Cybersecurity and Healthcare have a lot in common which isn’t immediately visible to the average eye. Take, for instance, the ‘Response Plan’ in case of an incident. Identification of the breach is usually the first step in case of a cybersecurity incident. This is followed by containment, eradication, and recovery. Similarly, a Health incident response plan is brought into effect after the identification of Patient or Ground Zero. Then the patient is quarantined to contain the further spread of the pathogen followed by efforts to eradicate the disease.
Today, the two fields have been brought to the forefront of global discourse for all the wrong and most tragic reasons. In the process, a new, indirect link between them has been exposed. As we all know, the novel Coronavirus, apparently having jumped from animals to humans, has taken the lives of more than 100,000 people. This spectacle of death has forced all of humanity to suspend all daily activities and stay at home. To ensure undisrupted productivity, however, enterprises have been forced to ask employees to work remotely. This has been enabled by the growth of technologies such as the Internet and cloud-based services over the past decade. With remote work being the new normal for now, cybersecurity has never been a greater issue. The average employee is susceptible to innumerable malicious attacks as he accesses sensitive company data with multiple insecure devices. The fear the common man has for the novel Coronavirus is also being exploited by malicious actors through phishing campaigns and whatnot. Overall, Cybersecurity issues have come to the fore as never before.
Traditionally, a remote worker uses a VPN to establish access to the corporate network. VPN’s are intended to secure the connection and at the same time grant access. However, there is an issue with VPN’s in particular and the current enterprise security architecture, at large: Trust. With a single pair of credentials obtained unlawfully, someone can lay siege to the entire corporate network. This is because the network considers anything or anyone within the perimeter (usually firewall) of the network to be trustworthy. A typical Castle and moat situation. Once within the perimeter, a malicious actor can go into reconnaissance mode and take down the entire network system by system.
So, if the trust is the issue here, why not eliminate it? Don’t trust anybody, within or without the firewall. This suggestion might sound crude. It is the equivalent of asking the television to be destroyed just because you couldn’t tune into a channel. But this idea, called the Zero Trust Security Model, has gone on to become one of the hottest topics in Cybersecurity.
Zero Trust is a security strategy founded on a set of concepts and ideas which collectively suggest only one thing: No one is to be trusted. In a classical network, trust is placed upon the user with the login credentials and access is granted. For all good reasons, this ‘user’ might be with stolen credentials. This will result in end-point data theft. Hence, the system must treat each user with Zero Trust. The security plan developed for an organization with this basic principle in mind is known as the Zero Trust Architecture.
Zero Trust Architectures may be deployed in different ways. One usual implementation is where the identity of the user and the device is considered. Additional data such as device certificates are also taken into account. The credentials are checked and cross-verified before access is granted to resources. Any discrepancies in the data usually limit the access granted to the user. The simplest form of such a model is the now ubiquitous and heavily in-demand Multi-factor Authentication (MFA) system.
Another popular implementation involves Micro-segmentation of resources with the use of Next-Generation Firewalls as gateways. This model identifies the key resources of the organization and a layer of protection is created around those resources. Simply put, each resource has its own shield against threats.
Zero Trust Networks can be built using technologies that are already in common use today. RSA Certificates for Encryption, Multifactor Authentication Systems are some examples. In fact, most public SaaS offerings are already Zero Trust configured. So, if you use cloud services such as Office 365, you may already partly be Zero Trust ready.
Cloud security is a major issue that the Zero Trust Architecture is expected to solve. Most enterprises, these days, deploy their applications and systems in different settings. While some may be hosted in the private data centre, others may be present in public or hybrid clouds. Different security measures are adopted for each deployment. This can cause a headache to the Information Security Personnel and leave in its wake a fragmented security architecture. A solid Zero Trust Architecture needs to be implemented in such a setting.
Transitioning a large enterprise that is highly dependent on legacy access control systems to a Zero Control Architecture is definitely a huge ask. It requires the combined efforts of people from all walks of corporate life: right from the CISO to System Administrators. But the benefits that an enterprise will reap by investing in Zero Trust is huge. MFA and Single Sign On (SSO) will enhance the user experience as employees won’t have to jot down their passwords again. Security Administrators will have greater visibility into network traffic. The returns outweigh the initial investment. Major companies such as Google and Coca-Cola have embraced Zero Trust. Even the United States House of Representatives has advocated the use of Zero Trust. While it may be tough making a transition, I anticipate that renewed interest and vigour in Cybersecurity with the widespread adoption of cloud-based Infrastructure services and the ever multiplying commercial solutions will surely make things easier in the near future.
Zero Trust is definitely the security architecture of the future. It can only serve well if companies view Zero Trust not only as a technological solution, but also as a strategy and, more importantly, a mindset. This approach is important as we march ahead to a future where all devices will be interconnected in the Internet of Things.
The novel Coronavirus so far has made us introspect deeply. Fundamental questions about human nature and society are being asked everywhere as we deeply reflect on what’s important in life. It has also given us the time to appreciate people better. As we celebrate the services of doctors, nurses and all healthcare workers, let us also take the time to appreciate the low-profile Healthcare Sysadmins.
Great post! Thanks for sharing the knowledge and keep up the good work.