Q&A: Palo Alto Security Expert Paul Kaspian on Why Healthcare Needs Zero Trust

HEALTHTECH: Why has this approach become such an important factor in cybersecurity?

KASPIAN: Remote work was part of it, but we’ve also seen much more sophisticated attacks. Ransomware has become very big over the past couple of months. Attackers are much more sophisticated, and we see that urgency reflected in things such as the executive order back in May, where the federal government and its vendors were instructed to take a zero-trust approach.

Unfortunately, in the security industry, every time there’s a new type of security risk or attack, we tend to go find a new tool or technology to try to deal with that. That’s put us in a situation where we have this disparate set of technologies and tools that may or may not integrate.

Zero trust can also be looked at as a strategic approach that takes a more of a holistic view of security in general. It tries to eliminate much of the complexity that we’ve built up over the years. This is the right time for healthcare organizations to consider a zero-trust architecture. They don’t have to do it all at once. They can start in steps and increase their security protections over time, but this is an opportunity to rebuild security as we start changing the way that we build our infrastructures and migrate to the cloud, etc.

EXPLORE: How hospitals can establish a zero trust security model.

HEALTHTECH: How has digital transformation affected the need for zero trust?

KASPIAN: If you look back over the past several years, organizations have changed a lot of things. We’ve been experiencing network transformations such as SD-WAN; data center transformation, with a lot of applications moving from on-premises to the cloud; and finally SecOps transformation in the sense that many security operations centers are working on modernizing their approaches and automating tasks within security.

As these transformations occur, they not only have forced healthcare organizations to look at the way they’re approaching security, but they’ve also presented this wonderful opportunity to rebuild some of these pieces that previously were not as scalable and were more difficult to manage.

The way I see digital transformation fitting into zero trust is by creating an opportunity for healthcare organizations to retool their approaches to security as they’re rebuilding these various facets across their networks, data centers and security operations.

Click the banner below for CDW resources to dig deeper into security and incident response planning.

HEALTHTECH: What are some of the steps that healthcare organizations need to get started with zero trust?

KASPIAN: We see three main areas in the zero-trust journey: users, applications and infrastructure. Users is where a lot of organizations start. That involves simple things such as making sure you have good visibility into who’s connecting to the network or who’s accessing applications and resources on the network. Make sure you have insight into the devices that those users are using and that you deploy zero-trust best practices, such as multifactor authentication and least-privilege access, so that users only have access to the resources they need to do their jobs.

Many healthcare organizations start in this user pillar because identity is one of the first steps. Once you have identity, you can build out the security policies that relate to those different types of users. This is the way we see the zero-trust journey for customers.

DISCOVER: Why healthcare organizations should consider zero trust.

HEALTHTECH: How can a zero-trust architecture protect data as healthcare organizations explore new ways of working?

KASPIAN: When we think about data in the context of zero trust, it’s honestly the thing that we’re trying to protect the most. One of the first steps to begin a zero-trust journey is figuring out what’s in your environment. Where is your data? Where’s your sensitive data? What types of applications are talking to that data, or what kinds of users are accessing those applications? Once you know what’s in your environment, you can start putting in some of those zero-trust best practices and controls to eliminate that implicit trust we talked about.

You can’t just trust a user; you have to assume some of those users are malicious or that their devices are infected with malware, for example. If we look at zero trust and the data protection angle of it, by trying to eliminate that implicit trust —constantly validating the user identity and that their device’s posture is sound before it connects, and making sure the user and device should have access to that application or that set of data — we dramatically reduce risk.

If we put those zero-trust best practices in place, we are going to protect that sensitive data a lot better than using the previous approach, in which if someone authenticated, they had access to everything and we implicitly trusted that they’re safe and their device is safe.

HEALTHTECH: How does zero trust affect users?

