By Joshua Perri
In today’s networks, having a strong defense at the perimeter points is not sufficient to keep your data safe. The IT landscape moves very quickly, and so do the threats that we face. Strong networks implement additional defenses to protect the internal boundary points. These additional defenses ideally vary in strength and type between segments, which house data of varying sensitivity levels. The healthcare industry has been slowly adopting stricter network segmentation and role-based access throughout the entirety of its networks. These additional defenses are absolutely worth implementing, but we should not stop there. Enter Zero Trust architecture, which follows the “never trust, always verify” model. Zero Trust architecture does not assume that traffic contained within the same zone is safe.
Endpoint protection is one of the biggest obstacles in IT. If your organization falls victim to a hacker, odds are it was through a compromised endpoint. In modern networks, intra-zone traffic (laterally moving traffic) is the least restricted traffic. The idea of Zero Trust is to require multiple authentication methods for access to each host, regardless of the user’s location. A user located within the same network zone is required to authenticate using the same process as a user outside the network. From experience, my implementation of Zero Trust required a username and password, which can easily be integrated into an Active Directory or LDAP identity management system. Then, multi-factor authentication must be enabled, using a soft-token authenticator or a one-time password sent to a mobile device. The last step of authentication for a Zero Trust provider may be a device certificate issued to the device. This Zero Trust model authenticates the user, the device and the session. This information is always transmitted over a secure SSL connection to ensure the data is sent and received securely.
This process of authenticating and validating the device, session, and user creates an ideal security approach. An added benefit of the certificate issued to the device is that the console of the Zero Trust portal contains an inventory of the devices with access, along with details of the specific access rights granted, which comes in handy when the time comes for a security assessment. While it’s difficult to call anything foolproof, this model creates an extra layer of security that is needed in the current environment of cyber threats.
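The access decision described in the two paragraphs above (directory credential, then a one-time code from a soft token, then a device certificate checked against the portal's device inventory, with the source zone deliberately ignored) modeled as a small policy function. This is an added example, not the author's or any vendor's code; the directory, seed, certificate bytes and inventory are constructed stand-ins for AD/LDAP, the authenticator and the issued certificates.

```python
import hashlib, hmac, struct
from dataclasses import dataclass

# Constructed stand-in for the AD/LDAP directory: username -> salted password hash.
SALT = b"constructed-salt"
def hash_pw(pw: str) -> str:
    return hashlib.sha256(SALT + pw.encode()).hexdigest()

DIRECTORY = {"nurse.jones": hash_pw("correct horse")}
TOTP_SECRETS = {"nurse.jones": b"12345678901234567890"}  # constructed soft-token seed
# Device inventory keyed by SHA-256 fingerprint of the issued device certificate (constructed DER).
DEVICE_INVENTORY = {hashlib.sha256(b"constructed-cert-der-workstation-42").hexdigest():
                    {"device": "workstation-42", "owner": "nurse.jones", "access": ["ehr-app"]}}

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter with dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class AccessRequest:
    user: str
    password: str
    otp: str
    device_cert_der: bytes
    resource: str
    source_zone: str   # "internal" or "external": recorded, but never consulted by the policy
    now: int           # request time as a Unix timestamp

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Zero Trust decision: every factor must pass, whatever zone the request came from."""
    if DIRECTORY.get(req.user) != hash_pw(req.password):
        return False, "user credential rejected"
    seed = TOTP_SECRETS.get(req.user)
    if seed is None or not hmac.compare_digest(totp(seed, req.now), req.otp):
        return False, "second factor rejected"
    fingerprint = hashlib.sha256(req.device_cert_der).hexdigest()
    dev = DEVICE_INVENTORY.get(fingerprint)
    if dev is None or dev["owner"] != req.user:
        return False, "device certificate not in inventory for this user"
    if req.resource not in dev["access"]:
        return False, f"device {dev['device']} not authorized for {req.resource}"
    return True, f"granted: {req.user} on {dev['device']} -> {req.resource}"
```

The inventory lookup is also what gives the assessor the list of enrolled devices and their granted rights that the paragraph above mentions.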
The technology utilized by Zero Trust architecture already exists in the field: multi-factor authentication, RSA certificates, and your current identity management system. Zero Trust architecture simply takes the idea of segmentation to a micro level, in which each host is segmented and secured individually. To visualize Zero Trust architecture in action, imagine a burglar breaking into a building only to discover a long hallway with locked steel doors throughout.
What does this mean for the future? As the medical field adapts and leans on the Internet of Things (IoT) for reporting medical metrics to hospitals from a patient’s wearable technology, the interoperability of these devices will rely on information sent and received over the Internet. With the increase of patients gaining access to medical devices outside of the hospital, look for the concept of Zero Trust to be the model these devices use. The next generation of medical devices will need to be maintained and updated on the Internet, in addition to sending information securely over the Internet. Any device externally exposed to the Internet will face certain risk, but Zero Trust architecture will create a method for even the smaller devices to have a fighting chance at maintaining security. Technology for medical devices is advancing, so the security infrastructure must keep up.
As new principles in security flourish, some newer technologies are emerging in parallel with Zero Trust. Software is quickly invading the networking space, and Software Defined Networking (SDN) has been a driving force. SDN and Zero Trust will fundamentally change how networking occurs, and these changes are coming quickly, whether in the cloud or on premises. Zero Trust is the security architecture of the future. With the widespread acceptance and success of DevOps, this trend will only continue. As developers continue to migrate into the IT space, expect the continued streamlining of automated IT tasks.
In with the new, but stay with the old! Remember that just because newer security techniques are appearing, this does not mean we should neglect the basics. If a company doesn’t have an updated list of assets, has never actually tested a restore from a backup, or has never audited user accounts, it is asking for trouble. We often hear stories of companies that are breached through preventable vulnerabilities; if systems had been implemented correctly, or if different security layers had been in place, they could have limited the damage of their respective breaches. If a company does the little things right and builds upon that by using tools efficiently and effectively, security is achievable. Companies rarely have the resources to spot every one of their deficiencies, so it is extremely important to find the right partner to assess the environment, provide a clear roadmap toward remediation, and then reassess to confirm the security posture is moving in the right direction.