Healthcare security sound bites

Security begins with access but it doesn’t need to end there.

By Kurt Roemer, Chief Security Strategist

Outdated IT practices that give too much access by default are causing recurring security nightmares, and it’s time to wake up to the new reality: Access should be specific to its purpose.

Submit your credentials upon login and what do you get? An All Access Pass: everything your role, rights and relationships entitle you to across disparate applications and data, most of which you likely don’t need for the task at hand. For many of us, enabling default access to everything that might be useful means that we live our online lives cloaked in excessive access.

To protect against unintended use and disclosure while meeting compliance objectives, maintaining privacy and securing intellectual property, access to sensitive apps and data must be strictly controlled. Through excessive access, sensitive data is overexposed while in transit, in use and at rest. Unfortunately, damaging breaches teach this lesson all too often. To compound the problem, today’s access is primarily safeguarded by a single login event.

To be specific to purpose, access must be aligned with the sensitivity of data and the situation in which the data is being requested and used. We call that contextual access.

Contextual access policies scrutinize trust elements across the 5W's of Access (who, what, when, where and why) to grant specific usage entitlements only when required trust objectives are verified as being met end-to-end. Contextual access is a continuous process that extends from the request event through specific data usage entitlements and dynamic policies that govern the data security lifecycle.
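The following is an added example of a contextual access evaluator, not code from the author or any product. It models a request as the 5 W's, looks up trust objectives from the sensitivity of the data requested, grants usage entitlements only when every objective is met, and re-runs the policy whenever a context element changes so the decision is continuous rather than a one-time login check. The roles, purposes, sensitivity levels and thresholds are all constructed for the example.

```python
"""Contextual access policy evaluator: an added example, not the author's code.

Each request carries the 5 W's (who, what, when, where, why). Trust objectives
are looked up from the sensitivity of the data requested; entitlements are
granted only when every objective is met, and the policy is re-run whenever a
context element changes, so access is decided continuously rather than once at
login. All roles, purposes and thresholds below are constructed for the example.
"""
from dataclasses import dataclass, replace
from datetime import datetime, time


@dataclass(frozen=True)
class Context:
    user: str               # who
    role: str
    mfa: bool               # whether multifactor authentication was completed
    resource: str           # what
    sensitivity: str        # "public", "internal" or "restricted"
    at: datetime            # when
    managed_device: bool    # where: endpoint posture
    network: str            # where: "corp", "vpn" or "public"
    purpose: str            # why: purpose declared by the requesting application (assumed)


# Trust objectives per data sensitivity (constructed thresholds).
TRUST_OBJECTIVES = {
    "public":     {"mfa": False, "managed_device": False,
                   "networks": {"corp", "vpn", "public"}, "hours": (time(0, 0), time(23, 59))},
    "internal":   {"mfa": True,  "managed_device": False,
                   "networks": {"corp", "vpn", "public"}, "hours": (time(0, 0), time(23, 59))},
    "restricted": {"mfa": True,  "managed_device": True,
                   "networks": {"corp", "vpn"},           "hours": (time(7, 0), time(19, 0))},
}

# Which purposes each role may declare, and the usage entitlements that purpose earns.
ROLE_PURPOSES = {
    "clinician":  {"treatment": {"view", "edit"}, "research": {"view"}},
    "billing":    {"claims": {"view"}},
    "contractor": {"support": {"view"}},
}


def evaluate(ctx: Context) -> tuple[set[str], list[str]]:
    """Return (entitlements, unmet objectives). Any unmet objective yields no entitlements at all."""
    objectives = TRUST_OBJECTIVES[ctx.sensitivity]
    unmet = []
    if objectives["mfa"] and not ctx.mfa:
        unmet.append("who: multifactor authentication required")
    if objectives["managed_device"] and not ctx.managed_device:
        unmet.append("where: managed device required")
    if ctx.network not in objectives["networks"]:
        unmet.append(f"where: network {ctx.network!r} not permitted for {ctx.sensitivity} data")
    start, end = objectives["hours"]
    if not start <= ctx.at.time() <= end:
        unmet.append("when: outside permitted hours")
    earned = ROLE_PURPOSES.get(ctx.role, {}).get(ctx.purpose)
    if earned is None:
        unmet.append(f"why: role {ctx.role!r} may not access data for {ctx.purpose!r}")
    if unmet:
        return set(), unmet
    entitlements = set(earned)
    # Copying data out is a separate, narrower entitlement; restricted data never earns it.
    if ctx.sensitivity != "restricted":
        entitlements.add("export")
    return entitlements, []


def reevaluate(ctx: Context, **changes) -> tuple[set[str], list[str]]:
    """Continuous access: rerun the policy with the changed context elements of a live session."""
    return evaluate(replace(ctx, **changes))


if __name__ == "__main__":
    session = Context(user="alice", role="clinician", mfa=True, resource="chart/4711",
                      sensitivity="restricted", at=datetime(2024, 3, 5, 9, 30),
                      managed_device=True, network="corp", purpose="treatment")
    print(evaluate(session))                      # view and edit, no unmet objectives
    print(reevaluate(session, network="public"))  # no entitlements: network objective unmet
```

The design point is that `evaluate` never returns a partial grant: one unmet objective empties the entitlement set, and `reevaluate` lets a session that moves to a public network or a different declared purpose lose entitlements mid-session instead of keeping them until the next login.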

While the promise of contextual access and mitigating the “All Access Pass” has been a goal for many years, its implementation has been elusive. All of the necessary elements, including multifactor authentication (MFA), dynamic identity management, endpoint analysis, encryption, information rights management (IRM), application-specific networking and data usage policies have been inordinately difficult to construct and manage as an end-to-end security solution. Fortunately, we have an evolving framework today in virtualization and containerization that gets us much closer to the goal of mitigating excessive access.

Can you do this on your PC?

As a couple of representative examples of how virtualization and containerization enable a contextual access model, consider the following:

Need: The organization demands that the ability to copy data from one application to another be restricted. This need is especially critical to mitigate data exfiltration from SaaS and cloud-based apps, as well as for home-based users and third-party access.

Solution: Use virtualization to either prohibit copy and paste, or institute a one-way clipboard policy with format filtering to allow only specific data to be copied in or copied out. Format filtering specifies whether copied and pasted data can be plain text, rich text, HTML, or bitmaps (to name a few). And the policies can be applied across the board, to groups of apps, or to individual apps.
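Here is an added example of the one-way clipboard policy with format filtering described above; it is not code from the author or any virtualization product. A broker mediates every copy between two applications, and each rule names a source, a destination (a single app or a named group) and the clipboard formats allowed to cross in that direction only. Formats outside the rule are stripped, and app pairs with no matching rule get nothing, so the default is deny. The application and group names are constructed.

```python
"""One-way clipboard policy with format filtering: an added example, not the
author's or any vendor's code.

A broker mediates every copy/paste between applications. A rule names a source,
a destination (single apps or named groups) and the clipboard formats allowed to
cross in that direction. Formats outside the rule are stripped, and app pairs
with no matching rule get nothing: the default is deny. Application and group
names are constructed for the example.
"""
from dataclasses import dataclass, field

# Common clipboard formats (MIME-style names chosen for the example).
PLAIN, RTF, HTML, BITMAP = "text/plain", "text/rtf", "text/html", "image/bmp"
ALL_FORMATS = frozenset({PLAIN, RTF, HTML, BITMAP})


@dataclass(frozen=True)
class Rule:
    source: str            # app, group name, or "*" for any
    destination: str       # app, group name, or "*" for any
    formats: frozenset     # formats permitted in this direction only


@dataclass
class ClipboardBroker:
    rules: list
    groups: dict = field(default_factory=dict)   # group name -> set of app names

    def _matches(self, pattern: str, app: str) -> bool:
        return pattern == "*" or pattern == app or app in self.groups.get(pattern, set())

    def transfer(self, src: str, dst: str, payload: dict) -> tuple[dict, list]:
        """Filter a clipboard payload (format -> data) flowing from src to dst.

        Returns (kept, dropped): the formats allowed through and the ones stripped.
        """
        if src == dst:
            return dict(payload), []        # paste within one app is not an inter-app flow
        allowed = set()
        for rule in self.rules:
            if self._matches(rule.source, src) and self._matches(rule.destination, dst):
                allowed |= rule.formats     # rules accumulate; none matching leaves it empty
        kept = {fmt: data for fmt, data in payload.items() if fmt in allowed}
        dropped = sorted(fmt for fmt in payload if fmt not in allowed)
        return kept, dropped


def example_policy() -> ClipboardBroker:
    """Constructed policy: SaaS apps may receive plain text only and may never be copied out of;
    local desktop apps may exchange anything among themselves."""
    return ClipboardBroker(
        rules=[
            Rule("local", "saas", frozenset({PLAIN})),   # copy in: plain text only
            Rule("local", "local", ALL_FORMATS),         # desktop to desktop: unrestricted
            # no rule with source "saas": copy out of SaaS apps is denied
        ],
        groups={"saas": {"crm", "hr-portal"}, "local": {"word", "notepad"}},
    )


if __name__ == "__main__":
    broker = example_policy()
    clip = {PLAIN: "Q3 pipeline", RTF: r"{\rtf1 Q3 pipeline}", BITMAP: b"BM\x00"}
    print(broker.transfer("word", "crm", clip))                      # plain text kept; rtf and bmp dropped
    print(broker.transfer("crm", "word", {PLAIN: "customer list"}))  # nothing kept: no outbound rule
```

Because a rule is matched on its direction, the same two apps can have plain text allowed one way and nothing the other way, which is the "copy in but not out" posture the text describes for SaaS and cloud apps; the group mechanism is what lets one rule apply across the board or to a set of apps.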

Need: Data must be contained for use by specific roles, within teams and ideally, it must exist in project-based enclaves. Enclaving is essential to control ownership, distribution, versioning and expiry across a dynamic data lifecycle that includes BYO users, contractors, international travelers and highly-sensitive third parties (e.g. attorneys).

Solution: Implement containerization along with application- and data-specific enclaves to protect enterprise data across enterprise, BYO and third-party usage. Containers are enterprise-encrypted and managed, with strict controls over what data can be copied into, out of, or between defined enclaves. Data can be dynamically wiped as it expires, information rights management policies are continually applied, digital watermarking can help identify ownership, multifactor authentication is enabled and usage-specific logging documents access governance.
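As an added example of the enclave lifecycle just described (not code from the author or any container product), the following models a project-based enclave whose items carry an owner, an expiry and per-role rights in the style of information rights management. Every access is checked against membership, rights and expiry, expired content is wiped on a sweep, only the owner may distribute an item into another enclave, and every decision is logged so access governance can be documented. Enclave, user and item names are constructed.

```python
"""Project-based data enclave with rights enforcement, expiry-driven wipe and
usage logging: an added example, not the author's or any product's code.

Each item carries an owner, an expiry and per-role rights (an information-rights
style policy). Every access is checked against membership, rights and expiry,
and every decision is logged so access governance can be documented. Enclave,
user and item names are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class Item:
    name: str
    owner: str
    expires: datetime
    rights: dict                       # role -> set of permitted actions
    content: Optional[bytes] = None    # None once wiped


@dataclass
class Enclave:
    name: str
    members: dict                      # user -> role within this enclave
    items: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, user: str, item: str, action: str, result: str) -> None:
        self.audit.append({"enclave": self.name, "user": user, "item": item,
                           "action": action, "result": result})

    def add(self, item: Item, by: str) -> None:
        if self.members.get(by) is None:
            self._log(by, item.name, "add", "denied: not a member")
            raise PermissionError(f"{by} is not a member of {self.name}")
        self.items[item.name] = item
        self._log(by, item.name, "add", "ok")

    def access(self, user: str, item_name: str, action: str, now: datetime) -> Optional[bytes]:
        """Return the item's content if the action is permitted now, else None. Always logged."""
        item = self.items.get(item_name)
        role = self.members.get(user)
        if item is None or role is None:
            self._log(user, item_name, action, "denied: unknown item or non-member")
            return None
        if now >= item.expires or item.content is None:
            self._log(user, item_name, action, "denied: expired")
            return None
        if action not in item.rights.get(role, set()):
            self._log(user, item_name, action, f"denied: role {role} lacks {action}")
            return None
        self._log(user, item_name, action, "ok")
        return item.content

    def sweep_expired(self, now: datetime) -> list:
        """Wipe the content of expired items (dynamic expiry) and return their names."""
        wiped = []
        for item in self.items.values():
            if item.content is not None and now >= item.expires:
                item.content = None
                wiped.append(item.name)
                self._log("system", item.name, "wipe", "ok")
        return wiped

    def share(self, item_name: str, other: "Enclave", by: str) -> bool:
        """Only the owner may distribute an item into another enclave it belongs to;
        the copy keeps the original rights and expiry."""
        item = self.items.get(item_name)
        if item is None or item.owner != by or by not in other.members:
            self._log(by, item_name, "share", f"denied: not owner or not a member of {other.name}")
            return False
        other.add(Item(item.name, item.owner, item.expires, dict(item.rights), item.content), by)
        self._log(by, item_name, "share", f"ok: to {other.name}")
        return True
```

Note that `access` denies on expiry even before `sweep_expired` has run, so a missed sweep never extends an item's life, and that the audit trail records denials as well as grants, which is what makes the log useful as evidence of governance rather than just of activity.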

Redefining access in order to leverage the principles of contextual access is critical to advancing security and privacy today, and to eliminating the All Access Pass. With the imminent proliferation of devices and services connected through the Internet of Things, an automated, access-specific layered defense with visibility is even more essential to protecting tomorrow's access. This is how virtualization and containerization of enclave-sensitive applications and data can help to control access across the complex workflows that define our online lives.