In light of increasingly sophisticated cyber threats, the National Security Agency (NSA) has released guidance on embracing a Zero Trust security model. This security model “assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.” So, what does this mean for us?
As the NSA states, “The fundamental purpose of Zero Trust is to understand and control how users, processes, and devices engage with data.” Zero Trust can be a big lift depending on your organization, but you can start, as our clients at BlueOrange do, by creating a PHI flow diagram. The diagram should show how PHI enters and leaves your environment and how it is protected while inside it. This tells you where to focus your efforts first. Once you know where sensitive information lives in your environment, apply the principle of least privilege to the fullest extent, implement MFA, and put aggressive system monitoring in place.
The NSA outlines how to leverage Zero Trust design concepts:
- Define mission outcomes – Derive the Zero Trust architecture from organization-specific mission requirements that identify the critical Data/Assets/Applications/Services (DAAS).
- Architect from the inside out – First, focus on protecting critical DAAS. Second, secure all paths to access them.
- Determine who/what needs access to the DAAS to create access control policies – Create security policies and apply them consistently across all environments (LAN, WAN, endpoint, perimeter, mobile, etc.).
- Inspect and log all traffic before acting – Establish full visibility of all activity across all layers from endpoints and the network to enable analytics that can detect suspicious activity.
It’s not a question of if but of when your organization will face an attack. Understanding your environment is critical to protecting against and responding to malicious actors.
Learn how BlueOrange Compliance can help you protect your organization and the people you serve by calling 855.500.6272, or request a free consult.