When healthcare IT and security staffs were sent home to work during the height of the Covid-19 pandemic, it had a ripple effect that continues to challenge leaders — particularly when it comes to cybersecurity. “We went from a handful of work locations to hundreds, if not thousands, because everyone’s home became an office,” said Brian Cayer, CISO at Tufts Medicine, during a recent discussion.
As a result, the attack surface — which had previously been limited (at least from a geographical standpoint) — grew exponentially, forcing leaders to rethink their strategies. “All of a sudden, we had a remote workforce and were opening up VPNs,” he said. And while users could be validated, the same couldn’t be said for devices. “How do we know it’s secure? Do we want to connect it to the network? The pandemic has really changed how we think.”
For CISOs, it has meant finding a way to “securely enable processes” in spite of the “very distributed environments” that exist, said Omar Khawaja (CISO, Highmark Health), who also spoke on the panel, along with Tamer Baker (VP of Global Healthcare, Forescout Technologies). It’s a feat that has become increasingly difficult.
Whereas in the past, there were a limited number of devices on the hospital’s network, “now you have an explosion of endpoints, including IoT devices,” he noted. And it’s not just the volume of devices that has raised concerns, but also the growing expectations among users for speed and accessibility.
The answer, according to Cayer, is to “work toward a zero-trust model” that enables organizations to quickly identify and validate users. “I look at it like privileged access management on steroids — not just privileged, but all access,” he said. “Ransomware is impacting organizations, and we need to figure out how they’re getting in. We can’t just keep doing what we’re doing.”
Terminology is everything
However, while many agree that zero trust is the way forward, there’s still a lack of understanding as to what it actually means at the business level. “It’s a very descriptive name from a security perspective, because that’s exactly the intent,” said Khawaja. “But I’ve hesitated to use the name because one of the core behaviors at Highmark is ‘trust working together.’ This feels directly in conflict with that.”
The onus then falls on security leaders to explain what zero trust means and how it can be leveraged to improve security, which can be quite tricky, according to Cayer. “We haven’t fully adopted zero trust as an industry, and so people haven’t seen it implemented — or maybe they have, but not in a good way.” A common misconception? That implementing zero trust means waiting on approvals, which in turn can negatively affect patient care.
Not exactly a recipe for gaining buy-in.
What leaders should do, according to the panelists, is start by explaining why a zero-trust strategy is necessary — and leave the ‘how’ for later.
Where organizations go wrong
“My direction to the team is that 90 percent of what you talk about is the why; they’re not allowed to spend more than 10 percent of their time on the how. That’s where organizations go wrong,” said Khawaja. In fact, when his role at Highmark expanded to include hospitals, he was cautioned against sending phishing emails to physicians and told it wouldn’t generate the desired response.
And so, Khawaja met with the chairs of every department and explained the consequences of clicking on malicious links. “I didn’t talk to them about dates or specifics; if you do that, they’ll give you a hundred reasons why your plan won’t work,” he recalled. “But if you focus on how (a breach) would directly impact patients and our ability to deliver care, you’re no longer imposing security and risk reduction on the business. The business is pulling you in and convincing you to do it.”
Once that all-important piece has been addressed, organizations can take steps forward, according to the panelists, who provided several best practices for getting to Zero Trust.
- Think high risk. The best place to start, noted Cayer, is by looking at areas of high risk and creating a plan around it. “We started a planned migration to the cloud. It was all net-new, and so we built a zero-trust process around how we can access the cloud and manage it,” he said. “The challenge is determining the right solution to meet those needs.”
- Partner with the business. For Highmark, developing a set of criteria was key in helping leadership decide where and when to apply a zero-trust approach, noted Khawaja. “There’s no shortage of ideas; there’s no shortage of controls either,” he said. “And so, in order to make sure we were being purposeful and deliberate, we partnered with the business and said, ‘These are things we think should determine how we should prioritize different approaches to promote zero trust.’” Once buy-in was achieved, they applied the criteria to various use cases and plotted them on a heat map showing, for each zero-trust-friendly control, the level of risk reduction that deploying it would gain and the level of effort required to do so. “That gave us a roadmap for how to get to zero trust.”
- Aim for close. Another best practice may seem counterintuitive at first: Khawaja believes zero trust should be viewed as an “elusive destination.” In fact, he doesn’t think any organization will actually achieve zero trust, but by striving for it — which means taking the necessary steps such as deploying controls and updating configurations — they’ll end up with a more secure environment.
- Block ports. Rather than trying to block every port, Khawaja advised identifying the top 10 or 20 riskiest ports and focusing on them. “Is it perfect? Definitely not, but sometimes that leads to 70 to 80 percent of the risk reduction,” he said. “We’ll happily take that and be on our way to zero trust versus arguing about the last percentage,” for which it’s very hard to achieve alignment with the business and IT.
- Think beyond users. One of the biggest mistakes organizations make, according to Baker, is failing to incorporate “the entire digital terrain” into the zero-trust approach, focusing only on users or the cloud. “They forget that they need to think about their strategy before they implement anything for the users, workspaces, data center, cloud, medical devices and IoT devices — all of those things that are hyperconnected need to be part of the design upfront,” he said. “You need to know what your digital landscape looks like so you know where to place enforcement points.”
- Don’t skip ahead. Another common pitfall? Neglecting the first four steps of the Zero Trust Architecture established by NIST and jumping right to the enforcement piece. In doing so, organizations fail to understand what’s on the network and how different systems communicate, which can lead to significant challenges. “If you skip those steps and the initial planning, and go straight to selecting a vendor and an enforcement point, you’re either going to break things or you’re going to have to revisit and redo zero trust for all the different parts of your network.”
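The “block the riskiest ports first” and “know what’s on the network before choosing enforcement points” advice above can be turned into a small planning exercise. The following script is an added illustration, not code from the webinar, the panelists or their organizations: it takes a constructed asset inventory and a constructed set of observed flows, builds a segment-to-segment communication map, lists the segment boundaries where a policy enforcement point could sit, and ranks the ports crossing those boundaries so a team can start with the few that buy most of the risk reduction. The per-port risk weights are an assumption for the example, not a published scoring scheme.

```python
"""Zero-trust planning helper: inventory what talks to what before picking
enforcement points, then choose the few riskiest cross-segment ports to
focus on first.

Added illustration; all hosts, segments, flows and risk weights are
constructed sample data and the weights are an assumption.
"""
from collections import Counter, defaultdict

# Constructed asset inventory: host -> network segment
# (NIST-style step one: know what is on the network).
INVENTORY = {
    "10.0.1.10": "clinical-workstations",
    "10.0.1.11": "clinical-workstations",
    "10.0.2.20": "medical-devices",   # e.g. an infusion pump controller
    "10.0.2.21": "medical-devices",
    "10.0.3.30": "datacenter",        # EHR application server
    "10.0.3.31": "datacenter",        # file/print server
    "10.0.4.40": "remote-vpn",        # home worker connected over the VPN
}

# Constructed flow records (src, dst, dst_port), as a firewall or NetFlow
# export might yield them (step two: learn how systems communicate).
FLOWS = [
    ("10.0.1.10", "10.0.3.30", 443),
    ("10.0.1.11", "10.0.3.30", 443),
    ("10.0.4.40", "10.0.3.30", 443),
    ("10.0.4.40", "10.0.3.31", 445),
    ("10.0.4.40", "10.0.2.20", 3389),
    ("10.0.1.10", "10.0.2.21", 23),
    ("10.0.2.20", "10.0.3.30", 443),
    ("10.0.3.31", "10.0.3.30", 1433),
    ("10.0.4.40", "10.0.3.31", 3389),
]

# Assumed per-port risk weights (higher = riskier when reachable across
# segment boundaries); tune these to the organization's own risk view.
PORT_RISK = {23: 9, 445: 8, 3389: 8, 1433: 6, 22: 4, 443: 1}


def communication_map(flows, inventory):
    """Return {(src_segment, dst_segment): Counter({port: flow_count})}.
    Hosts missing from the inventory map to 'unknown' so they stand out
    instead of silently disappearing from the plan."""
    cmap = defaultdict(Counter)
    for src, dst, port in flows:
        cmap[(inventory.get(src, "unknown"),
              inventory.get(dst, "unknown"))][port] += 1
    return cmap


def enforcement_points(cmap):
    """Segment pairs with cross-segment traffic: each is a boundary where a
    policy enforcement point could be placed. Intra-segment pairs are left out."""
    return sorted(pair for pair in cmap if pair[0] != pair[1])


def riskiest_ports(cmap, port_risk, top_n=3, default_risk=3):
    """Score each port by its risk weight times the number of distinct segment
    boundaries it crosses, and return the top_n as [(port, score)]."""
    score = Counter()
    for (src_seg, dst_seg), ports in cmap.items():
        if src_seg == dst_seg:
            continue
        for port in ports:
            score[port] += port_risk.get(port, default_risk)
    return score.most_common(top_n)


if __name__ == "__main__":
    cmap = communication_map(FLOWS, INVENTORY)
    print("Candidate enforcement points (segment boundaries with traffic):")
    for src_seg, dst_seg in enforcement_points(cmap):
        print(f"  {src_seg} -> {dst_seg}: ports {sorted(cmap[(src_seg, dst_seg)])}")
    print("Ports to focus on first:")
    for port, score in riskiest_ports(cmap, PORT_RISK):
        print(f"  {port}: score {score}")
```

On the sample data, RDP (3389) outranks Telnet (23) even though Telnet has the higher weight, because RDP crosses two segment boundaries and Telnet only one; that is the point of scoring on the communication map rather than on a static port list. The intra-datacenter SQL flow never appears in the ranking, which is the “don’t skip the inventory” lesson in miniature.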
Finally, security leaders must remain conscious of the fact that any change — no matter how minor it may seem — can cause a disruption, so the value needs to be made clear. “You’re adding disruption to the process,” even if it’s just moving the location of a click. “The role of the CISO is 50 percent technical and 50 percent marketing. You need to get that message across.”
To view the archive of this webinar — Exploring a Zero Trust Architecture: Getting Started & Avoiding Pitfalls (Sponsored by CyberMDX, a Forescout Company) — please click here.