You can’t just trust a user; you have to assume some of those users are malicious or that their devices are infected with malware, for example. If we look at zero trust and the data protection angle of it, by trying to eliminate that implicit trust (constantly validating the user identity and that their device’s posture is sound before it connects, and making sure the user and device should have access to that application or that set of data) we dramatically reduce risk.
If we put those zero-trust best practices in place, we are going to protect that sensitive data a lot better than using the previous approach, in which if someone authenticated, they had access to everything and we implicitly trusted that they’re safe and their device is safe.
HEALTHTECH: How does zero trust affect users?
KASPIAN: From an IT security standpoint, we’re thinking of users in two ways. One is that we want to make sure that those users are secure on the network. We want to eliminate that implicit trust where we would say, “OK, we know Paul is Paul, and now Paul can do whatever he wants on the network.” So that’s where zero trust is key. Now, the other side of the coin that’s also important is the user experience. It’s not just about the security but creating a user experience where the zero-trust controls are transparent to the user. That’s something we’re able to accomplish with zero-trust network access.
From a user standpoint, they really don’t see anything different in terms of the resources and applications they can access. However, in the background, we’re applying security rigor to those users and resources on the network to make sure we’re protecting them from a malicious user or a compromised workstation or mobile device.
Within zero trust, you need to make sure you’re protecting your data and infrastructure from the user or a compromised device, but you also want to make sure that users have a good experience. They need to have the tools to do their jobs without security impeding that experience.
HEALTHTECH: How does zero trust affect applications and infrastructure?
KASPIAN: Getting back to the digital transformation angle around applications, we’ve gone all-in on cloud. I’ve talked to a lot of customers, and many have told me they have a goal of eliminating all on-prem applications. They want to be 100 percent cloud. That’s a big change from the way that we did things years ago, and that’s why zero trust is an approach that can be applied to different domains within security.
You can imagine how critical it is to apply controls to applications as well in the sense that a lot of healthcare organizations are making that migration quickly. They’re accelerating that migration from on-prem to the cloud. So, putting those security controls in place is important, especially because many of those applications are not only new, but they’re also changing constantly. There’s a much more agile type of development happening with those cloud applications. When that’s happening, security becomes really important.
On the infrastructure side, the Internet of Things is growing tremendously. If you look at the number of connected devices, they’re in the tens of billions of devices, and each one of those devices represents an opportunity for an attacker to get a foothold into an organization. One hacker exploited a vulnerability in a fish tank thermometer and used that vulnerability to move laterally and exfiltrate gigabytes of data out of an organization.
We’re seeing that more and more with these devices. They’re very vulnerable, and they give attackers a way to get into the network, move laterally and look for sensitive data. Zero trust is the way that you break the attack chain for a lot of those types of attacks. You prevent that lateral movement. You prevent someone from exploiting a stolen password or vulnerability beyond that device. Those are some good examples of why zero trust has become more critical and why it goes beyond just users as an example.
HEALTHTECH: How do AI and machine learning fit into zero trust?
KASPIAN: Even if you put zero-trust controls in place, you might be asking yourself, what is the role of the security operations center? That’s one area where it’s been critical in the sense that the SOC is an audit point for zero-trust controls. You can put strong authentication in place. You can put different least-access control policies in place. You can monitor all the different traffic. You can put a lot of great security controls in place, but you want to be able to go back and make sure that those trust decisions were the right ones. And you want to be able to find things that still may have slipped through your particular security posture around zero trust.
The SOC is critical to a comprehensive zero-trust strategy. Using tools like AI is becoming much more prevalent in the SOC to find different types of events and do correlation and behavioral analytics to detect those advanced threats that may have found a way to slip through some of your security controls. That’s the role of the SOC, and it’s becoming much more automated and using machine learning and AI more extensively now.
HEALTHTECH: What are some best practices that organizations should follow as they implement zero trust?
KASPIAN: You want to take a top-down approach. I’d really encourage you to work with a trusted third party that can give you feedback on what your plan looks like. Really look at zero trust more holistically across not just the users, but across your applications in your cloud infrastructure, across your supply chain, across your unmanaged infrastructure like IoT, and really try to put those different types of best practices and control points in place. Organizations like NIST do a great job of getting specifications and reference architectures for how to implement that.
That’s the advice I would give. Engage a third party and get some help on how to put together a more strategic approach. In many cases, you can use the tools and technologies you’ve already purchased. It isn’t necessarily about procuring a new tool or technology. Then as you follow that strategic plan, you can begin to integrate some of your existing technology with newer technologies or tools to continue that journey.
A lot of times organizations aren’t using what they already have as effectively as they could be. Some of it is just figuring that out and implementing best practices to work with those tools and technologies. It makes a big difference.