Look Before You Leap! Network Access Control and Network Segmentation (NAC/NS)
June 2017
Look Before You Lead Network Access Control / Network Segmentation (NAC/NS)
What You’ll Learn Today
Agenda

Introductions
• Who Are We?
Presenters: Kurt Griggs, Mayo Clinic; Jim Bearce, Deloitte & Touche, LLP

NAC/NS Business & Internal Audit Perspectives
• What is Network Segmentation & Network Access Control
• Why Is NAC/NS Important
• Understand & Assess
• Plan, Prepare & Monitor
Presenters: Kurt Griggs, Mayo Clinic; Jim Bearce, Deloitte & Touche, LLP

NAC/NS Planning
• Success Requires Detailed Planning
Presenters: Shane Swanson, Deloitte & Touche, LLP; Shawn Riley, State of North Dakota

Regulatory & Cybersecurity Considerations
• Business Characterization
• NAC/NS Security Considerations
• Cybersecurity Framework
Presenters: Shane Swanson, Deloitte & Touche, LLP; Jim Bearce, Deloitte & Touche, LLP; Shawn Riley, State of North Dakota

Questions & Answers
Our Team
Collaboration At Its Best
Mayo Clinic
• Kurt A. Griggs, IT Audit Manager
State of North Dakota
• Shawn Riley, Chief Information Officer
Deloitte & Touche, LLP
• Jim Bearce, Sr. Manager
• Shane Swanson, Specialist Master
A Meeting of the Minds
NAC / NS Business Perspective
What is NAC & NS? Why is it Important?
Network Segmentation (NS)
The splitting of a computer network into many “sub networks” known as segments.
Segmenting allows organizations to group applications and like data together (e.g., clinical, education, research, admin).
Segmenting your network allows you to limit the range of access provided to an insider, partner, or a third party.
Network Access Control (NAC)
A method to enhance security of a network.
Enables you to restrict the availability of network resources.
Permitted endpoint devices must comply with a defined security policy.
Benefits
Reduces Congestion
Improves Security
Allows You To Contain Network Problems
Helps You Restrict Access
Healthcare providers face unique challenges:
Cybersecurity Challenges:
• Cyber security threats (Hacktivists, Nation-State, Criminal Organizations)
• Patient and employee privacy (PII / PHI)
• Risky medical devices (Connected Medical Devices)
Regulatory Challenges:
• Strict privacy laws and guidelines:
− Health Insurance Portability and Accountability Act (HIPAA)
− Payment Card Industry Data Security Standard (PCI DSS) Enhanced security
Innovation Challenge:
• Organizations must find new ways to secure and protect:
− Patient medical, financial, and protected health information (PHI)
− Personally identifiable information (PII)
− Proprietary Information (Intellectual Property)
NAC / NS Internal Audit Perspective
Understand, Assess, Plan, and Monitor
Understand and Assess: Identifying and understanding NAC/NS Clinical, Business and Organizational Drivers
Clinical Drivers
• Patient Safety • Patient Privacy • Innovation
Business Drivers
• Interdependencies • Innovation • Efficiency
Organizational Drivers (Leadership, IT, Non-IT, IS)
NAC/NS
• Stakeholder Engagement • Goals & Objectives • Pre-Assessment • Design • Implementation
Plan, Prepare, and Monitor
Detailed Plan of Attack
• Define Security Objectives
• Low Level Design (Comprehensive & Updated Continuously)
• Pilot Testing Using Test Environments
• Detailed Implementation Plan with Interim Milestone Validations
Operational Readiness
• Resources
• Management of Device Types
• Third Party Collaboration
• Training
Monitor & Report (During and After)
• Implementation Milestones
• Testing Results
• Quality Goals
• Key Performance Indicators
NAC/NS Planning
Success Requires Detailed Planning
NAC Planning
Network Access Control looks easy, it smells easy, well… it is NOT easy.
Considerations when planning
Fully understand where you are going to implement
• Diversity of health environments is huge
You will need a complete, accurate inventory
• Do you KNOW where your systems are right now?
Put extra effort into your profiles
• And test them, and test them some more
• Know the characteristics of profiles up front
Understand the use cases
Know ALL of the onboarding processes
• Both current and future state
Expect to put in extra time on certificates & Public Key Infrastructure (PKI)
• Process, process, process
You will never be done – operational tail is long
Technology is easy; people and process are hard.
Given the maturity of network access control solutions, many healthcare IT leaders underestimate the complexities of implementation.
Look Before You Lead Network Access Control / Network Segmentation (NAC/NS)
Complete Asset
Inventory
Develop Use Cases
Onboarding Processes
PKI & Certificates
NAC Planning Success Requires Detailed Planning Given the maturity of network access control solutions, many healthcare IT leaders under estimate the complexities of implementation.
8
What Assets / Devices / Applications
What Facilities / Regions and Segments
Define Use Cases (etc., Med. Devices, PHI)
Device / User Profiles
Process for Onboarding New Users / Devices
Authentication of Users / Devices
Putting the pieces of the Network Access Control puzzle together requires a great deal of thought!
Look Before You Lead Network Access Control / Network Segmentation (NAC/NS)
NS Planning
Network Segmentation looks hard, it smells hard, and you guessed it… it is harder than that.
Considerations when planning
You need to know EVERYTHING that happens on the network
• Every thread, every packet
Typically your customer knows NOTHING that happens on the network
• The customer, and even the vendors rarely know how their applications communicate
You will be tempted to overdo the segments
• If you build one, you will feel like you need thousands
Stakeholders and workflows are critical to success
Some people will think segmentation is a silver bullet
Find a partner – one that can demonstrate previous success
Network Segmentation has great potential to increase security while significantly lowering the operational expenditures over models like “zero trust in the data center.” Planning for segmentation is complicated and requires considerable depth.
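To make "know EVERYTHING that happens on the network" concrete, the following added Python example (not from the slide deck or its presenters) takes a sample of flow records such as a NetFlow/IPFIX collector exports, maps each endpoint to a proposed segment, builds the segment-to-segment communication matrix, and lists every observed flow that a draft inter-segment policy would block. The segment CIDRs, the policy rules, the port-to-application labels in the comments and the flow records are all constructed for illustration; the same approach runs over a real export once the asset inventory maps addresses to segments.

```python
"""Segmentation planning from flow records.

Added example (not from the original slide deck): given flow records such as
a NetFlow/IPFIX collector would export, map each endpoint to a proposed
segment, build the segment-to-segment communication matrix, and list every
observed flow a draft inter-segment policy would deny. The flows, CIDR
ranges, segment names and policy below are constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed segment plan: segment name -> CIDR ranges it will contain.
SEGMENTS = {
    "clinical": ["10.10.0.0/16"],
    "med-devices": ["10.20.0.0/16"],
    "admin": ["10.30.0.0/16"],
    "research": ["10.40.0.0/16"],
}

# Constructed draft policy: (src segment, dst segment) -> allowed (proto, dst_port).
# Anything not listed is denied between segments; traffic inside a segment is allowed.
POLICY = {
    ("clinical", "med-devices"): {("tcp", 104)},   # DICOM to an imaging modality
    ("med-devices", "clinical"): {("tcp", 2575)},  # HL7 results to the EHR interface
    ("admin", "clinical"): {("tcp", 443)},
    ("admin", "med-devices"): {("tcp", 443)},
}

# Constructed flow sample (not real traffic): src_ip,dst_ip,proto,dst_port,bytes
FLOW_CSV = """src_ip,dst_ip,proto,dst_port,bytes
10.10.5.20,10.20.7.9,tcp,104,5200000
10.20.7.9,10.10.5.20,tcp,2575,12000
10.20.7.9,10.10.9.40,tcp,445,300000
10.30.1.15,10.20.7.9,tcp,443,4000
10.30.1.15,10.20.7.9,tcp,22,9000
10.40.2.2,10.10.5.20,tcp,5432,80000
10.10.5.20,10.10.5.21,tcp,1521,600000
192.168.77.4,10.20.7.9,tcp,104,70000
"""


def load_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "proto": row["proto"].lower(),
            "dst_port": int(row["dst_port"]),
            "bytes": int(row["bytes"]),
        })
    return rows


def classify(ip, segments):
    """Return the segment an address falls into, or 'unclassified'.

    Unclassified endpoints are themselves a finding: they are gaps in the
    asset inventory that must be resolved before enforcement starts.
    """
    addr = ipaddress.ip_address(ip)
    for name, cidrs in segments.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "unclassified"


def build_matrix(flows, segments):
    """Segment pair -> {(proto, port): [flow_count, total_bytes]}.

    This is the communication matrix the slide says customers and vendors
    rarely have; it also shows how few segment pairs actually need rules.
    """
    matrix = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for f in flows:
        pair = (classify(f["src_ip"], segments), classify(f["dst_ip"], segments))
        cell = matrix[pair][(f["proto"], f["dst_port"])]
        cell[0] += 1
        cell[1] += f["bytes"]
    return matrix


def find_breaking_flows(flows, segments, policy):
    """Observed inter-segment flows the draft policy would deny.

    Each entry carries the segment pair and service so the planner can decide
    whether to add a rule, move the endpoint, or accept the break.
    """
    breaking = []
    for f in flows:
        src = classify(f["src_ip"], segments)
        dst = classify(f["dst_ip"], segments)
        if src == dst and src != "unclassified":
            continue  # intra-segment traffic is not filtered by this policy
        service = (f["proto"], f["dst_port"])
        if service not in policy.get((src, dst), set()):
            breaking.append({"src": src, "dst": dst, "service": service, **f})
    return breaking


if __name__ == "__main__":
    flows = load_flows(FLOW_CSV)
    for pair, services in sorted(build_matrix(flows, SEGMENTS).items()):
        print(pair, dict(services))
    for b in find_breaking_flows(flows, SEGMENTS, POLICY):
        print("WOULD BREAK:", b["src"], "->", b["dst"], b["service"], b["src_ip"], b["dst_ip"])
```

Running it prints the matrix and the flows that would break under the draft policy, one of them from an address the segment plan does not place anywhere at all; pilot the policy in a test environment against exactly this list before any enforcement change.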
Cybersecurity / Regulatory Considerations
Sensitive data to protect
Increasing expectations for the protection of sensitive information – including personally identifiable information (PII) for current and past employees, payment card data, sensitive financial information and customer information.
Evolving regulatory expectations that include new SEC guidelines requiring the disclosure of cyber breaches and numerous state breach reporting requirements.
Extended attack surface
As mobile, web-based applications and telematics are used to enhance customer service and drive operational efficiency, they also present new attack vectors that could be used by an adversary.
Many organizations may now be attractive targets for activists and nation-states.
Cybersecurity Considerations: Business Environment Characterization
As organizations grow through acquisition and evolve their services and/or products, the nature of cyber risk the organization faces continually changes.
Cybersecurity Considerations: NAC / NS Security Considerations
Network Access Control
Monitor mode can have a great value
• Inventory, identification
NAC is a physical control
• Value is different and needs to be weighed with a much sharper eye
Be aware of PKI requirements
• Enterprise PKI - for e-prescribing?
Device and User can be integrated together to create a solid Identity Management security approach
Network Segmentation
Very useful for managing specific pain point systems
• Win XP, specific medical devices
If done well, you will have a very secure environment
• Managed devices, managed users, managed protocols, and managed ports
Threat Landscape & Evolving Infrastructure
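The monitor-mode, PKI and Win XP points on this slide, as an added Python example that is not from the deck or its presenters: endpoint observations are matched against ordered device profiles the way a NAC policy engine would, once in monitor mode, where every endpoint is permitted but the decision enforcement would have taken is recorded, and once in enforce mode, where the matched VLAN is assigned or the endpoint is quarantined. The OUI table, profile predicates, VLAN names and endpoint records are all constructed; a real deployment would take the OUI table from the IEEE registry and its own asset inventory, and the certificate result from the RADIUS server's EAP-TLS outcome.

```python
"""NAC monitor mode as an inventory and profile-testing tool.

Added example, not from the original slide deck: evaluate endpoint
observations against device profiles the way a NAC policy engine would,
first in monitor mode (record what enforcement *would* do) and then in
enforce mode (assign a VLAN or quarantine). OUIs, profile rules, VLAN
names and endpoint records are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed OUI -> vendor class table (a real deployment uses the IEEE
# registry plus the organization's asset inventory).
OUI_CLASS = {
    "00:11:22": "medical-vendor",
    "00:33:44": "printer-vendor",
    "00:55:66": "workstation-vendor",
}

QUARANTINE_VLAN = "vlan-quarantine"


@dataclass
class Endpoint:
    mac: str
    auth: str                 # "eap-tls", "mab" (MAC authentication bypass) or "none"
    cert_valid: bool = False  # chain, expiry and revocation check on the client cert
    user: str = ""            # 802.1X identity; empty for device-only authentication
    fingerprint: str = ""     # DHCP/HTTP fingerprint reduced to a device-class string

    @property
    def vendor_class(self):
        return OUI_CLASS.get(self.mac[:8].lower(), "unknown-vendor")


# Profiles are tested in order; the first match wins. Each entry is
# (name, predicate, vlan). Writing the predicate down is what "know the
# characteristics of profiles up front" means in practice.
PROFILES = [
    ("managed-workstation",
     lambda e: e.auth == "eap-tls" and e.cert_valid and e.user != "",
     "vlan-clinical"),
    ("legacy-medical-device",
     lambda e: e.vendor_class == "medical-vendor" and "Windows XP" in e.fingerprint,
     "vlan-med-legacy"),  # dedicated segment for unpatchable systems
    ("medical-device",
     lambda e: e.auth == "mab" and e.vendor_class == "medical-vendor",
     "vlan-med-devices"),
    ("printer",
     lambda e: e.auth == "mab" and e.vendor_class == "printer-vendor",
     "vlan-printers"),
]


def match_profile(endpoint, profiles=PROFILES):
    """(profile_name, vlan) for the first matching profile, else (None, quarantine VLAN)."""
    for name, predicate, vlan in profiles:
        if predicate(endpoint):
            return name, vlan
    return None, QUARANTINE_VLAN


def evaluate(endpoint, mode="monitor", profiles=PROFILES):
    """Policy decision for one endpoint.

    monitor: permit on the port's default VLAN, but record what enforcement would do.
    enforce: apply the matched VLAN, or quarantine when no profile matches.
    """
    profile, vlan = match_profile(endpoint, profiles)
    outcome = "quarantine" if profile is None else f"assign {vlan}"
    decision = {"mac": endpoint.mac, "profile": profile, "target_vlan": vlan}
    if mode == "monitor":
        decision["action"] = "permit-default-vlan"
        decision["would_enforce"] = outcome
    elif mode == "enforce":
        decision["action"] = outcome
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return decision


def inventory(endpoints, profiles=PROFILES):
    """Monitor-mode output: how many endpoints each profile captures."""
    return Counter(match_profile(e, profiles)[0] or "UNPROFILED" for e in endpoints)


def enforcement_preview(endpoints, profiles=PROFILES):
    """Endpoints that would be quarantined if enforcement were switched on today."""
    return [e for e in endpoints if match_profile(e, profiles)[0] is None]


# Constructed observations, as a monitor-mode NAC log might record them.
SAMPLE = [
    Endpoint("00:55:66:aa:01:01", "eap-tls", cert_valid=True, user="jdoe", fingerprint="Windows 10"),
    Endpoint("00:55:66:aa:01:02", "eap-tls", cert_valid=False, user="asmith", fingerprint="Windows 10"),  # expired cert
    Endpoint("00:11:22:bb:02:01", "mab", fingerprint="VxWorks"),
    Endpoint("00:11:22:bb:02:02", "mab", fingerprint="Windows XP Embedded"),
    Endpoint("00:33:44:cc:03:01", "mab", fingerprint="Printer"),
    Endpoint("de:ad:be:ef:00:01", "none", fingerprint="Linux"),  # unknown laptop
]

if __name__ == "__main__":
    print("inventory:", dict(inventory(SAMPLE)))
    for e in enforcement_preview(SAMPLE):
        print("would quarantine:", evaluate(e, "monitor"))
```

The two endpoints the preview reports are the ones monitor mode exists to surface: a managed workstation whose certificate failed validation (the PKI work the planning slide warns about) and a device nobody inventoried. Profile order matters, so the Win XP device lands in its dedicated legacy segment before the generic medical-device rule can claim it.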
Cybersecurity Considerations: Cybersecurity Framework
A strong cyber risk framework aligned with industry standards, leading practices, and cyber risk principles can help organizations manage both cybersecurity risk and regulatory compliance risk.

Operating Model Components
• Governance & Oversight: the organizational structure, committees, and roles & responsibilities for managing cyber risk
• Policies & Standards: expectations for the management of cyber risks
• Risk Metrics & Dashboard: reports identifying risks and performance across cyber risk domains, communicated to multiple levels of management
• Management Processes: processes to manage risks in cyber risk management and cyber risk oversight
• Tools & Technology: tools and technology that support the risk management lifecycle and integration of risk with cyber risk domains

Business Objectives
• Compliance • Growth/Innovation • Brand Protection • Operational Efficiency • Risk-based Decision Making

Cyber Risk Domains
Secure
1. Risk & Compliance Management
2. Identity & Access Management
3. Data Protection & Management
4. Infrastructure Security
5. Application Security and Secure Development
6. Asset & Change Management
7. Third-party Risk Management
8. Physical & Environmental Security
Vigilant
9. Vulnerability Management
10. Threat Intelligence
11. Endpoint Monitoring
12. Cyber Security Operations
13. Predictive Cyber Analytics
14. Insider Threat Monitoring
Resilient
15. Crisis Management
16. Resiliency & Recovery
17. Cyber Simulations
18. Incident Response & Forensics
Q & A – THANK YOU!