How does Zero Trust work to prevent opportunistic ransomware and targeted nation-state cyber attacks by regulating access control?
How Does Zero Trust Work?
Zero Trust works on the basis of the well-known, frequently voiced, but usually not fully implemented security principles of 'Least Privilege' and 'Trust But Verify'. Trust your staff, but verify their activity, and don't provide them more access than they need to do their jobs. The principles are not too dissimilar to those applied to military personnel, where access is granted on a 'need to know' basis following 'mandatory access control' principles, based upon role, rank and assignment.
In other words, instead of being given access to everything when you join an organization, you should be provided access only to what you need in order to do your job. You get a key to this box and that box but no other boxes, and what you access is monitored. Essentially you have segmented or compartmentalized access rather than carte blanche. As your role or assignment changes, certain keys are revoked and new ones are provided.
Fox in the Hen House
One way of looking at this segmentation approach is to think about the story of a fox in the hen house. Rather than one large hen house with one large door, segmentation places each hen in its own hen house with its own locked door. A hungry fox can then only get to one hen with each breach, rather than all of them at once as is the case in most hen houses today. By limiting and containing a successful attack, the fox only gets to steal one hen, which may not be worth the effort of breaking down its coop door. The loss of one hen won’t put the farmer out of business, and it alerts him to the fact that there is a fox in his midst and that he should get his shotgun.
Of course, in this example the fox is an outside threat, but malicious insider threats are another growing concern with rising levels of cyber espionage and theft of commercial trade secrets and intellectual property by staff.
Threats from Within
The recent story of Xiaolang Zhang is a good example. Zhang had worked at Apple in the Bay Area for several years on its autonomous self-driving car project before announcing his intention to leave the company in order to join a competitor, XMotors (aka Xiaopeng Motors), based in Guangzhou. This declaration came soon after he returned from a trip to China.
Before handing in his resignation, however, he trawled the Apple network for data and copied over 40GB of trade secrets. He then walked out of the building with a Linux server and circuit boards in hand. He was arrested by the FBI at San Jose airport before he was able to board a plane out of the country. Zhang was caught because he had gone outside of the swim lane required for his role and had raised suspicions. 'Trust but Verify', a fundamental principle of Zero Trust, in this case landed Zhang in court when his activities were verified and found to be illegitimate.
In healthcare, there is an implicit trust across staff to do the right thing and a common belief that everyone is mission-oriented to provide the best possible patient care. However, that may not always be the case. Healthcare data – PII, PHI, and IP such as clinical research into new drugs and treatments – is rising in value, and a number of clinical researchers have been caught stealing intellectual property from the hospital or research facility they work for.
Last year, a husband and wife team, Yu Zhou, 49, and Li Chen, 46, were charged with stealing intellectual property related to pediatric medical treatments they had worked on while employed at Nationwide Children's Hospital in Ohio, in order to launch their own pharmaceutical company in China. When they took this company public in China, it netted them millions of dollars based on the cutting-edge research developed at Nationwide Children's.
Zhou and Chen are not alone however, and nor are they the only Chinese citizens involved in medical IP theft. The NIH and FBI are investigating 180 individual cases of alleged intellectual property theft of biomedical research funded by the U.S. government, primarily involving Chinese or Chinese American researchers, The New York Times reports.
While the principles of Zero Trust and segmentation would probably not have averted all of these attacks, it is likely that many could have been contained to smaller thefts of data, or that alerts would have been raised earlier as verification of access took place, alerting security staff to suspicious activity.
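The two halves of Zero Trust described above, least privilege (role-based keys to segmented data, revoked when the role changes) and trust-but-verify (every request checked and logged, with out-of-role or bulk access surfaced as an alert), can be modelled in a few dozen lines. The following is an added example written for this page, not code from the original post or from Cylera; the roles, segments, request stream and thresholds are constructed assumptions used only to show the mechanism.

```python
"""Toy Zero Trust access gateway (added example, not the page's or Cylera's code).

- Least privilege: a user holds only the segment 'keys' of their current role.
- Segmentation: data lives in separate segments, each checked independently.
- Trust but verify: every request is decided and logged, and the log is
  scanned for users acting outside their swim lane or moving unusual volume.
Roles, segments and thresholds below are constructed assumptions.
"""
from collections import Counter, defaultdict

# Constructed role -> segment keys (the boxes each role may open).
ROLE_KEYS = {
    "nurse": {"ward-records"},
    "researcher": {"trial-data"},
    "it-admin": {"device-inventory"},
}


class ZeroTrustGateway:
    def __init__(self, role_keys, byte_budget=1_000_000):
        self.role_keys = role_keys
        self.assignments = {}            # user -> current role
        self.events = []                 # every decision is recorded ("verify")
        self.byte_budget = byte_budget   # assumed per-user transfer budget

    def assign(self, user, role):
        """Assign a role; a role change swaps the whole key ring, so old keys are revoked."""
        if role not in self.role_keys:
            raise ValueError(f"unknown role {role!r}")
        self.assignments[user] = role

    def authorize(self, user, segment, size_bytes=0):
        """Decide one request, log it, and return True only if the role holds that key."""
        role = self.assignments.get(user)
        allowed = role is not None and segment in self.role_keys[role]
        self.events.append({"user": user, "role": role, "segment": segment,
                            "bytes": size_bytes if allowed else 0, "allowed": allowed})
        return allowed

    def anomalies(self, max_denials=2):
        """Return {user: [reasons]} for users the operations team should look at."""
        denials = Counter(e["user"] for e in self.events if not e["allowed"])
        volume = defaultdict(int)
        for e in self.events:
            if e["allowed"]:
                volume[e["user"]] += e["bytes"]
        flagged = {}
        for user in set(denials) | set(volume):
            reasons = []
            if denials[user] >= max_denials:
                reasons.append(f"{denials[user]} denied requests outside role")
            if volume[user] > self.byte_budget:
                reasons.append(f"{volume[user]} bytes exceeds budget {self.byte_budget}")
            if reasons:
                flagged[user] = reasons
        return flagged


def run_scenario():
    """Constructed request stream exercising containment, alerting and revocation."""
    gw = ZeroTrustGateway(ROLE_KEYS, byte_budget=1_000_000)
    gw.assign("alice", "nurse")
    gw.assign("bob", "researcher")
    gw.assign("carol", "it-admin")
    requests = [                                  # (user, segment, bytes) - constructed
        ("alice", "ward-records", 4_000),         # within role
        ("alice", "trial-data", 0),               # outside her swim lane: denied, logged
        ("alice", "device-inventory", 0),         # denied again
        ("bob", "trial-data", 3_000_000),         # allowed, but a bulk copy over budget
        ("carol", "device-inventory", 2_000),     # normal admin activity
    ]
    for user, segment, size in requests:
        gw.authorize(user, segment, size)
    # Alice moves to the research team: new key granted, ward key revoked with the role.
    gw.assign("alice", "researcher")
    moved_ok = gw.authorize("alice", "trial-data", 500)
    old_key_revoked = not gw.authorize("alice", "ward-records", 500)
    return gw, moved_ok, old_key_revoked


if __name__ == "__main__":
    gateway, ok, revoked = run_scenario()
    print("role change granted new key:", ok, "| old key revoked:", revoked)
    for user, reasons in gateway.anomalies().items():
        print(f"ALERT {user}: {'; '.join(reasons)}")
```

The point of the design is that the denied requests are not just refused; they are logged and counted, so a user probing segments outside their role shows up to the operations team before any data leaves, and a user whose role legitimately covers a segment but who moves far more data than expected shows up too. Carol, who stays inside her swim lane, never appears in the alert list.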
Zero Trust is a key ingredient in healthcare security. Not only is it a very effective preventative control, restricting access by users and objects like applications or devices to data, but it's also a critical indicator of risk, letting your operations team know when anomalous access behavior is attempted. Zero Trust is one of the guiding principles of Cylera's Med Command platform for the monitoring and management of healthcare IoT and other medical devices. See how it works at https://www.cylera.com/demo.