KASPIAN: From an IT security standpoint, we’re thinking of users in two ways. One is that we want to make sure that those users are secure on the network. We want to eliminate that implicit trust where we would say, “OK, we know Paul is Paul, and now Paul can do whatever he wants on the network.” So that’s where zero trust is key. Now, the other side of the coin that’s also important is the user experience. It’s not just about the security but creating a user experience where the zero-trust controls are transparent to the user. That’s something we’re able to accomplish with zero-trust network access.

From a user standpoint, they really don’t see anything different in terms of the resources and applications they can access. However, in the background, we’re applying security rigor to those users and resources on the network to make sure we’re protecting them from a malicious user or a compromised workstation or mobile device.

Within zero trust, you need to make sure you’re protecting your data and infrastructure from the user or a compromised device, but you also want to make sure that users have a good experience. They need to have the tools to do their jobs without security impeding that experience.

HEALTHTECH: How does zero trust affect applications and infrastructure?

KASPIAN: Getting back to the digital transformation angle around applications, we’ve gone all-in on cloud. I’ve talked to a lot of customers, and many have told me they have a goal of eliminating all on-prem applications. They want to be 100 percent cloud. That’s a big change from the way that we did things years ago, and that’s why zero trust is an approach that can be applied to different domains within security.

You can imagine how critical it is to apply controls to applications as well in the sense that a lot of healthcare organizations are making that migration quickly. They’re accelerating that migration from on-prem to the cloud. So, putting those security controls in place is important, especially because many of those applications are not only new, but they’re also changing constantly. There’s a much more agile type of development happening with those cloud applications. When that’s happening, security becomes really important.

On the infrastructure side, the Internet of Things is growing tremendously. If you look at the number of connected devices, they’re in the tens of billions of devices, and each one of those devices represents an opportunity for an attacker to get a foothold into an organization. One hacker exploited a vulnerability in a fish tank thermometer and used that vulnerability to move laterally and exfiltrate gigabytes of data out of an organization.

We’re seeing that more and more with these devices. They’re very vulnerable, and they give attackers a way to get into the network, move laterally and look for sensitive data. Zero trust is the way that you break the attack chain for a lot of those types of attacks. You prevent that lateral movement. You prevent someone from exploiting a stolen password or vulnerability beyond that device. Those are some good examples of why zero trust has become more critical and why it goes beyond just users as an example.

LEARN MORE: Discover best practices for zero-trust implementation in healthcare.

HEALTHTECH: How do AI and machine learning fit into zero trust?

KASPIAN: Even if you put zero-trust controls in place, you might be asking yourself, what is the role of the security operations center? That’s one area where it’s been critical in the sense that the SOC is an audit point for zero-trust controls. You can put strong authentication in place. You can put different least-access control policies. You can monitor all the different traffic. You can put a lot of great security controls, but you want to be able to go back and make sure that those trust decisions were the right ones. And you want to be able to find things that still may have slipped through your particular security posture around zero trust.

The SOC is critical to a comprehensive zero-trust strategy. Using tools like AI is becoming much more prevalent in the SOC to find different types of events and do correlation and behavioral analytics to detect those advanced threats that may have found a way to slip through some of your security controls. That’s the role of the SOC, and it’s becoming much more automated and using machine learning and AI more extensively now.

HEALTHTECH: What are some best practices that organizations should follow as they implement zero trust?

KASPIAN: You want to take a top-down approach. I’d really encourage you to work with a trusted third party that can give you feedback on what your plan looks like. Really look at zero trust more holistically across not just the users, but across your applications in your cloud infrastructure, across your supply chain, across your unmanaged infrastructure like IoT, and really try to put those different types of best practices and control points in place. Organizations like NIST do a great job of getting specifications and reference architectures for how to implement that.

That’s the advice I would give. Engage a third party and get some help on how to put together a more strategic approach. In many cases, you can use the tools and technologies you’ve already purchased. It isn’t necessarily about procuring a new tool or technology. Then as you follow that strategic plan, you can begin to integrate some of your existing technology with newer technologies or tools to continue that journey.

A lot of times organizations aren’t using what they already have as effectively as they could be. Some of it is just figuring that out and implementing best practices to work with those tools and technologies. It makes a big difference.