Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

3 min read

White House finalizes its Federal Zero Trust Strategy

White House finalizes its Federal Zero Trust Strategy

On January 26, 2022, the U.S. White House released a new memorandum that finalizes its Federal Zero Trust Strategy.

After several recent high-profile data breaches over the past few years, the U.S. government has taken an offensive position against cyberattacks. And this includes using a zero trust approach to cyber threats. In short, zero trust means trust no one automatically; consider everyone a potential threat.

At Paubox, we agree and welcome the concept of zero trust, especially when it comes to email security (i.e., HIPAA compliant email).

RELATED: HIPAA stands for . . .

For critical infrastructure, like healthcare, it is vital to strongly safeguard personally identifiable information (PII) and protected health information (PHI).

 

What is zero trust security?

 

Zero trust security assumes that anyone that tries to access a network is a possible threat. It contrasts with traditional security frameworks that largely rely on perimeter defenses such as a firewall. In reality, perimeter defenses rarely cover every endpoint or attack surface.

SEE ALSO: What is a threat vector and why is it important to define

And why, in conjunction with other needed defense mechanisms, zero trust inhibits attacks inside and outside a network.

As an IT security framework, zero trust requires strict identity verification for every person and every device accessing private resources. The core principles are:

 

 

In fact, zero trust makes people or devices validate their identity multiple times. And even after confirmation, they will more than likely still not have full, unmonitored access.

 

The Federal Zero Trust Strategy

 

In March 2021, the White House began exploring stricter cybersecurity approaches given what some experts labeled a ransomware epidemic.

RELATED: What is ransomware and how to protect against it

Then in May, the U.S. government released an executive order, Improving the Nation’s Cybersecurity, outlining its zero trust approach. And in September, the Office of Management and Budget released a draft, opening its strategy up to public comment.

The government based the draft on the Cybersecurity and Infrastructure Agency’s (CISA) Zero Trust Maturity Model. In summary, the model directs organizations to:

 

  • Institute enterprise-wide MFA
  • Inventory all devices
  • Encrypt networks
  • Treat all applications as internet-connected
  • Improve data monitoring

 

According to CISA director Jen Easterly, zero trust is necessary to strengthen cyber defenses. Finally, the January memorandum officially disseminated the federal strategy, stating:

This strategy sets a new baseline for access controls across the Government that prioritizes defense against sophisticated phishing, and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied.

SEE ALSO: What is an email phishing attack?

It requires all federal agencies to adopt its zero trust goals by the start of fiscal year 2024.

 

Zero trust in healthcare

 

Given the benefits of zero trust, all organizations that work with PII or play a critical social role should implement the approach. Especially the healthcare industry, currently lagging when it comes to implementing cyber defense strategies.

SEE ALSO: What you don’t know about cybersecurity can put your business at risk

A zero trust strategy strengthens a healthcare organization’s security by limiting access to PHI. And it helps healthcare providers demonstrate HIPAA compliance and avoid HIPAA violations. Especially as the healthcare industry expands and increases its digital perimeters and access points and therefore increases its vulnerability as well.

RELATED: Smart device security needs higher priority in healthcare

The more access points, the harder it can be to manage and protect a network and PHI.

This is where zero trust comes in, shifting healthcare away from what the U.S. Department of Health and Human Services calls its current “castle-and-moat approach.”

A zero trust framework would provide healthcare organizations better control over who receives, sends, and views PHI. If a threat actor gets ahold of credentials, it is unlikely that they can move deeper into a system. The zero trust barriers prevent further access letting healthcare providers focus on patient care.

 

Zero trust with Paubox Email Suite Plus

 

One simple way to incorporate the zero trust framework into your healthcare organization is by leveraging a HIPAA compliant email solution that contains a zero trust feature, like Paubox Email Suite Plus.

SEE ALSO: Why America needs zero trust email

Our HITRUST CSF certification solution includes our patent-pending Zero Trust Email. Its focus: MFA for inbound email.

Malicious messages are quarantined for further review where we require another layer of verification before delivering an email. In other words, we ask for additional evidence from a sender’s mail server before an email passes inbound security checks.

Zero Trust Email, along with other features of Paubox Email Suite Plus, creates strong inbound security to prevent threats like phishing from entering an inbox. Moreover, we encrypt all outbound email directly from an existing email platform (e.g., Microsoft 365 or Google Workspace), requiring no change in email behavior.

In other words, Paubox Email Suite Plus allows healthcare organizations to send and receive HIPAA compliant email securely. Something especially needed given the rise of cyberattacks.

 

Try Paubox Email Suite Plus for FREE today.

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.