What Is a Zero-Trust Identity Strategy?
Identity is the foundation of a zero-trust framework rather than just a step in its implementation. A healthcare organization’s zero-trust environment cannot exist without accounting for every discrete characteristic of identity, and identity should be embedded in every aspect of the zero-trust infrastructure. Zero-trust identity cannot be achieved through a point solution, however; realizing a zero-trust strategy requires people, processes and technology.
Zero-trust identity begins with governance, frameworks and workflows. Identity registrations, authentication mechanisms, access policies, analytics, and automation and orchestration engines should all be correlated and coded to execute under a single policy governance structure. In a private ecosystem, every entity is vetted by an integrated policy-as-code engine to ensure that it is known by the network.
The goal of a zero-trust identity strategy is to confirm each person’s identity when they attempt to access a healthcare organization’s resources. When a sign-on attempt is made, the environment references a vetted identity store to verify the digital entity’s identity and whether it currently holds privileges to access the specific resource. That applies whether the resource is a device, service, application or data.
How to Implement a Zero-Trust Identity Strategy
A successful plan involves an interdepartmental governance framework. The absence of a holistic, identity-centric framework may increase the attack surface and leave an organization with a false sense of security.
A typical engagement within a zero-trust identity strategy is broken down into three major evaluation components:
- Component Relationship: This includes the hardware and its interoperability. Interoperability is essential to achieve end-to-end monitoring and policy execution. All security solutions should be able to communicate with one another to ensure the entire network is secure.
- Workflow Planning: This includes business processes, data mapping and the categorization of workflows.
- Access Policies: These policies should be considered from a component perspective as well as holistically.
It’s common to begin with discovery of network components, services, data flows and core business applications to build the nucleus of a zero-trust architecture. This is followed by an assessment of existing network policies and controls such as firewalls, intrusion detection and prevention systems, virtual LAN configurations and data loss prevention systems present in the ecosystem. The deployment phase then builds on this reference architecture, followed by the main policy engine.
The policies that each component executes individually are correlated and funneled up to a main policy that coordinates every event end to end. Once in operation, the environment and policy rules are monitored continuously for effectiveness.
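The two ideas above (a vetted identity store that is consulted on every sign-on attempt to check current privileges for a specific resource, and component policies that are correlated under a single main policy) are easier to see in code than in prose. The following is an added illustrative example, not code from the article or from any product: a minimal policy-as-code engine in Python. The identity store, the resource catalogue, the subject names and the component policies are all constructed for the example; a real deployment would back them with a directory, an entitlement system and device-posture telemetry.

```python
"""Minimal policy-as-code engine (added illustrative example, not vendor code).

Every access request is checked against a vetted identity store and a set of
component policies. The main engine allows only when no component objects and
records every decision, with all denial reasons, for continuous monitoring.
"""
from dataclasses import dataclass, field

# Constructed data: the single vetted identity store the engine consults.
IDENTITY_STORE = {
    "dr.lee":      {"active": True,  "entitlements": {"ehr:read", "ehr:write"}},
    "j.contract":  {"active": False, "entitlements": {"claims:read"}},
    "imaging-svc": {"active": True,  "entitlements": {"pacs:read"}},
}

# Constructed resource catalogue: the entitlement each action requires plus
# the minimum authentication strength and device posture for the resource.
RESOURCES = {
    "ehr":  {"entitlements": {"read": "ehr:read", "write": "ehr:write"},
             "min_auth": "mfa", "managed_only": True},
    "pacs": {"entitlements": {"read": "pacs:read"},
             "min_auth": "password", "managed_only": False},
}

AUTH_RANK = {"password": 1, "mfa": 2}  # higher rank = stronger authentication


@dataclass(frozen=True)
class AccessRequest:
    subject: str          # digital entity: person, device or service
    resource: str         # device, service, application or data
    action: str
    auth_strength: str    # how the subject authenticated for this attempt
    device_managed: bool  # device posture reported by the endpoint component


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # every objection raised


# Component policies: each returns None (no objection) or a denial reason.
def identity_policy(req):
    entry = IDENTITY_STORE.get(req.subject)
    if entry is None:
        return "subject not present in identity store"
    if not entry["active"]:
        return "subject is not active"
    return None


def entitlement_policy(req):
    res = RESOURCES.get(req.resource)
    if res is None:
        return "resource not registered"
    needed = res["entitlements"].get(req.action)
    if needed is None:
        return f"action {req.action!r} not defined for {req.resource!r}"
    entry = IDENTITY_STORE.get(req.subject, {})
    if needed not in entry.get("entitlements", set()):
        return f"subject lacks entitlement {needed!r}"
    return None


def authentication_policy(req):
    res = RESOURCES.get(req.resource)
    if res is None:
        return None  # unknown resource is already reported by entitlement_policy
    if AUTH_RANK.get(req.auth_strength, 0) < AUTH_RANK[res["min_auth"]]:
        return f"authentication {req.auth_strength!r} weaker than required {res['min_auth']!r}"
    return None


def device_policy(req):
    res = RESOURCES.get(req.resource)
    if res is not None and res["managed_only"] and not req.device_managed:
        return "resource requires a managed device"
    return None


COMPONENT_POLICIES = (identity_policy, entitlement_policy,
                      authentication_policy, device_policy)
AUDIT_LOG = []  # every request and its decision, for continuous monitoring


def evaluate(req):
    """Main policy engine: correlate all component policies under one decision.

    The default is deny. All objections are collected rather than stopping at
    the first, so monitoring sees the complete picture for each event.
    """
    reasons = [r for r in (p(req) for p in COMPONENT_POLICIES) if r is not None]
    decision = Decision(allowed=not reasons, reasons=reasons)
    AUDIT_LOG.append((req, decision))
    return decision


if __name__ == "__main__":
    for req in (AccessRequest("dr.lee", "ehr", "write", "mfa", True),
                AccessRequest("dr.lee", "ehr", "write", "password", True),
                AccessRequest("j.contract", "claims", "read", "mfa", True)):
        d = evaluate(req)
        print(f"{req.subject} -> {req.resource}:{req.action}: "
              f"{'ALLOW' if d.allowed else 'DENY ' + str(d.reasons)}")
```

The design choice worth noting is that `evaluate` runs every component policy and keeps every denial reason instead of short-circuiting. That costs nothing at this scale and gives the monitoring side the correlated view the article describes: an inactive contractor hitting an unregistered resource shows up as both problems, not just the first one that happened to be checked.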