Network segmentation, strong authentication, and detecting unusual network behavior can slow attackers already inside your network
After a year of debilitating ransomware attacks and a presidential order partly in response, healthcare faces a cybersecurity call to action in 2022: Adopt the principles of zero trust.
According to NIST Special Publication 800-207, Zero Trust Architecture, published in August 2020 by the National Institute of Standards and Technology, zero trust security models assume that an attacker is present in the environment and that an enterprise-owned environment is no different—or no more trustworthy—than any non-enterprise-owned environment.
The importance of zero trust grew in 2021 as President Biden on May 12 signed Executive Order 14028, “Improving the Nation’s Cybersecurity,” to support US cybersecurity efforts and protect the critical infrastructure and federal government networks underlying the economy.
The executive order falls under the category of guidance, so there are no penalties for noncompliance. But one cybersecurity analyst points out that the guidance applies not just to government computing resources, but also to essential national technology infrastructures, including those operated by healthcare organizations.
“Zero trust is not a piece of technology,” says Joshua Magady, a senior consultant, section manager for the solutions architects team, and practice technical lead at the security consulting firm 1898 & Co. “It’s really a methodology.”
Joshua Magady, senior consultant, section manager for the solutions architects team, and practice technical lead at 1898 & Co. Photo courtesy 1898 & Co.
Building on the recognition that attackers are already likely inside the perimeters of enterprise networks, the zero trust methodology aims to slow or stop lateral movements by these attackers to compromise other enterprise assets, Magady says.
With each passing week, news headlines seem to bear out the assumption that the bad guys are already inside enterprise networks. Just this month, the Log4J vulnerability found in Apache Web servers demonstrates that compromises abound and won’t all be easily or quickly patched.
“Zero trust takes the stance that the adversary is already inside of your networks,” Magady says. “It’s about reducing your reliance on the security perimeter.”
Don’t think of zero trust as abandoning past approaches such as security perimeters, which still serve many useful purposes. Zero trust, when implemented well, reduces network administrators’ reliance on perimeters, and any implicit trust zones inside those perimeters now must face stronger scrutiny.
“Zero trust is really about reducing those implicit trust zones,” Magady says. “You can never remove it fully from a system, but you can reduce its scope and its size to a much smaller manageable area, where you can then have verified trust in there and not have to go with so much unverified trust.”
Prior to zero trust, people logging into computers basically authenticated once, and were then let into a network for which they were authorized.
“If you think about a castle, I dropped the drawbridge, I’m in, and now have access to all parts of the castle,” Magady says.
But in a zero-trust environment, just because that person has crossed the drawbridge doesn’t mean they have access to every location within the castle.
“I’m there watching you, monitoring you, and causing you to have to reauthenticate yourself,” Magady says.
Such monitoring can flag unusual behavior such as visitors logging in from unusual browsers, IP addresses, or geographic locations, and lock down critical network resources to ward off the actions of attackers.
Of course, that stronger authentication – how often it happens, where, and when – ends up getting weighed against the inconvenience it causes the people being reauthenticated. And zero trust isn’t exactly a new idea; many enterprise IT shops already implement aspects of it.
“Most organizations already have some elements of zero trust in their enterprise infrastructure or are on their way through implementation of information security and resiliency policies and best practices,” states Zero Trust Architecture.
“It’s a multi-year investment,” Magady says. “One of the things companies can do is to take their existing flat networks and segment them. It’s really grouping all of these security best practices that we’re already supposed to be doing, and then call it zero trust.”
Zero trust also requires enterprise security leaders to consider not just on-premises implementation of zero trust, but implementation in its cloud-based resources as well.
“Part of that zero-trust implementation is you’re moving the authentication closer to the service that’s being consumed,” Magady says. “If I had some financial application hosted in the cloud, I’ll put my authentication proxy right in front of it. You hit the proxy first and authenticate yourself, and then get passed on to the application.”
By contrast, some older security technologies such as virtual private networks (VPNs), permit access to all resources without the nuanced security considerations Magady described.
1898 & Co. is a business unit of Burns and MacDonald, a family of companies comprising 7,600 engineers, construction professionals, architects, technologists and scientists involved in many industries providing critical infrastructure in the US. Magady says healthcare organization IT infrastructure falls inside the definition of critical infrastructure, and healthcare organizations should take heed of Biden’s May 12 executive order.
And just because the May 12 EO doesn’t penalize healthcare organizations that don’t act, that doesn’t mean they’re off the hook with regulators. Magady points out that other government directives impose penalties on healthcare organizations for data breaches, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
“We’ve got to do better than what we’re currently doing, especially when it comes to critical infrastructure,” Magady says.
As such, fully implementing zero trust architectures in healthcare IT can definitely provide protection against ransomware attacks and the other threats IT faces in 2022.
“I may not be able to prevent it in its entirety, but I can substantially limit how effective it is,” he says.
Scott Mace is a contributing writer for HealthLeaders.