Zero Trust 101
Meaghan Hudak | Reading time: about 4 min

Executive Order 14028 requires federal civilian agencies to establish plans to drive the adoption of Zero Trust Architecture. But what is Zero Trust and what does it mean to be fully compliant? This session will explore what Zero Trust really means and its potential implications for customer experience in health care settings. 

Attendees learned: 

  • Zero Trust compliance, and 
  • The potential implications for customer experience in health care settings.  

The Security Landscape Today

Karlene explained that the impact of security breaches is growing and ransomware attacks are on the rise, driven by people working from everywhere and increased reliance on devices connected to the network.

The Deceptively Easy Question

The audience was asked, "Should this user on this device under this context be allowed to access this resource?"

Access Today and Access Under Zero Trust

We were introduced to perimeter-style security, or “Castle and Moat.” Once the user is in, they are trusted to act and to access only those areas they were intended to access. With more threats and threat sources, and more reliance on applications and the cloud, we need to better address vulnerabilities. Zero Trust is centered on the belief that organizations should not automatically trust anything inside or outside the perimeter:

  • The organization must verify anything trying to connect to its systems before granting access,
  • Zero implicit trust, or zero inherited trust, and
  • Appropriate amount of access at the appropriate time. 

Is Zero Trust a Technology?

Karlene asked us to think of Zero Trust as an approach, not a single solution. Zero Trust matures over time and involves many parts of the organization.

Core Zero Trust question: Should this user on this device under this context be allowed to access this resource?

  • Policy – Who has access and when?
  • Technology – How do we verify identity?
  • Architecture – How do we use tools to keep bad actors out? How do we integrate tools?
  • Culture/Training – How do we promote better security behaviors?
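The core question above, and the contrast with the "Castle and Moat" model, can be shown as two access decisions side by side. This is an added example, not material from Karlene's presentation; the resources, group names and policy values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset      # group membership asserted by the identity provider
    mfa: bool              # did this user complete MFA for this session?
    device_managed: bool   # is the device enrolled and compliant?
    src_network: str       # "corp" or "internet"
    hour_utc: int          # hour of day (UTC) the request arrived
    resource: str

def perimeter_decision(req: Request) -> bool:
    """Castle and Moat: being on the corporate network is all it takes."""
    return req.src_network == "corp"

# Per-resource policy: who may access, what must be verified, and when.
# Hypothetical values; "hours" is the permitted access window in UTC.
POLICY = {
    "patient-records": {"groups": {"clinicians"}, "mfa": True,
                        "managed_device": True, "hours": range(6, 22)},
    "cafeteria-menu":  {"groups": set(), "mfa": False,
                        "managed_device": False, "hours": range(0, 24)},
}

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Evaluate every request against the resource policy; network location is not a factor."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if policy["groups"] and not (req.groups & policy["groups"]):
        return False, "user not in an authorized group"
    if policy["mfa"] and not req.mfa:
        return False, "MFA required for this resource"
    if policy["managed_device"] and not req.device_managed:
        return False, "unmanaged device"
    if req.hour_utc not in policy["hours"]:
        return False, "outside permitted access window"
    return True, "allowed"

# Constructed sample requests: same user, same resource, different context.
INSIDE_NO_MFA = Request("jdoe", frozenset({"clinicians"}), mfa=False, device_managed=False,
                        src_network="corp", hour_utc=10, resource="patient-records")
REMOTE_VERIFIED = Request("jdoe", frozenset({"clinicians"}), mfa=True, device_managed=True,
                          src_network="internet", hour_utc=10, resource="patient-records")
```

The perimeter model admits the unverified on-network request and rejects the verified remote one; the Zero Trust policy does the opposite, because it evaluates user, device and context rather than location.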

Why is Everyone Talking About Zero Trust Now?

The Zero Trust concept has been around since 2010. The discussion has increased with the rise of ransomware and with consumers demanding protection of their data (Executive Order 14028, M-22-09).

Does My Organization Have to Address Zero Trust?

Threat Cases

  • Ransomware.
  • Supply chain attacks.
  • Insider threats.

Organizational Considerations

  • User experience impact considerations.
  • Industry compliance requirements (financial sector, U.S. Government Zero Trust Mandate).
  • Retaining cyber insurance or certain types of business insurance.

Health Care and Health Organizations

  • Huge range of assets, users, and access needs.
  • Stakes are high – medical records, Personally Identifiable Information, access issues have serious consequences.


Challenges to Implementing Zero Trust

We learned that legacy systems and networks rely on “implicit trust” and modernization requires significant investment. There is no consensus on a formal adoption model; some of the adoption models available focus only on the network layer. Adoption requires engagement and cooperation from senior leadership, IT staff, users, etc. The tools and practices used to enforce the model create friction and frustration for users: clunky VPNs slow down traffic, frequent password resets drive users crazy, and device management is too invasive for personal devices. We have to incorporate usability testing and users in Zero Trust solution design.

Where Do We Start?

Most organizations already have some elements of Zero Trust in place. It is important to take an Agile approach that matures over time, focusing on: discover, observe, respond and protect. Find an experienced partner for strategy, security, and change management. There are models and frameworks available to review.

Industry Models

Forrester

  • Originally released in 2010.
  • Re-released as Zero Trust eXtended (ZTX).
  • Data at the center of the model; includes data classification and protection as core requirements for Zero Trust.

Gartner

  • Continuous Adaptive Risk and Trust Assessment (CARTA).
  • Puts continuous risk assessment at the center of the model as it pertains to users, devices, applications, data, workloads, etc.

DHS Cybersecurity and Infrastructure Security Agency (CISA)

  • Represents implementation across five distinct pillars – Identity, Device, Network, Application Workload, and Data.




Graphic: Gradient implementation across five pillars: minor advancements can be made over time. Maturity – Traditional, Advanced, and Optimal.

Zero Trust Rewind – Implementation

Karlene challenged the audience to start with where you are and what you know. Plan immediate changes and long-term changes that coordinate with larger IT modernization strategy. Take an Agile approach to maturing over time. Look to industry best practices and models. Most importantly, address usability.


If you missed Karlene’s presentation, check out the transcript and recording on the CCSQ World Usability Day page. This page also includes an archive of transcripts and recordings of speaker presentations, session materials, and event photos. For more information about the Human-Centered Design Center of Excellence, refer to the HCD CoE Confluence page.

MEAGHAN HUDAK 

Meaghan is a Communication Specialist supporting the CCSQ Human-Centered Design Center of Excellence (HCD CoE). Meaghan has been with the HCD CoE since January 2022. 
