Health-ISAC Publish Zero Trust Implementation Guidance For CISOs

A white paper has recently been published by Health-ISAC intended to assist CISOs to understand and implement a zero trust security architecture. Traditionally, a CISOs approach includes perimeter defenses, which prohibit unauthorized third parties from gaining access to data. However, the traditional cybersecurity approach is no longer viable in the cloud due to the lack of perimeters. Furthermore, the methods malicious actors employ to successfully gain access to data are rapid changing. In the event that access to the data is gained through perimeter defenses, the malicious actor can travel laterally within networks and have the ability to conduct several malicious activities undetected. 

The zero trust strategy is designed to prevent data breaches and limit internal movement. The strategy is based on the phrase “never trust, always verify”. The structure assumes all communication on the network is untrusted, all devices and systems are required to be authenticated, authorized and continuously monitored. Therefore, in the event that a malicious actor does gain access to a device, its uses are restricted. 

The zero trust strategy had existed as a concept for more than a decade. However, it has become increasingly popular in recent years. In 2021, President Biden emphasized the significance of zero trust measures in an executive order he issued on the condition of the United States’ cybersecurity. Following the order, federal agencies nationwide are mandated to implement the strategy. 

However, while the zero trust strategy can be very beneficial, CISOs often find it difficult to implement the strategy correctly. Health-ISAC recognizes this, “Implementing a zero trust architecture is not as simple as going to one vendor and picking a solution off the shelf. There are several components that need to be integrated together to create a holistic zero trust architecture,”. These components include data security, network security, workload/application security, device security, identity and access management, and cloud security management. Implementing zero trust can be particularly challenging for healthcare organizations using IoT devices. Healthcare organizations may find difficulty in implementing zero trust in IoT devices as they may require extra components and configuration changes. 

The new guidance helps explain what zero trust security means and how to implement it correctly. The guidance is based on the Health-ISAC’s ‘ Framework for CISOs to Manage Identity’, and applies zero trust principles for securing all communications. The Health-ISAC has requested CISOs to issue feedback to their email should there be any.