Over the last few years, healthcare and medical research have become a global operation. Organisations have expanded their networks of hospitals, researchers and caregivers across the globe. While beneficial for advancing medical science at a more rapid pace, this global expansion has created issues surrounding privacy and secure access to data. Furthermore, governments worldwide have begun to enact data protection laws that limit access to certain types of data from outside their borders without proper anonymisation and controls.

All of these changes have stressed cybersecurity and network operations, leading to increased risk of breach and data theft and exposing patients to risks of which they are not necessarily aware. The traditional cybersecurity approach leads organisations to chase risks and apply point solutions continually. Over time, the environment becomes complex and costly to manage, with risks often under-protected and overlooked. The time has come for the healthcare industry to pivot from traditional cybersecurity approaches to Zero Trust, lowering cost and complexity and enabling the free and secure exchange of data amongst healthcare professionals and organisations.


Background

Traditionally, healthcare has been a relatively localised operation. Patients visit a facility, get care, and are released. However, the advent of large-scale health and research studies has driven the need for sharing data on a global scale. This data exchange has led to numerous breakthroughs in genomics, biologics and infectious disease tracking; take the COVID-19 pandemic, for example. Without this data exchange, research could take much longer than is currently possible. Additionally, the industry has become highly dependent on broad data sets and high-performance computing, which are not available in all geographic locations. As the industry continues to evolve, data sharing will accelerate the development of treatments for many diseases that we don’t have treatments for today. Thus, data sharing will become even more critical and may come under additional regulatory scrutiny.

Today, many healthcare organisations don’t share data because they don’t have the means to do so securely. Some organisations handle data exchange by ‘onboarding’ medical professionals to their networks, further putting both the organisation and the data at risk. The traditional perimeter-based security model provides only a false sense of security. Once organisations onboard member professionals with their own resources, in many cases, there is no control over where the data they have accessed goes. This creates further issues, as an organisation may not comply with many regulations that dictate the sovereignty of sensitive data.


Consider Zero Trust

To solve these problems, consider Zero Trust. Zero Trust, put simply, is least-privileged access to information based on context. It is a strategic architectural approach that combines multiple tools to provide centralised policy management across numerous enforcement points. It is not a single tool, a single-vendor solution, or a traditional perimeter approach. Zero Trust doesn’t need to be complicated to architect, deploy or manage, unlike when organisations layer many traditional security tools to attempt to address gaps in cybersecurity.

Zero Trust starts with a solid foundation of identity and context – the identity of devices, users, networks, non-user entities, data, applications, locations, policy, etc. When everything in the environment has an identity assigned to it, organisations can write policies to limit access between two or more identities, allowing for the development of comprehensive controls. For example, a user at one location may be granted access to data at a second location. However, because the user is utilising a non-managed asset, the data must be funnelled through a filter that anonymises the data and strips out sensitive data that could put the organisation or the owner of the data at risk. Complex policies such as this are not easily achievable with a traditional perimeter-based security approach.

When organisations enact Zero Trust policies such as these, they gain secure access to data when needed and visibility of who/what is accessing what, when, from where, and for how long. Through the many architectures and strategies we have developed, we have found that the complexity of the toolset, and thus the cost, is often significantly lower when leveraging Zero Trust as compared to a traditional perimeter-based model. Additionally, the overhead of managing the organisation's security policies is reduced, as now the security organisation is focused on policy management rather than countless enforcement tools across the network. It also allows the organisation to control access to data more effectively and limits its exposure to ransomware by limiting the lateral movement of users throughout the environment.


Looking Past Zero Trust Marketing

As stated before, Zero Trust is not a product or service provided by any one company. Instead, it is a strategic approach to security, leveraging all of the IT and security organisations’ skills together to secure data. In a true Zero Trust environment, application developers, networking, security, cloud, compute, end-user support, and the entire IT organisation work together under a common strategy and set of goals. Gone are the days of siloed groups, as that only complicates the discovery, protection and classification of resources and data within the company. Many vendors purport to have a ‘Zero Trust’ solution, but in many cases, they are just a small piece of the entire puzzle. Perhaps they provide identity management, remote access, data classification, or other functions. None of these is Zero Trust as a whole; they are necessary components of an end strategy and architecture customised for the organisation’s specific needs.


Building a Better Blueprint

To start, organisations need to throw out their preconceived notions of the traditional perimeter security model. Data is no longer ‘contained’ within perimeters; it’s everywhere. Data is on workstations, portable devices, medical devices, applications in data centres, the cloud, partner organisations, etc. It’s impossible to put a fence around all of these locations and expect to have comprehensive controls, let alone the ability to manage them properly. 


Additionally, data moves and often needs to be portable. Data may move from on-premise devices to a cloud, to another location, and then back on-premise. This, as stated before, leads to potential regulatory and data sovereignty issues, all of which complicate management under traditional perimeter models. When data is assigned a classification and resources are assigned identities, it simplifies the enforcement of and access to that data. Organisations can now think about enforcement capabilities distributed across the entire data plane rather than focusing on ring-fencing and creating perimeters. Under a comprehensive Zero Trust strategy, every point of access and every source of data now has the potential to enforce the policy.


Assembling the Zero Trust Blueprint

Before the implementation of Zero Trust can be successful, organisations must understand all the inputs. Complete these mapping exercises before completing any tooling or application evaluations. Output from these exercises will be used to create the identities in the Identity and Access Management (IAM) platform, as well as drive the initial set of policy definitions and enforcement through the Policy Engine (PE). 

Starting with data classification and data sources is key. The organisation must clearly define all the potential sources of data, whether they are internal or external, the sensitivity of the data, and how that data may be accessed. Once the data classification is complete, the next step is to understand if there are any specific sovereignty or privacy regulations that apply to the data. Next, it is critical to understand the user personas (people accounts) and service personas (non-people accounts). Define roles such as physicians, researchers, staff, leadership, IT, etc., along with applications, servers, workloads, containers, etc. Without these key pieces of information, an organisation cannot clearly define the policies, and they may be too permissive.

After completing the data sources and classification exercises, complete another mapping exercise to understand the data relationships between the personas (both human and non-human) and the data. This will likely be a complex exercise; the more inputs defined, the more relationships to map out. In a recent exercise completed for a Fortune 100 company, there were over 4,000 relationships that were defined at first. Through a series of follow-on exercises, we grouped many of these relationships together, and the organisation, in the end, established that there were fewer than 100 actual relationships that needed policies applied to them. The ultimate lesson: you don’t know what is ultimately important to the organisation from a business perspective until you establish all the ground rules and players.

Next, the organisation should start establishing how, where and when data can and should be accessed. Understanding the methods of access (on-premises, remote, or by third parties), what is accessing the data (such as managed or unmanaged devices), and where the data resides is critical in developing the policy sets that establish least-privileged access.

A further consideration in establishing policies may be needed when considering the type of data that needs to be accessed. In some cases, data must be anonymised, and the policies that permit access to that data either need to verify it has been anonymised, assume it is (a predetermined risk assumption) or actually anonymise the data ‘on the fly’ while it is being accessed. The latter option requires additional tooling in the environment to accomplish this effectively.
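
The policy described under "Consider Zero Trust" (a mapped persona on an unmanaged device receives anonymised data) and the 'on the fly' option above can be sketched as a small policy decision function. This is an added example, not code from the article or from any product; the persona names, classifications, regions, field list and function names are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str
    classification: str     # constructed labels: "public", "internal", "patient"
    region: str             # where the data resides
    sovereignty_rule: bool  # True if access from another region must be anonymised

@dataclass(frozen=True)
class Request:
    persona: str            # user or service persona from the mapping exercise
    device_managed: bool
    region: str             # where the request originates

# Constructed persona-to-classification relationships (the mapping exercise output).
RELATIONSHIPS = {("physician", "patient"), ("researcher", "patient"),
                 ("researcher", "internal"), ("staff", "internal")}
# Constructed field list; stripping fields is a simplification of real de-identification.
SENSITIVE_FIELDS = {"name", "date_of_birth", "address"}

def decide(req, res):
    """Return (decision, reason). Anything not explicitly mapped is denied."""
    if res.classification == "public":
        return "allow", "public data"
    if (req.persona, res.classification) not in RELATIONSHIPS:
        return "deny", "no mapped relationship"
    if res.classification == "patient":
        if not req.device_managed:
            return "allow_anonymised", "unmanaged device"
        if res.sovereignty_rule and req.region != res.region:
            return "allow_anonymised", "cross-region access"
    return "allow", "mapped relationship"

def access(req, res, record, audit_log):
    """Enforce the decision on one record and log it, whether allowed or denied."""
    decision, reason = decide(req, res)
    audit_log.append({"persona": req.persona, "resource": res.name,
                      "decision": decision, "reason": reason})
    if decision == "deny":
        return None
    if decision == "allow_anonymised":
        return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
    return dict(record)

def denied_attempts(audit_log):
    """Denied requests, the policy violations an analyst would review first."""
    return [e for e in audit_log if e["decision"] == "deny"]
```

Because every decision is appended to the log with its reason, the same record serves both as the audit trail of data access and as the source of policy-violation alerts.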


Regulatory Compliance & Breach Prevention

One of the key goals for developing a Zero Trust strategy and architecture is to ensure compliance with key regulations and the ability to show an audit trail of data access. By leveraging Zero Trust, compliance is ‘baked in’ from the start and is quite simple to validate. Many of our clients, especially in the healthcare and financial services markets, discover that the annual audit requirements for some regulations become quite simple to satisfy, as they can simply run reports against policies to demonstrate that certain personas did not access certain types of data. This is a far simpler approach than the traditional firewall rule and log audits of the past. Additionally, as regulations change, organisations can adapt the policies to meet the new requirements. Since the policies drive enforcement automatically across the entire environment, there is no need to go back and refresh hundreds or even thousands of firewall and endpoint device rules. 

The organisation gains visibility into who is accessing what from a compliance point of view. They also gain visibility into who attempts to access certain resources – authorised or not. This key capability helps the organisation detect compromised resources and accounts, as they will quickly filter to the top of the alerts for policy violations. In a traditional security implementation, this critical piece of information is oftentimes lacking or buried under mounds of logs.


Getting Started

As mentioned, building the strategy requires a lot of input. You should ‘throw out’ any preconceived ideas about how a ‘secure ecosystem’ is built before completing all of the discovery exercises. Don’t put the cart before the horse, and certainly don’t try to haul ten tonnes with one donkey. The tooling and policies must be appropriately sized and selected for the desired outcome, and that requires starting with an in-depth understanding of the environment. You can’t embark on this journey alone either; key stakeholders across all areas of the business, including the users, application developers, IT, security, and potentially more, must be on board with the strategy from the start. If you don’t establish complete alignment from the outset, there may be significant challenges ahead for the development of the architecture and, ultimately, the implementation and support of the tooling. Communication across the entire organisation is key.

Once you have laid the groundwork for a comprehensive strategy, you can make tooling decisions. However, governance is often an overlooked aspect of any well-executed security strategy. The organisation must consider the ‘care and feeding’ of the initial strategy and perform regular reviews as the business, capabilities, and data evolve. Without this critical feedback loop, the strategy will quickly become stale, and the capabilities needed to support the organisation will become inadequate at best. It’s important to remember that any security strategy should be a living, breathing thing that requires constant re-evaluation.

ISTARI is well-positioned to help organisations develop and execute a comprehensive Zero Trust strategy. Our portfolio of companies can help address numerous critical elements of Zero Trust, including remote access, data and device discovery, heuristics and even the management of a finished environment. Our team has delivered countless strategies and architectures for Fortune 50+ clients across numerous industries. We know what works, what doesn’t, and where the pitfalls are. We are here to help.