Extending IAM and Zero Trust to All Administrative Accounts

Healthcare is full of legacy systems, such as diagnostic and lab tools installed 25 years ago that remain in use without hope for a software upgrade. IAM products have steadily advanced to address these challenges, and they have new ways to keep admin usernames and passwords out of the hands of ordinary users. For example, with credential injection, the IAM system pushes the credentials when they are needed during an interactive session, so the user never sees them. Just-in-time accounts — in which the IAM creates or enables an admin account only when needed, then disables the account as soon as the user’s task is completed — are another example. Healthcare IT teams should re-evaluate whether the needle has moved on all legacy systems and apps.
2. Use Translators to Link IAM and Identity Providers

IAM’s tools for authentication and authorization have become sophisticated and web-based, but large areas of healthcare IT still depend on older protocols. Now is the time to bridge these worlds using protocol translators for LDAP, RADIUS, TACACS and SAML, especially when it comes to admin access. If zero trust has so far focused mainly on modern systems, bringing entire silos of older technology under IAM with protocol bridges will dramatically reduce security exposure.
3. Write a PAM Policy for Out-of-Band Systems

There will never be 100% coverage for PAM, despite what some IAM vendors may claim, making it essential to create policies that explicitly address systems outside PAM’s scope. By identifying required compensating controls, password change requirements, logging and monitoring protocols, and network and firewall segmentation rules for these types of systems, IT teams gain clear guidance on how to manage these systems effectively. Meanwhile, security teams can be confident that everyone is doing their best to support zero trust.
4. Use Logs and Audits to Ensure Nothing Slips Through the Cracks

Security information and event management systems should be configured to monitor IAM blind spots, matching actual access events against IAM/PAM logs to ensure that no one is logging in outside of the IAM/PAM framework. This is a great opportunity for healthcare IT teams to begin experimenting with artificial intelligence, using AI-based anomaly detection and automated auditing to quickly flag unexpected access.
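The reconciliation described above, as an added example that is not from the article or any vendor product: it joins host-side successful admin logins against PAM session records and flags any login on a PAM-managed host that has no PAM session opened shortly before it. Hosts listed as out of scope (the policy case from item 3) are skipped rather than flagged. The log lines, field names, host names and the five-minute matching window are all constructed for the demo.

```python
"""Flag admin logins that bypassed the IAM/PAM framework.

Added example, not from the original article. Two constructed inputs:
host authentication events and PAM session records, both as simple
timestamp + key=value lines. A successful login on a PAM-managed host is
"covered" if a PAM session for the same host and account started within
WINDOW before the login; everything else is reported as out-of-band.
"""
from datetime import datetime, timedelta

# Constructed sample: successful/failed interactive logins reported by hosts
AUTH_EVENTS = """\
2024-05-01T08:02:11Z host=lab-lis-01 user=admin src=10.20.1.15 result=success
2024-05-01T08:40:03Z host=pacs-db-02 user=root src=10.20.1.99 result=success
2024-05-01T09:15:47Z host=lab-lis-01 user=svc_backup src=10.20.1.15 result=success
2024-05-01T10:02:30Z host=pacs-db-02 user=root src=10.20.5.7 result=failure
2024-05-01T11:30:00Z host=ultrasound-legacy-07 user=admin src=10.20.9.4 result=success
"""

# Constructed sample: sessions brokered by the PAM system (credential injection
# or just-in-time account) for the same day
PAM_SESSIONS = """\
2024-05-01T08:01:55Z target=lab-lis-01 account=admin requester=jdoe session=S1001
2024-05-01T09:15:20Z target=lab-lis-01 account=svc_backup requester=backupjob session=S1002
"""

# Hosts that policy says must be reached through PAM. ultrasound-legacy-07 is
# deliberately absent: it is an out-of-band system covered by compensating
# controls, so its logins are not treated as PAM violations here.
MANAGED_HOSTS = {"lab-lis-01", "pacs-db-02"}

# How long before a login a PAM session may have started and still "explain" it
WINDOW = timedelta(minutes=5)


def parse_kv_lines(text):
    """Parse 'TIMESTAMP k=v k=v ...' lines into dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def find_out_of_band_logins(auth_text, pam_text, managed_hosts=MANAGED_HOSTS,
                            window=WINDOW):
    """Return successful logins on managed hosts with no matching PAM session."""
    sessions = parse_kv_lines(pam_text)
    flagged = []
    for event in parse_kv_lines(auth_text):
        # Only successful interactive logins on PAM-managed hosts are in scope
        if event.get("result") != "success" or event.get("host") not in managed_hosts:
            continue
        covered = any(
            s.get("target") == event["host"]
            and s.get("account") == event["user"]
            and timedelta(0) <= event["ts"] - s["ts"] <= window
            for s in sessions
        )
        if not covered:
            flagged.append(event)
    return flagged


if __name__ == "__main__":
    for ev in find_out_of_band_logins(AUTH_EVENTS, PAM_SESSIONS):
        print(f"OUT-OF-BAND LOGIN {ev['ts'].isoformat()} host={ev['host']} "
              f"user={ev['user']} src={ev['src']}")
```

Run against the sample, the root login on pacs-db-02 at 08:40 is the only finding: the two lab-lis-01 logins are each preceded by a PAM session within the window, and the legacy ultrasound host is out of scope by policy. In a real SIEM the same join is expressed as a correlation rule over the authentication and PAM log sources, with the window and host list maintained alongside the out-of-band policy from item 3.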