Fitting into Zero-Trust Architecture
The areas of focus for the zero-trust model, according to the Cybersecurity and Infrastructure Security Agency, include identity, devices, networks, applications and workloads, and data. Many healthcare IT teams are already using zero-trust principles. Even maturing one or two of these pillars within an organization can help strengthen its cybersecurity approach.
When organizations have strong identity management, they are poised to respond more quickly and precisely when a potential threat appears. IT teams can better track and report red flags, prompting swift action to stop potential impostors.
The attack surface of an identity is smaller than a network’s. Organizations are not dealing with one large, flat network in today’s IT landscape. With the private cloud, public cloud and on-premises data centers, organizations have large network scopes that can be difficult to understand. But identity can cross those scopes, whether it’s on-premises or in the cloud. Network segmentation sets up the proverbial fences to work within a perimeter. But with identity segmentation, think of a guard at the fence who repeatedly asks for ID no matter how often you’ve already entered the perimeter — you have to request clearance every time.
Challenges for Identity Segmentation Implementation in Healthcare
Of course, when it comes to implementing stricter controls, the battle between usability and security, and business case versus risk, will rage on. That’s why it’s key to have a big-picture understanding of security across the organization to put things into perspective.
Identity segmentation uses a risk-based policy to restrict access based on identity. When implementing it, adding exceptions may seem like the easier path. Maybe a CEO decides that a rule applies to everyone except for a handful of leaders. But that misses the point of a zero-trust approach and complicates management.
Many in healthcare must also familiarize themselves with cloud strategies and move away from an on-premises mindset. For example, the use of a cloud access security broker is now seen as essential, and it can be bundled with secure access service edge architecture or a software-defined WAN connection.
Remember the Five P’s for Identity Segmentation
Proper planning prevents poor performance.
Don’t execute identity segmentation haphazardly, without a developed plan that includes a proof of concept and testing. Avoid tacking on solutions for short-term aims.
Plans must ensure that security basics are continually enforced. For example, do you have visibility, and is logging enabled? Do you have a basic understanding of network traffic for macro-segmentation? Do you have a core identity and access management program that’s an ongoing, evolving process?
Fully adopting a zero-trust framework will take time. It is a journey to mature each pillar, but, fittingly, there are incremental gains that organizations can make to improve their cybersecurity position.