In this interview, the CISO of a healthcare payer discusses the identity-defined security strategies that make up zero trust. We’ve left the company and the identification of the CISO anonymous for privacy and security reasons. Thank you for understanding.
Making zero trust part of an organization’s DNA is difficult. See the story of how one CISO is making it happen…
How has the healthcare dimension of your organization affected your construction of zero trust?
Zero trust is one of those areas that we’re starting to tackle head-on. There are diverse components of zero trust.
We are a local state payer, but because of our brand, we need to be able to allow for data interoperability and access from other states and other payers or providers. That’s where it starts to get more complicated…Because we don’t necessarily know a given provider from across the country, we don’t know their identity. Therefore, we need to have trust in the federation that it is set up to allow our systems to be interoperable, and to be able to perform basic inquiries. For example, coverage or pre-authorizations before somebody is able to seek care.
There are also other dimensions to zero trust within the ecosystem…For instance, there’s a completely different philosophy around zero trust for your employees versus zero trust from your customers’ side of things.
Zero trust is tricky. It’s actually one of my least favorite terms, and I think that sentiment is shared amongst my fellow CISOs and security professionals. On some level, zero trust is completely overused, and we really need to talk about ‘what is it that we’re protecting?’ It’s all about data-centric security and at some point in your journey you’ve defined your trust boundaries.
So what does the future look like, in terms of zero trust? What are you hoping for in a year or two?
Our zero trust journey started around identity and data. Therefore, making sure there was MFA (multi-factor authentication) at all of our critical points; bringing in a privileged identity and access management system (PIM/PAM) to make sure that any access to sensitive data, which was elevated above normal access, as well as administration of applications and systems is vaulted through that and PIM/PAM solution.
Then, we began looking to implement levels of micro segmentation and ring fencing of applications and services. Now, we went down this route several years ago, looking for a purely network-based (non agent) approach, and unfortunately it was not successful. The complexity right out of the gate began to show how difficult this would be to manage across two physical datacenters. We’ve since rebooted the project and succumbed to an agent-based approach across our environment, with the hope that, this year, we will be much more successful in our ability to isolate the necessary applications and services across the environment that are required to communicate to each other. As a result, if an endpoint or a system is compromised, we can isolate it -within the network- reducing access to the systems and services that it has access to, and not allowing it to move laterally across the environment.
When it comes to zero trust, and looking further out, there are always new goals to offer as well as a more frictionless user experience– For example, in looking at identity, and going passwordless, security professionals hope to get rid of that friction related to physical passwords and even multi-factor authentication, because we’re starting to see user login fatigue.
However, folks are starting to become a little too complacent when they receive a push notification on their device saying ‘hey, I see that you’re trying to access our service ‘do you want to allow this to happen? Simply press allow…’ If folks aren’t present and aware, they could be authorizing a threat actor who’s trying to leverage stolen credentials.
The easier we make it for folks to stay secure, the better. Again, it’s about finding that balance between ‘how can we, as an organization, remain secure and also make it easy for employees to use systems efficiently at the same time?’
What kind of advice do you have for other cyber security professionals for implementing zero trust?
Make sure you understand what zero trust really means because there are companies that will try and sell you a single zero trust solution that will meet all of your needs and those that you didn’t know you had. I think that’s probably the best advice I can give you — understand exactly what zero trust “actually” means.
Regarding network security and network access, it’s multi-faceted. You have your identity and your network controls then, ultimately, your data controls, which all work in harmony. Know where your crown jewels are and understand the associated threat vectors.
Finally, you must understand your environment and risk tolerance. Do you have endpoints that are connecting into your environment that only have specific applications that they should have access to? There are solutions that are for that. Are you looking to make sure that your data is protected from trusted and untrusted endpoints? Maybe you need to have an identity-centric solution.
There’s not a one size fits all capability. Again, understand your environment, the respective threats associated with it, and make sure you’re focusing in the right area.
Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.