White Paper: Understanding the Basics of Zero Trust
Securing healthcare organizations and connected medical and IoT devices is full of unique challenges, but research shows that a Zero Trust infrastructure is the safest and fastest way to tackle them.
What Is Zero Trust?
Before we dive into how healthcare organizations can address their security challenges with Zero Trust, it's important to understand the basic tenets of Zero Trust in general. Traditional security frameworks build a hardened perimeter to keep threat actors out of the network; Zero Trust assumes there is no trustworthy perimeter at all. Period. Every event and every connection, internal or external, is treated as untrusted until it has been verified. This means that under Zero Trust, every component must be secured and every access request must be evaluated on its own merits.
Some Zero Trust History
The Zero Trust model was introduced a little over a decade ago (the term was coined by Forrester analyst John Kindervag in 2010) to address the gaps that perimeter-based defenses leave open as IoT devices, cloud systems, containers, and other short-lived computing resources blur the network edge. It also addresses the growing sophistication of social engineering attacks and the prevalence of insider threats.
In August 2020, NIST published SP 800-207, Zero Trust Architecture, which defines Zero Trust as a set of concepts for making accurate, least-privilege, per-request access decisions by granting no implicit trust to users or assets based solely on their physical or network location. It goes on to explain how Zero Trust shifts from perimeter-based defenses built on static network segments to dynamic defenses based on identity, device state, and context.
A Zero Trust View of Threats
Zero Trust treats every entity connecting to or operating within the network as a possible source of compromise. The entities are:
- Users--employees, contractors, and guests of the organization are granted no trust by default, and any account may be under an attacker's control
- Assets--equipment and systems are assumed to be potentially compromised until their security posture has been verified
- Resources--confidential data such as ePHI is assumed to be reachable by threat actors unless access to it is explicitly controlled
Zero Trust was designed to keep networks protected even as threats grow more complex and network boundaries shift. To achieve this, Zero Trust grants users, devices, and applications only the least privilege they need to function. It also means that:
- All communications between two assets on the network must be mutually authenticated before any data is exchanged
- Even after communications are authenticated, an entity should never hold more privileges than it needs to function properly
- Bad actors might still control authenticated and authorized entities, as in the case of compromised accounts, so every request must be re-evaluated and access revoked as soon as an entity's status changes
The Six Principles of Zero Trust
Zero Trust is a set of guidelines meant to be applied broadly: not only to the on-premises network but also to external infrastructure such as the public cloud or the WiFi networks used by employees, guests, and contractors. NIST SP 800-207 lists six assumptions about the network that a true Zero Trust design must hold:
- No security perimeter--Every asset and every connection, including authenticated and encrypted ones, should be secured as if the network has already been breached.
- Non-enterprise-owned devices--Devices the organization does not own or configure, such as bring your own device (BYOD) personal devices and equipment operated by external contractors, must be tightly controlled, as they may need access to resources inside the network.
- No resource is inherently trusted--Whether it is an authorized, authenticated, and encrypted asset owned by the organization, a BYOD device, or a device operated by a vendor or contractor, Zero Trust treats every resource as potentially compromised and verifies its security posture before granting access.
- Non-enterprise resources--Not all enterprise resources live on enterprise-owned infrastructure. Data such as ePHI may reside in cloud services operated by third parties, and it still needs the same protection, particularly because reaching it means crossing networks the organization does not control.
- Local networks are never trusted--Remote users and assets cannot trust the local network they connect from (a home network or public WiFi, for example). Attackers on that network might monitor and modify traffic, so all communications, internal and external, require confidentiality, integrity verification, and authentication of both ends.
- Consistent policy across organization-operated and externally-operated infrastructure--Whether workflows and assets run inside the organization's network or outside it, the same security policy should apply, including to assets that move between on-premises, non-enterprise, and public cloud environments.
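As an added illustration (not code from the white paper, its authors, or NIST), the following Python sketches a per-request policy decision point that applies the least-privilege rules from the previous section and the six network assumptions above: deny by default, require an authenticated subject and an attested device before any communication, grant only the scope the role needs, re-evaluate every request so a compromised account loses access mid-session, and ignore network location so the same policy applies on the corporate LAN, at home, and in the cloud. The entity names, roles, the ePHI rule for non-enterprise devices, and the scenario in `demo()` are assumptions constructed for the example.

```python
"""Per-request Zero Trust policy decision point (added example, assumed names)."""
from dataclasses import dataclass


@dataclass
class Subject:
    user_id: str
    roles: frozenset
    authenticated: bool         # identity proven on THIS request (e.g. MFA + mTLS)
    compromised: bool = False   # SOC flag, e.g. credential seen in a breach dump


@dataclass
class Device:
    device_id: str
    enterprise_owned: bool
    attested: bool              # passed the device posture / attestation check
    location: str               # "corp-lan", "home", "public-wifi", "cloud"


@dataclass
class Resource:
    name: str
    sensitivity: str            # "public", "internal", "ephi"
    required_role: str


@dataclass
class Decision:
    allow: bool
    reason: str
    scope: frozenset = frozenset()


# Assumed least-privilege scopes per role: a role grants only the actions listed.
ROLE_SCOPES = {
    "clinician": frozenset({"read", "write"}),
    "billing": frozenset({"read"}),
}


def decide(subject, device, resource, action, channel_encrypted):
    """Evaluate one request. Deny by default; every check is a reason to refuse."""
    if not channel_encrypted:
        return Decision(False, "plaintext channel")
    if not subject.authenticated:
        return Decision(False, "subject not authenticated")
    if subject.compromised:
        return Decision(False, "subject flagged compromised")
    if not device.attested:
        return Decision(False, "device failed attestation")
    # device.location is deliberately never consulted: being on the corporate LAN
    # earns no extra trust, and a public WiFi connection is not penalised either.
    if resource.sensitivity == "ephi" and not device.enterprise_owned:
        return Decision(False, "ePHI not available to non-enterprise devices")
    if resource.required_role not in subject.roles:
        return Decision(False, "missing role")
    scope = ROLE_SCOPES.get(resource.required_role, frozenset())
    if action not in scope:
        return Decision(False, f"action {action!r} outside least-privilege scope")
    return Decision(True, "all checks passed", frozenset({action}))


def demo():
    """Constructed scenario: one clinician, two devices, one ePHI resource."""
    ehr = Resource("ehr-records", "ephi", "clinician")
    laptop = Device("lt-01", enterprise_owned=True, attested=True, location="corp-lan")
    byod = Device("ph-07", enterprise_owned=False, attested=True, location="home")
    cafe = Device("lt-02", enterprise_owned=True, attested=True, location="public-wifi")
    dr = Subject("dr.lee", frozenset({"clinician"}), authenticated=True)

    results = [
        decide(dr, laptop, ehr, "read", True),    # allowed
        decide(dr, laptop, ehr, "delete", True),  # denied: outside role scope
        decide(dr, byod, ehr, "read", True),      # denied: BYOD may not reach ePHI
        decide(dr, laptop, ehr, "read", False),   # denied: unencrypted channel
        decide(dr, cafe, ehr, "read", True),      # allowed: location is irrelevant
    ]
    dr.compromised = True                         # SOC flag arrives mid-session
    results.append(decide(dr, laptop, ehr, "read", True))  # denied on next request
    return results


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allow else "DENY ", d.reason)
```

The point of `demo()` is the last two calls: the same authenticated user on the same attested laptop is allowed on one request and refused on the next purely because a compromise flag arrived in between, and the request from public WiFi is treated exactly like the one from the corporate LAN.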
To learn more about applying Zero Trust and how to apply it safely in healthcare environments, download the full White Paper here >>