FedHealthIT’s President, Susan Sharer, recently sat down with Cisco’s Cybersecurity Federal Civilian Sales Leader, Doug Cowan, and Federal Strategist, Steve Vetter, who explained Zero Trust, setting Zero Trust priorities, and the unique opportunity Zero Trust presents to Federal Healthcare.
Why the Need for Zero Trust?
Fundamentally, the way we work is changing. With more mobile access, movement to the cloud and the need to access information from anywhere at any time, we need to look differently at how to protect an organization’s data. The old days of a static, exterior firewall perimeter don’t work as well in this new environment. We have to shrink the perimeter, define it with software and apply identity authentication and authorization to protect microsegments of the network and data.
What is Zero Trust?
Zero Trust is a term initially coined by research and advisory firm Forrester. It is a security architecture and enterprise methodology used to orchestrate an organization’s security approach. A Zero Trust Architectural framework allows explicit authorization for people who are cleared to use specific data and ensures they are accessing only that data we expect them to work with.
Artificial Intelligence (AI) and Machine Learning (ML) have really empowered Zero Trust so we can now isolate individual users, devices and applications, blocking anything that raises concern. Not only does this effectively manage risk, but it gives people the increased confidence and ability to actually trust. In the oftentimes scary world of the Internet of Things (IoT) and the Internet of Medical Things (IoMT), Zero Trust can provide the comprehensive control that is required to more safely use needed medical devices and protect patient data.
How does Policy Come into Play?
To quickly innovate, leveraging an agency’s existing, effective security capabilities is key. In addition, you need to understand an agency’s requirement(s) for identifying users, for confirming they are authorized and what is accepted as confirmation of their identification. Most importantly, you need to understand normal behavior so we know when users and devices are behaving in a manner they shouldn’t be.
An entire agency’s workplace environment needs to be considered within a Zero Trust approach including how users are accessing devices, applications, workloads and data. Agency security policies guide access decisions and provide governance to enhance dynamic security flexibility and effectiveness. Once these policies are defined, they guide how resources are expected to interact. This in turn will drive granular micro-segmentation and enterprise identity policy enforcement rules and actions that allow agencies to effectively manage it all.
How do you Work with Customers to set Priorities?
You start by looking at the maturity of an agency’s security posture. How effective are they in gathering key information and then identifying how they want access controls to behave and respond in both normal and abnormal situations?
There must also be a focus on identifying the areas of greatest risk. Within the VA for instance, am I an employee or a Veteran? What rights do I have if I am connecting to Wi-Fi? Part of allowing access depends on ensuring the identity of the user, but also the nature of the device they are using for access. It’s critical, whatever the boundaries and restrictions, that everything is simple to use and transparent to users.
A Zero Trust security mentality is already in vogue in the commercial sector and its use is rapidly expanding. Think of airport security and all of the checks and authorizations along the way confirming your identity and your intended path, and now think of banking and the checks and verifications of you and your device’s identity.
What are the Unique Opportunities in Healthcare?
Zero Trust really hones in on the things that are of the utmost importance to people in healthcare. Zero Trust helps determine how you share information and what you can access to help manage overall security and privacy risk. Most importantly, Zero Trust provides the means to securely manage the risk of medical device use when necessary to produce needed clinical outcomes.
Whether in a hospital or the Rio Olympics (where Cisco has supported clinical environments and huge numbers of mobile, BYOD users, respectively, with no security incidents), Zero Trust can help identify risk and then streamline and automate security to enhance mission and clinical outcomes. When an application, user, device or workspace becomes compromised, effective countermeasures can be automatically applied within a Zero Trust environment because the infrastructure is smart enough to recognize authorized devices and work continues with no interruptions and full protection.
The increased use of telehealth is a perfect Zero Trust use case. A Zero Trust approach addresses the workforce (users with multi-factor authentication), the workplace (segmenting home or rural office access) and the workloads (restricting access to medical applications and data). With this approach, clinical outcomes can be achieved while managing both security and privacy risk. Significantly, a Zero Trust approach allows data to be locked down with different access rules whether at home, traveling or in a medical center and exceptions can be automated depending on clinical needs. Establishing proper governance and policy is critical and usually one of the hardest Zero Trust elements to implement.
Another challenge is regarding asset records. It can be hard to maintain an inventory of what applications and equipment are present and overly complex procedures can stymie operational effectiveness. People are hesitant to touch or influence an existing way of working because they don’t know or can’t predict the full impact of the change. The most effective way to move forward is providing comprehensive visibility via an understanding of what you have, how it works and what is needed. Zero Trust helps simplify and then tailor and automate your security policies and rules.
Agencies and industry are being asked by OMB and the Federal CIO to embrace Zero Trust capabilities to enhance mission outcomes. Suzette Kent has even called Zero Trust the basis for IT modernization, leveraging what we already have to better manage security and privacy risks – and in the healthcare arena, the results can be truly transformative in helping deliver improved clinical outcomes.
To get a more detailed sense of industry’s ability to support Zero Trust, download a copy of the latest FORRESTER WAVE™ – Zero Trust eXtended Ecosystem Platform Providers at: https://blogs.cisco.com/security/cisco-named-a-leader-in-the-2019-forrester-zero-trust-wave
Steve Vetter serves as a senior strategic solution executive and federal strategist for Cisco’s Federal Sector.
Doug Cowan is the Cybersecurity Sales Leader for the Federal Civilian sector. His team provides integrated cyber security solutions to secure the country via CDM, Zero Trust, and other initiatives.