This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] even step one is a dramatic risk reduction that happens as you're moving into your zero trust plans. Welcome to This Week Health. Today we're continuing a six part series on Zero Trust Hospital, the CXO vision. It's a new book by Zscaler. We have one of the authors, Tamer Baker, the healthcare CTO for Zscaler on board with me today. I'm Drex DeFord, President of Cyber and Risk at This Week Health and the 229 Project. Tamer, welcome to the show.
Thanks for having me. Super excited to be here.
Yeah, it's always fun to see you.
We've done four of these episodes. The first one started off with Bill. We just talked about digital transition and all this stuff that's happening with the digital transition of our healthcare world right now, and how that opens up all kinds of new challenges and issues.
And we've gone through several sections of the book, actually, kind of chapter by chapter. We've given a little bit of a hint about some of the kinds of stuff that's in the book. This [00:01:00] is episode five. We're gonna talk about where to begin with zero trust. And so, for hospitals starting their zero trust journey, what are some of the most critical foundational steps they should take to get on the path?
Yeah, I think I mentioned in an earlier episode, it might have been episode three, where we talked about inertia. I think one of the foundational things to do is you have to overcome that inertia within your organization. So once you've read the book, you get an understanding of what zero trust is and what it means to all the different stakeholders within an organization, and how we can better ourselves, improve operational efficiencies, improve financials, et cetera. That's where that inertia we have to overcome, and we actually outline a lot of that inertia that needs to be overcome and how we do it. But second to that, once you've overcome that inertia, I'd say one of the most interesting things that is at a foundational level for zero trust, that needs to be done, is you've got to get your identity squared away. Without identities,
it's very difficult to get zero trust done, because it is a [00:02:00] cornerstone, a foundational step. So whoever you use for identities, we operate with all of them, obviously, as long as you get that squared away and your identities are cleaned up and you know who's in your environment.
That's step one: get your identity done, if you're thinking about getting zero trust on board.
So tell me more about the identity cleanup and the challenges behind identity. It feels like every time I'm with a CISO, one of the challenges that they talk about is this struggle that they have with figuring out
both human identities and non-human identities, service accounts, and all those kinds of things. Some of them, sometimes they don't even know what they have in the environment, and they don't have a good way to go look for that stuff.
Yeah.
Can Zero Trust and Zscaler help with that?
This is where that multi-vendor approach we talked about comes in. One of the myths that needs to be busted: identity is a core requirement, because you do have to understand your identities that exist, and you do have to have some level of cleanup.
[00:03:00] Now, understanding who's got access to what, or any of that stuff, you don't need to do first, right? That's where we come in and show you: this is who's talking to what already today. This is who hasn't talked to anybody in six months; maybe that identity should have been cleaned up a long time ago. There are other components that we would help with.
But working with your identity vendors, I think, is a critical step. I'm not an identity expert like they would be. So you're going to want to work with, again, there are many vendors out there. I love them all. They're all great. They all have strengths; they're all there to help you basically get through those projects.
It is a core requirement for this, including the non-human identities, right? Because we are also doing the device piece of that segmentation for zero trust.
Identity is the first step on the path. What comes after that?
So after that is where things get a little bit more interesting, right?
Because you have to decide; there are stages and phases to zero trust. We really need to first and foremost understand it: what is going on in your environment? So once you start [00:04:00] rolling something like this out, you'll start having an unprecedented level of visibility. You're able to see exactly who's talking to what, whether it's external, internal, your cloud, somebody else's cloud, just general web pages on the internet, et cetera.
Once you have this huge amount of visibility, our AI models actually help predict and show you and say, hey, these are the types of groups that are talking to these types of application systems. These are suggested rules and policies to start implementing and start, I think we talked about this before, reducing that blast radius, and you start making it so that everything else becomes invisible to those users.
It makes it an easy step to see that visibility of who's talking to what, everywhere. Even on that fourth step of data protection, you may not be ready for that piece yet, to prevent exfiltration of data, but all that information will be available to you. It'll show you exactly who's accessing what data, where that data lives, where that data is moving and how it's moving, so that you can also start thinking about your data protection policies as you're progressing along.
[00:05:00] So these are all, I'd say, the very next step is the visibility component, just understanding what's what, how things are looking, so that you can start narrowing down and removing wildcards, let's say, where everybody has access to everything; start removing all that down. But the very most important thing I'll say is, when you get to that step (we'll call identity step zero, because it's a requirement to do anything), when you get to that step one, even if you have it all wildcarded, all of that infrastructure is now off the internet.
So that attack surface is immediately eliminated. So even if, internally, your user can access anything because you haven't flattened all that down, the attack surface has already been significantly reduced. So even step one is a dramatic risk reduction that happens as you're moving into your zero trust plans.
It's interesting, right? So we're doing six episodes and then we're doing a webinar on this. And the more episodes that we record, the more I realize that the other episodes in this actually are all connected [00:06:00] together, because, as you say that, one of the episodes we did earlier is called Myth Busting Zero Trust, and I think a lot of people have this idea that to do zero trust,
first I have to fix everything, and then once everything is fixed, I can start to begin this zero trust journey. And in fact, what you're telling me is: fast-track past the fixing of all this stuff and just get onto the zero trust path right away, because it will immediately make you more secure, and just the ability to have
insights into all the things that are happening on your network, I hear people ask about that all the time.
