You’re Only as Strong as Your Weakest (Vendor) Link
Establishment of Trust Zones Solves Two Major Concerns
By Randal Asay, @CatbirdSecurity
Visit Catbird at HIMSS in booth #34090
It’s a situation that strikes fear into the heart of every CISO—a breach caused by a vendor relationship. It is a never-ending balancing act of trust on behalf of the client (you) and accountability on behalf of the vendor (your partners) to establish the capabilities needed to accomplish the job, but limit access to a need-to-have basis. Couple this with operational inefficiency and human error and we have a formula destined for disaster. The many recent, highly-publicized data breaches exemplify this all too well, and the healthcare industry is by no means exempt from risk.
Most organizations struggle to control vendor DMZ’s, poking firewall holes, opening odd ports specific to various management consoles, allowing data transfers for troubleshooting and system configuration data. Sound familiar? If so, now would be a good time for a gut check. Far too often, operational challenges overtake a common sense approach to data protection. Leaving yourself vulnerable to human error ensures that it’s just a matter of time before you, too, have a crisis to deal with. Let’s hope you’re not requested to explain to Congress why your practices and policies allowed a 3rd party maintenance consultant to access a critical part of your environment — there is no good explanation! And then there are the huge civil penalties you’ll likely need to pay as a result of your patient healthcare records being compromised. But, let’s assume for a moment that you can prevent this type of situation. How?
To start, you can recognize that security today is a much larger issue than just simple HIPAA compliance. Then, you can develop and enforce a security policy that applies to your business partners as well as to yourselves, utilizing fundamental data segmentation. We are entering into a period of technology advancement that no longer focuses on physical topology. Security policy today should be defined at an application level, moving the intelligence up the stack — so accessing critical portions of the infrastructure must require elevated privileges to reduce the ability of users to abuse rights. At Catbird we refer to these infrastructure areas as trust zones.. The use of trust zones involves employing a software-defined mechanism for securing software-defined networks and data centers, and serving as the fundamental paradigm that embodies a vital simplification of security configuration and automation. As a result, the establishment of trust zones solves two major concerns.
The first concern, operational inefficiency, can be eradicated by taking a comprehensive approach to security policy, thereby rectifying the inability of today’s complex and dynamic data centers to be protected by manual, monolithic systems and static security technologies. Trust zones allow all assets within each established zone to have complete and consistent protection through the use of network security that is simplified, automated, and designed for virtualization.
The second concern, operational human error, can be addressed by applying predefined controls to a zone based on the compliance framework, thus removing the ability to misapply a rule that violates the fundamental data flow restriction policy.
No doubt, a more comprehensive approach to security that integrates multiple security components within a single operations console — and that involves all of your business partners as well as yourselves — addresses the concerns above. What’s more, an automated, secured virtualization infrastructure results in an IT department that is more responsive and robust, which is good for everyone involved, weakest links included.
About the Author: Randal Asay is the chief technology officer for Catbird, a virtual security solutions provider. Randal joined Catbird in 2013 and was previously Director of Engineering at Walmart Stores Inc.