that more than 900 segments existed across the VECOZO infrastructural landscape.”

Today, segmentation at VECOZO is more identity-based, allowing only those with the correct credentials to access a given service or machine. Services, which have their own identity credentials, must authenticate for cross-service transactions. “Each database is owned by a unique microservice based on managed identities,” adds Van Haren. “Microsoft is responsible for keeping this identity store available, so we have a joint responsibility in this.”

VECOZO is still building new services that rely on the security of its infrastructure to be effective. One such service enables general practitioners to communicate efficiently with hospitals. Because this kind of communication is highly time sensitive, VECOZO must ensure that its services are always available. “If that service were to go down, doctors wouldn’t be able to get their patients’ data to the hospital,” says Beerendonk. “There are a lot of opportunities in Azure, and those who are ambitious and willing to think outside the box regarding cloud security can design and implement a secure Azure platform that’s capable of accelerating development. I encourage anyone who is looking to move away from on-premises infrastructure to get acquainted with the possibilities in Azure, because the breadth of potential is truly surprising.”
