The concept of zero trust, which entails treating everything as a resource and consistently authenticating and authorizing people and devices, is a universal goal. However, can zero trust be universally implemented across all industries in the same way? Are there variations that call for adjustments to the approach?
Christopher Kuhl, an enterprise architect at Wright-Patt Credit Union, has gained insight into this matter over the past decade. Before moving to the Ohio-based credit union, Kuhl served as CISO and CTO at Dayton Children’s Hospital, where he helped build its initial zero-trust architecture.
“While the basics of implementing zero trust are very similar, there are plenty of other issues that separate industries,” Kuhl explained. The key lies in understanding the different priorities, procedures, threats, and user requirements, as well as the data, applications, assets, and services that support the organizations.
Before diving into the variations of zero trust across industries, it’s worth pointing out where it’s similar, particularly in terms of handling compliance and industry regulations. For example, finance and healthcare are heavily regulated sectors yet can both apply zero trust in relatively similar ways despite the differing focus of regulations, according to Chris Hills, chief security strategist at BeyondTrust.
Similarly, when it comes to cyber threats, there are shared aspects with certain caveats. Across industries, stolen or compromised credentials remain the primary attack vector. However, the prevalence of specific threats may differ among industries. For example, healthcare organizations have faced relentless data breaches for consecutive years, according to the Identity Theft Resource Center. These breaches expose patient-related information such as medical history, condition, treatment, and diagnosis details, as well as medical insurance and provider accounts. The financial services industry follows closely, with 63% of financial institutions reporting an uptick in destructive attacks, VMware found. Furthermore, the manufacturing sector is currently identified as the most frequently targeted industry, an IBM report noted.
Different Industries, Different Drivers
In the healthcare industry, patient safety serves as the driving force behind every decision made. This prioritization of patient safety led to certain considerations taking precedence at Dayton Children’s Hospital, Kuhl said. For instance, the hospital routinely employs robots for brain surgery, and making sure that those devices wouldn’t compromise patient safety was paramount and took top priority.
The age and type of equipment used in different industries also influence the implementation of security measures. Manufacturers, for example, tend to use equipment and software for longer durations than industries like healthcare and financial services. This longevity exposes them to a higher risk of security issues. Many factories today still rely on Windows 98 in some capacity, Hills noted.
Hospitals also tend to have outdated devices that run on operating systems and software that are more susceptible to vulnerabilities. Although it’s sometimes feasible to patch those systems, there are instances where patching becomes impractical due to the age of the technology. There are other ways to protect the systems, typically by creating network segmentation – physical or logical security boundaries around different classes of devices – explained Andrew Rafla, a zero trust leader at Deloitte.
“If you create a logical boundary within the network, even if a device were to get compromised, the ability of the attacker to move laterally across the environment is very limited,” Rafla said. “That’s the goal in healthcare: You don’t want anybody to be able to hop from a compromised medical device into a system hosting sensitive patient information.”
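The effect of the logical boundary described above can be checked against an asset inventory before a policy is deployed. The following is an added example, not code from the article or from anyone quoted in it: the asset names, zone names and allow-list are constructed, and it assumes that assets in the same zone can reach each other and that every reachable asset could itself be taken over (the worst case).

```python
from collections import deque

# Constructed inventory: asset -> zone (illustrative names, not from the article).
ASSETS = {
    "iv-pump-12": "medical-devices",
    "patient-monitor-3": "medical-devices",
    "device-gateway": "clinical-integration",
    "ehr-db": "patient-data",
    "nurse-workstation": "clinical-workstations",
    "guest-kiosk": "guest",
}

# Default-deny zone policy: only these (source zone, destination zone) pairs may connect.
SEGMENTED = {
    ("medical-devices", "clinical-integration"),
    ("clinical-integration", "patient-data"),
    ("clinical-workstations", "patient-data"),
}

def flat_policy():
    """Unsegmented network: every zone may connect to every other zone."""
    zones = set(ASSETS.values())
    return {(a, b) for a in zones for b in zones}

def can_connect(policy, src, dst):
    """Assumption: traffic inside one zone is not filtered."""
    zs, zd = ASSETS[src], ASSETS[dst]
    return zs == zd or (zs, zd) in policy

def blast_radius(policy, compromised):
    """Breadth-first search over permitted connections.
    Returns {asset: minimum number of hops from the compromised asset}."""
    hops = {compromised: 0}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in ASSETS:
            if nxt not in hops and can_connect(policy, cur, nxt):
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    del hops[compromised]
    return hops

if __name__ == "__main__":
    for name, policy in (("flat", flat_policy()), ("segmented", SEGMENTED)):
        print(name, blast_radius(policy, "iv-pump-12"))
```

With the segmented policy the patient-data system is no longer directly reachable from the medical device; the one remaining path runs through the integration gateway, which is the place to concentrate hardening and monitoring.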
The way connected devices are proliferating in different verticals makes them a significant security consideration across the board, although there are differences among sectors. For example, the average hospital room now incorporates dozens of connected devices, such as monitors and IV pumps. Surprisingly, more than half of these devices have known critical vulnerabilities, according to healthcare IoT security provider Cynerio.
Similarly, the financial services industry relies on connected devices like closed-circuit cameras, security monitoring systems, and ATMs, all of which require network connectivity to function properly. Vulnerable devices can serve as a launchpad for attacks.
In the manufacturing industry, there has been a surge in connected devices. Modern interconnected environments make use of sensors attached to physical assets to collect and store data. These environments use analytics and machine learning to generate actionable insights, enhancing efficiency. However, the industrial internet of things (IIoT) can be vulnerable to cyberattacks and malware infections. A recent report by security vendor Otorio revealed that wireless IIoT vulnerabilities can provide hackers with a direct path to internal networks, bypassing the common protection layers in such environments.
All this doesn’t mean that companies always need entirely distinct technologies or approaches to secure connected devices. However, it does emphasize the importance of prioritizing the specific needs of the organization and its industry. It’s one of the reasons why Kuhl, for example, opted for Ordr’s connected device security designed for healthcare, rather than choosing a more generic option, he said.
Asking the Hard Questions
Ultimately, it comes down to this: While the fundamental processes of implementing zero trust may share similarities, the requirements of each organization and industry may demand different approaches. The key is to ask questions that will give you a thorough understanding of your assets.
“Every company, in every industry, has to understand what they are trying to protect: What assets they have? Where they are located? [How critical are] those assets? Who and what should be able to access those assets and under what conditions?” Rafla said. “Those are hard questions to answer, but it gives you the awareness of what you’re trying to protect so you can contrast it with the threat actors you’re facing.”
Considering all these varying factors should guide the program or organization toward specific actions required to address and mitigate those threats, Rafla explained.