What Is a Zero-Trust Identity Strategy?
Identity is the foundation of a zero-trust framework rather than just a step in its implementation. A healthcare organization’s zero-trust environment cannot exist without considering all the discrete characteristics of identity anatomy. This should be embedded in every aspect of the zero-trust infrastructure. However, zero-trust identity cannot be achieved through a point solution. The realization of a zero-trust strategy should consider people, processes and technology.
Zero-trust identity begins with governance, frameworks and workflows. Identity registrations, authentication mechanisms, access policies, analytics, and automation and orchestration engines should all be correlated and coded to execute under a single policy governance structure. In a private ecosystem, every entity is vetted by an integrated policy-as-code engine to ensure that it is known by the network.
The goal of a zero-trust identity strategy is to confirm each person’s identity when they attempt to access a healthcare organization’s resources. When a sign-on attempt is made, the environment references a vetted identity store to verify a digital entity’s identity and whether it has current state privileges to access a specific resource. That applies whether the resource is a device, service, application or data.
How to Implement a Zero-Trust Identity Strategy
A successful plan considers the participation of an interdepartmental governance framework. The absence of a holistic, identity-centric framework may increase the attack surface and leave an organization with a false sense of security.
A typical engagement within a zero-trust identity strategy is broken down into three major evaluation components:
- Component Relationship: This includes the hardware and hardware interoperability. Interoperability is essential to achieve end-to-end monitoring and policy execution. All security solutions should be able to communicate to ensure the entire network is secure.
- Workflow Planning: This includes business processes, data mapping and the categorization of workflows.
- Access Policies: These policies should be considered from a component perspective as well as holistically.
It’s common to lead the path with a discovery of network components, services, data flow and core business applications to build the nucleus of a zero-trust architecture. This is followed by an assessment of existing network policies such as firewalls, intrusion detection prevention systems, virtual LAN configurations and data loss prevention systems that may exist in the ecosystem. The deployment phase then begins and employs this reference architecture, followed by the main policy engine.
All the policies that every component is executing individually are being correlated and funneled up to a main policy that coordinates every single event from end to end. Once in operation, the environment and policy rules are monitored continuously for effectiveness.
Considerations for a Zero-Trust Identity Strategy in Healthcare
Healthcare organizations should resist the temptation to set up zero-trust architectures on their own. There are many solutions on the market today that claim to achieve zero trust. While the hardware is extremely important, it is only about 20 percent of achieving zero trust. Eighty percent of the effort will be handling governance and understanding workflow, then jotting this down into executable code for the system to manage.
To organize this type of identity-centric approach to security, it seasoned professionals must assist with the planning, evaluation and deployment of zero trust to ensure a successful outcome. In successful deployments, governance is at the fore of interdepartmental collaboration. This is the approach that works best for zero-trust implementation. In healthcare, there are special challenges to consider, particularly around medical devices and certain workflows that are unique to the delivery of care. These challenges are best handled when organizations embrace partnerships as part of their strategies.
CDW knows healthcare. Many of our strategic advisers and technical competencies come from the healthcare environment itself. CDW has the experience in performing zero-trust assessments, enabling healthcare organizations to align their entire infrastructures and business operations into this cohesive framework. CDW offers advisory services, professional services, products and managed services to address each component of the zero-trust model.