Zero Trust 101
Meaghan Hudak | Reading time: about 4 min
Executive Order 14028 requires federal civilian agencies to establish plans to drive the adoption of Zero Trust Architecture. But what is Zero Trust and what does it mean to be fully compliant? This session will explore what Zero Trust really means and its potential implications for customer experience in health care settings.
Attendees learned:
- Zero Trust compliance, and
- The potential implications for customer experience in health care settings.
The Security Landscape Today
Karlene explained that the impact of security breaches is growing and ransomware attacks are on the rise. People are now working from everywhere, and organizations rely increasingly on devices connected to the network.
The Deceptively Easy Question
The audience is asked, "Should this user on this device under this context be allowed to access this resource?"
Access Today and Access Under Zero Trust
We were introduced to perimeter-style security, or “Castle and Moat.” Once the user is in, they are trusted to act and are expected to access only the areas intended for them. With more threats and threat sources, and more reliance on applications and the cloud, we need to address vulnerabilities better. Zero Trust is centered on the belief that organizations should not automatically trust anything inside or outside their perimeters:
- The organization must verify anything trying to connect to its systems before granting access,
- Zero implicit trust, or zero inherited trust, and
- Appropriate amount of access at the appropriate time.
Is Zero Trust a Technology?
Karlene asked us to think of Zero Trust as an approach, not a single solution. Zero Trust matures over time and involves many parts of the organization.
Core Zero Trust question: Should this user on this device under this context be allowed to access this resource?
- Policy – Who has access and when?
- Technology – How do we verify identity?
- Architecture – How do we use tools to keep bad actors out? How do we integrate tools?
- Culture/Training – How do we promote better security behaviors?
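To make the core question concrete, here is an added example (not code from the presentation, and not any product's policy engine). It contrasts a "castle and moat" decision, which trusts anything inside the network, with a per-request decision that evaluates the user, device, context and resource against an explicit, default-deny policy. All user names, groups, resources and policy values are constructed for illustration.

```python
"""Toy Zero Trust policy decision point (added illustration, constructed data).

Contrasts the perimeter decision (trust whatever is inside the network) with a
per-request decision that asks: should this user, on this device, under this
context, be allowed to access this resource?
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One access request: who, on what device, under what context, to what."""
    user: str
    groups: FrozenSet[str]          # identity attributes from the IdP (constructed)
    mfa_passed: bool                # did this session complete MFA?
    device_managed: bool            # enrolled in device management
    device_compliant: bool          # patched, encrypted, endpoint agent running
    inside_corp_network: bool       # on-prem or VPN address
    hour_utc: int                   # 0-23, time of request
    resource: str


@dataclass(frozen=True)
class Policy:
    """Explicit, per-resource requirements. Resources without a policy are denied."""
    allowed_groups: FrozenSet[str]
    require_mfa: bool
    require_compliant_device: bool
    allowed_hours_utc: Optional[Tuple[int, int]] = None   # (start, end); None = any time


# Constructed policies for a hypothetical health care organization.
POLICIES = {
    "ehr/patient-records": Policy(
        allowed_groups=frozenset({"clinicians"}),
        require_mfa=True,
        require_compliant_device=True,
        allowed_hours_utc=(6, 22),
    ),
    "intranet/cafeteria-menu": Policy(
        allowed_groups=frozenset({"staff", "clinicians"}),
        require_mfa=False,
        require_compliant_device=False,
    ),
}


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: once you are on the network, you are trusted."""
    return req.inside_corp_network


def zero_trust(req: Request) -> Tuple[bool, List[str]]:
    """Evaluate every request against the resource's explicit policy.

    Returns (allowed, reasons). Network location is deliberately not an input:
    being inside the perimeter earns no implicit or inherited trust.
    """
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, ["no policy defined for resource (default deny)"]

    reasons: List[str] = []
    if not (req.groups & policy.allowed_groups):
        reasons.append("user is not in an authorized group")
    if policy.require_mfa and not req.mfa_passed:
        reasons.append("MFA required but not completed")
    if policy.require_compliant_device and not (req.device_managed and req.device_compliant):
        reasons.append("device is not managed and compliant")
    if policy.allowed_hours_utc is not None:
        start, end = policy.allowed_hours_utc
        if not (start <= req.hour_utc < end):
            reasons.append("request is outside the allowed time window")
    return (not reasons), reasons


# Constructed sample requests.
REMOTE_CLINICIAN = Request(
    user="dr.lee", groups=frozenset({"clinicians"}), mfa_passed=True,
    device_managed=True, device_compliant=True, inside_corp_network=False,
    hour_utc=14, resource="ehr/patient-records",
)
ON_NETWORK_PERSONAL_LAPTOP = Request(
    user="contractor7", groups=frozenset({"staff"}), mfa_passed=False,
    device_managed=False, device_compliant=False, inside_corp_network=True,
    hour_utc=3, resource="ehr/patient-records",
)

if __name__ == "__main__":
    for req in (REMOTE_CLINICIAN, ON_NETWORK_PERSONAL_LAPTOP):
        allowed, reasons = zero_trust(req)
        print(f"{req.user} -> {req.resource}: perimeter={castle_and_moat(req)} "
              f"zero_trust={allowed} {reasons}")
```

The two sample requests show the inversion the presentation describes: the perimeter model denies the remote clinician on a compliant, MFA-verified device and admits the unverified personal laptop simply because it is on the network, while the per-request policy does the opposite. Returning the list of failed checks rather than a bare deny is what makes the decision explainable to users and auditable later.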
Why is Everyone Talking About Zero Trust Now?
The Zero Trust concept has been around since 2010. The discussion has increased with the rise of ransomware and with consumers demanding protection of their data (Executive Order 14028, M-22-09).
Does My Organization Have to Address Zero Trust?
Table (columns: Threat Cases | Organizational Considerations | Health Care and Health Organizations; cell contents not captured in this summary).
Challenges to Implementing Zero Trust
We learned that legacy systems and networks rely on “implicit trust,” and modernization requires significant investment. There is no consensus on a formal adoption model, and some of the available adoption models focus only on the network layer. Adoption requires engagement and cooperation from senior leadership, IT staff, users, and others. The tools and practices used to enforce the model create friction and frustration for users: clunky VPNs slow down traffic, frequent password resets drive users crazy, and device management is too invasive for personal devices. We have to incorporate usability testing and users into Zero Trust solution design.
Where Do We Start?
Most organizations already have some elements of Zero Trust in place. It is important to take an Agile approach that matures over time, focusing on: discover, observe, respond and protect. Find an experienced partner for strategy, security, and change management. There are models and frameworks available to review.
Industry Models
Table (columns: Forrester | Gartner | DHS Cyber and; cell contents not captured in this summary).
Graphic: Gradient implementation across five pillars: minor advancements can be made over time. Maturity – Traditional, Advanced, and Optimal.
Zero Trust Rewind – Implementation
Karlene challenged the audience to start with where you are and what you know. Plan immediate changes and long-term changes that coordinate with larger IT modernization strategy. Take an Agile approach to maturing over time. Look to industry best practices and models. Most importantly, address usability.
If you missed Karlene’s presentation, check out the transcript and recording on the CCSQ World Usability Day page. This page also includes an archive of transcripts and recordings of speaker presentations, session materials, and event photos. For more information about the Human-Centered Design Center of Excellence, refer to the HCD CoE Confluence page.
MEAGHAN HUDAK
Meaghan is a Communication Specialist supporting the CCSQ Human-Centered Design Center of Excellence (HCD CoE). Meaghan has been with the HCD CoE since January 2022.