Yeah, spot on. In the sense that even if you haven't turned on all those strict controls, it becomes that non-disruptive piece. Another myth is that it's super disruptive. It's not disruptive, because you just change how they access things, but everybody still has the same access.
You haven't reduced anything. You haven't removed anything. You haven't turned on any controls. You're just seeing [00:07:00] how everything works already. You give everybody that same access already before you start locking things down, so that it isn't disruptive, because you can easily see how things are before you turn on any lockdowns at that point.
Love that. It makes sense. There are a lot of other models out there too. And I know in the book you talk about some of the zero trust maturity models, the ZTA models that are out there from NIST and from CISA. Let's talk about those for a minute, and how people can also, it can be worrisome, it can be confusing.
What should they think about the models that are out there and how you work inside those models?
Yeah, the two most common and most popular, I would say, are CISA and NIST. The difference, I would say, between them is the CISA version is a lot more geared towards an executive-level kind of conversation.
Really aligned with the CXO level, like how this book is aligned with the CXO level, where we have our architect's book as well. That's way more granular and in depth, and that's what the NIST [00:08:00] does. NIST, I'd say, the SP, the Special Publication 800-207, is way more on the how-to; it's more of an implementation guide, like what have you got to do, just like our architect's guide is way more on implementation. It's the
eye level. The best way I describe it depends on who I'm speaking to. If I'm speaking to a CIO, I'm going to point them to CISA. If I'm speaking to a network director or something along those lines, I'm going to send them to the NIST. And me personally, I love the NIST 800-207, because
I actually was a contributor to that book, at least the first revision. I know they've had another revision since then, but I met with the team that wrote that on several occasions and helped write that one. But again, it's way more in depth. That's more like our architect's book.
I think the overview that you provide in this book too can help people get their heads around what they're going to get into as they look at those other models and those other guides, those books.
Talk about business value. None of them are specific to healthcare, so we're not talking about the patient or [00:09:00] clinician experience; like, they have to be written in a way that anybody can consume. Our book is way more focused for our healthcare users, of course.
Yeah, love it.
I want to go back to talking about identity again for a minute. Some users in a healthcare organization are more risky than other users, from the perspective of, if they wind up being phished or breached, or they fall into a trap. How does Zero Trust play into that?
Whether it's high level executives or IT administrators who have a lot more access. How do you guys help with that?
Yeah, I think again, once we understand that identity and we're seeing how everything's communicating, it also includes the applications at the back end. What is critical, what applications are in use that you may not even have realized are a critical function.
Those things, we're giving you that visibility. Those are the first things that we start locking down, quote unquote, meaning we're not removing access for things. We're just making it so that's all allowed [00:10:00] access. Those high-risk users are typically the first ones to go in that. It also makes it easier to roll out later for future folks as well, because if you're taking care of the high-risk folks like your
IT team, they're going to be able to find anything that you may have misconfigured much quicker. I should say other types of immediate-risk users that we talk about are the ones coming in externally. That's usually one of the earlier things that we should be taking care of. So those are the remote users, whether that, again, we talked about radiologists before, but any remote user.
There are a ton of remote users in our workforce nowadays, as well as third-party contractors and third-party access. So we talked about researchers, but it's not just researchers, it's vendor contractors and all sorts of other third parties that we want to start securing, and doing it in a way where, again, we can publish a portal, do a cloud browser, whatever it is, where you don't have to manage them, you don't have to have them maintain a VPN, you don't have to have them do anything like that, and we'll give them that secure access.
Which has actually led [00:11:00] to, very healthcare-specific, when we think about Community Connect, that has been another thing that has been an early adopter. So one of our large health systems out there actually has started expanding their footprint with us, because they realized Community Connect was revenue-generating for them, and because we made that access very fast, very simple, and very easy for both sides of the house, and more secure, it made it another revenue generation option that was a very quick win that they could start adopting as well. When you think about, you know, some of the early adopters, because Community Connect is another high-risk thing that we want to start taking care of very quickly, since we're granting pretty big access into our environment with very few security controls, since we can't manage them.
Yeah, Epic Community Connect is one of those things that I think we're going to see more and more of over time. Bigger health systems offering those services, those kinds of services, not just Epic Community Connect, but we also see them [00:12:00] connecting lots of other core services at the main hospital or the main health system back to those smaller facilities.
So that's really starting to provide security
as a service, right? They're selling security, and this is, again, because you don't have to backhaul them through your security platform; the security is everywhere, right? So the security follows the users, no matter where they're at, with us.
Basically, they're going through our security stack, which we're hosting for you as SaaS, right? So it makes it so much easier for you to also provide it for your own customers, if you want to sell that as part of your programs too. That is becoming popular.
Such a great conversation.
I'm really glad you joined me today. This has been a lot of fun. We still have more episodes coming. This was episode five in our zero trust series. If you're a listener, don't miss your chance to get a signed copy of the book at HIMSS, along with the other book in the series,
The Architect's Approach. That book is targeted more to your team. And if you want instant access, download the book now. We'll put a link in the video description. You'll be able to click on that and get [00:13:00] a copy of the book right away. We've got one more episode in this series. We have an upcoming webinar on March 27th.
So there's a whole lot more left to explore. If you want to register for the webinar, check it out at thisweekout.com slash zero trust. You can get registered there. We'll make sure that you are in. Thanks again, Tamer, for being here. I really do appreciate your time.
Yeah, thanks, Drex, for having me.