How zero trust is helping protect government health records
September 5, 2019 12:56 pm
This content is provided by Palo Alto Networks and Carahsoft.
“Assume your network is compromised” – how can you protect your data?
Edward Snowden was a wake-up call that resounded throughout the entire public sector. Government agencies, stewards of huge troves of the most sensitive types of data, weren’t just vulnerable from outside threats; they needed to start protecting against insider threats as well. New defenses were needed: enter Zero Trust.
“Snowden broke into the highest side of the NSA network,” said Rick Howard, chief security officer at Palo Alto Networks. “And once he got in, he had access to every resource on the network. If they had had a Zero Trust architecture, he would have been limited in the stuff he could have stolen; and so that is the point about Zero Trust and the reason a major government health agency wanted to implement Zero Trust.”
This agency contracted with Palo Alto Networks to put a Zero Trust architecture in place to protect all its sensitive medical data. Electronic medical records can be a very attractive target to bad actors looking to steal data. But hospitals, clinics and other medical facilities can also pose a unique challenge in protecting that data: many medical devices are now smart devices, meaning they’re internet-connected. And the more endpoints a network has, the larger the attack surface is, and the harder it is to secure.
“What they’ve done is created IDs for all the medical devices in the hospital so they can understand which devices are talking to other devices,” Howard said. “That means the firewall can identify all that stuff for them, once they’ve made the signatures for them.”
Zero Trust works through least privilege: every application (and to a next-generation firewall, everything is an application, from Facebook to a medical device) gets only the access it needs to do its job.
Howard said this kind of security is based on three main components: application, user and content identification. Basically, you need to know what thing is talking to the network, who is using that thing that’s talking to the network, and what is being sent between the two items talking to each other. That greatly reduces the attack surface, making the network and the data easier to defend.
“Traditional cyber networks – it’s basically laptops, servers and routers. But in the internet of things world, it’s all these other things that are connecting to the network. Hospitals, especially, have devices that could do all kinds of crazy stuff,” Howard said. “So being able to identify each device that’s communicating on their internal network, and only allowing it access to the resources that it needs to have access to, will greatly enhance their security posture. So, basically, if the bad guy breaks into the heart monitor, he’s not going to have access to the medical records.”
That also goes for users. Anyone connecting to the network only gets access to the information and areas needed to perform their job – and nothing else. Howard said the original idea for Zero Trust is based on how the military protects its information: Just because you have a clearance, that doesn’t mean you have access to everything. It’s the philosophy of least privilege.
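As an added illustration of the three-way identification (application, user, content) and default-deny least privilege described above, here is a small policy evaluator written for this article; it is not Palo Alto Networks' product code, and every device, role, content type and zone name in it is constructed.

```python
from dataclasses import dataclass
from typing import List

# Hypothetical, simplified model of the three identifications the article
# names: application (or device), user and content, plus the destination.

@dataclass(frozen=True)
class Flow:
    app: str      # identified application/device signature, e.g. "heart-monitor"
    user: str     # identified user or role; "none" for an unattended device
    content: str  # identified content type, e.g. "hl7-vitals"
    dest: str     # destination zone or resource, e.g. "emr-database"

@dataclass(frozen=True)
class Rule:
    app: str
    user: str
    content: str
    dest: str

    def matches(self, f: Flow) -> bool:
        # "*" in a rule field means "any"; otherwise the field must match exactly.
        pairs = ((self.app, f.app), (self.user, f.user),
                 (self.content, f.content), (self.dest, f.dest))
        return all(want in ("*", have) for want, have in pairs)

# Constructed least-privilege allow-list: each device or role is granted only
# the one path it needs. Note there is deliberately no catch-all allow rule.
POLICY: List[Rule] = [
    Rule("heart-monitor", "*", "hl7-vitals", "telemetry-server"),
    Rule("emr-client", "clinical-nurse", "emr-record", "emr-database"),
    Rule("emr-client", "physician", "emr-record", "emr-database"),
    Rule("erp-client", "finance-staff", "erp-ledger", "finance-database"),
]

def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """The first matching rule allows; anything unmatched is denied.
    Being 'inside' the network earns no access on its own (assume breach)."""
    for rule in policy:
        if rule.matches(flow):
            return "allow"
    return "deny"

# Constructed flows. A compromised heart monitor that reaches for records
# fails on app, content and destination at once and is dropped.
SAMPLE_FLOWS = [
    Flow("heart-monitor", "none", "hl7-vitals", "telemetry-server"),
    Flow("heart-monitor", "none", "emr-record", "emr-database"),
    Flow("emr-client", "clinical-nurse", "emr-record", "emr-database"),
    Flow("emr-client", "clinical-nurse", "erp-ledger", "finance-database"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.app:>14} / {f.user:<15} -> {f.dest:<17} {evaluate(f)}")
```

The same evaluator also shows the user dimension at work: a valid EMR client sending a valid record type is still denied when the identified user is not one of the permitted roles.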
“You religiously scrutinize giving access to anybody to make sure it’s what they need to do their job and not giving them extra,” Howard said. “It is the idea that you assume that your network is compromised and not the other way around. In the old days, we used to think we could keep them out; and we designed our networks, our security posture to do that. But if you assume going in, before you design anything that your network is already compromised, what would you do differently in your design? What comes up is Zero Trust.”
In fact, Howard said he himself, as an executive at Palo Alto Networks, operates under these same parameters. If someone were to break into his account, all they could get access to would be his emails and PowerPoint collection. Palo Alto Networks’ mergers and acquisitions database, code library and financial records would still be safe.
That’s a security posture government agencies can adopt to help reduce the insider threat, which is one of the hardest forms of data breach to defend against. It doesn’t even require the insider to have malicious intent: they can be compromised as easily as by clicking a bad link or downloading the wrong attachment. Then the real bad actor is inside the network, and the agency’s data is at risk.
“This agency is out in front here compared to other government institutions, thinking ahead and thinking where they need to be in the future,” Howard said. “That’s been fabulous, and Palo Alto Networks is the center stone for their security architecture.”
Rick Howard oversees Palo Alto Networks’ internal security program, leads the Palo Alto Networks Threat Intelligence Team (Unit 42), directs the company’s efforts on the Cyber Threat Alliance Information Sharing Group, and hosts the Cybersecurity Canon Project. His prior jobs include CISO for TASC, GM of iDefense, SOC Director at Counterpane and Commander of the U.S. Army’s Computer Emergency Response Team. Rick holds a Master of Computer Science degree from the Naval Postgraduate School and an engineering degree from the US Military Academy.