Case Study: High security architecture for healthcare networks
Sara Shuman
Cyber attacks against the healthcare industry continue to rise. The recent cautionary tale of the University of Vermont Health Network’s ransomware scare is but one example of how attackers are ramping up to steal data and disrupt services. Hospitals are working to fortify their defenses to keep one step ahead of the bad guys.
Even long-time users of Secret Server are adding controls and updating their IT environments to increase security. We recently worked with one of the largest hospitals in Canada to enhance their Privileged Access Management strategy as they adopted a new, high-security architecture. Their story is an example for other healthcare systems to follow.
Domain admin behavior increases the risk of Pass-the-Hash attacks
The hospital system realized they needed to shore up their defenses when routine penetration tests flagged IT operations practices that could allow attackers to capture privileged passwords.
When domain administrators were troubleshooting technical issues, the way they connected and logged into systems opened the door to Pass-the-Hash attacks. Interactive logons such as RDP or RunAs to lower-trust endpoints left NTLM password hashes (and Kerberos tickets) cached in LSASS memory on those endpoints. An attacker who compromised one of those machines could dump that memory and replay the hash directly to authenticate elsewhere as a domain administrator, with no need to recover the cleartext password at all.
We needed to create a solution where domain administrators didn’t know the passwords
“That finding drove us to make some changes before we had a problem,” explains their systems analyst. “We needed to create a solution where domain administrators didn’t know the passwords at all.”
Microsoft’s tiered model fortifies hospitals’ defenses
The hospital system’s security team decided to implement Microsoft’s tiered administration model together with Privileged Access Workstations (PAWs). A PAW is a dedicated, hardened workstation from which sensitive accounts operate, isolated from email, web browsing, and other internet-exposed activity that could compromise them. The model is achievable for most organizations and substantially raises the bar for an attacker trying to capture administrative credentials.
In a PAW model, administrative tools and applications for critical functions run on the privileged workstation, and all other work is done from a standard user workstation. In a simultaneous-use scenario a single physical machine serves both purposes: the hardware boots a single PAW operating system locally, and the user’s everyday applications run in a remote desktop session, so productivity software never executes on the privileged OS itself.
Privileged accounts and the systems they manage are organized into tiers. In the hospital’s example, domain admins are Tier 0, sysadmins are Tier 1, and users and developers are Tier 2. The rule that makes the tiers meaningful is that a credential is only ever used on systems of its own tier: a Tier 0 account never logs on to a Tier 1 server or a Tier 2 workstation, so its hash is never left behind on a machine an attacker is likely to reach first.
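The following is an added example, not code from the original article or from Secret Server: it shows how the Pass-the-Hash finding above can be turned into a check against the tier model. It takes a constructed tier inventory (account names, host names and tier numbers are all assumptions) and constructed Windows Security 4624 logon events flattened to key=value lines, and flags any logon type that caches credentials on the target host where the account's tier does not match the host's tier. The dangerous direction is a Tier 0 credential landing on a Tier 1 or Tier 2 host, which is exactly the exposure the hospital's pen test found.

```python
"""Audit Windows 4624 logon events against a tiered-administration model.

Added example. The tier assignments, host names and log lines below are
constructed for illustration; they are not from the hospital or Secret Server.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory. Lower tier number = higher trust (Tier 0 is most sensitive).
ACCOUNT_TIER = {
    "da-jsmith": 0,   # domain admin (Tier 0)
    "sa-mlee": 1,     # server sysadmin (Tier 1)
    "jdoe": 2,        # standard user (Tier 2)
    "dev-akhan": 2,   # developer (Tier 2)
}
HOST_TIER = {
    "DC01": 0, "PAW-T0-01": 0,
    "APP-SRV-12": 1, "PAW-T1-03": 1,
    "WS-RAD-07": 2, "WS-ER-22": 2,
}

# Logon types whose credentials are cached by LSASS on the target host and can be
# replayed (Pass-the-Hash / Pass-the-Ticket). A network logon (type 3) leaves nothing
# reusable behind. Caveat: RDP in Restricted Admin mode is type 10 but does not cache
# credentials; this simplified check treats every type-10 logon as caching.
CACHING_LOGON_TYPES = {2, 4, 5, 7, 9, 10, 11}

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse a flattened 'key=value' export of a Security 4624 event."""
    fields = dict(KV.findall(line))
    fields["LogonType"] = int(fields["LogonType"])
    return fields


@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    logon_type: int
    severity: str
    reason: str


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding when a logon violates the tier model, else None."""
    acct, host, lt = ev["TargetUserName"], ev["Computer"], ev["LogonType"]
    a_tier = ACCOUNT_TIER.get(acct)
    h_tier = HOST_TIER.get(host)
    if a_tier is None or h_tier is None:
        # An unclassified account or host is itself a gap in the tier model.
        return Finding(acct, host, lt, "medium", "account or host not in tier inventory")
    if lt not in CACHING_LOGON_TYPES:
        return None  # nothing reusable is left on the target
    if a_tier == h_tier:
        return None  # same-tier logon: what the model allows
    if a_tier < h_tier:
        return Finding(acct, host, lt, "high",
                       f"Tier {a_tier} credential cached on Tier {h_tier} host (Pass-the-Hash exposure)")
    return Finding(acct, host, lt, "low",
                   f"Tier {a_tier} account logged on to more-trusted Tier {h_tier} host")


def audit(lines) -> List[Finding]:
    """Run check_event over every non-empty line and keep only the violations."""
    findings = [check_event(parse_event(line)) for line in lines if line.strip()]
    return [f for f in findings if f is not None]


# Constructed sample export (not real hospital data).
SAMPLE_LOG = """\
EventID=4624 Computer=WS-RAD-07 TargetUserName=da-jsmith LogonType=10 IpAddress=10.20.1.15
EventID=4624 Computer=DC01 TargetUserName=da-jsmith LogonType=10 IpAddress=10.0.0.50
EventID=4624 Computer=APP-SRV-12 TargetUserName=da-jsmith LogonType=3 IpAddress=10.0.0.50
EventID=4624 Computer=APP-SRV-12 TargetUserName=sa-mlee LogonType=2 IpAddress=-
EventID=4624 Computer=WS-ER-22 TargetUserName=jdoe LogonType=2 IpAddress=-
EventID=4624 Computer=APP-SRV-12 TargetUserName=jdoe LogonType=10 IpAddress=10.20.1.40
EventID=4624 Computer=FILE-SRV-99 TargetUserName=sa-mlee LogonType=10 IpAddress=10.0.1.7
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.account} -> {f.host} (type {f.logon_type}): {f.reason}")
```

Run against the sample, the domain admin's RDP session to the Tier 2 radiology workstation is the one high-severity hit; the same admin's type 3 network logon to an application server is not flagged, because a network logon does not cache the credential on the target. That distinction is why Microsoft's guidance allows remote management from a PAW over network protocols while forbidding interactive logons down the tiers.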
Secret Server complements the high-security tiering model
The high-security requirements of the PAW model called for Secret Server's Distributed Engines, a Windows service that handles back-end work such as password changing, heartbeat, and Discovery. The team deployed one Distributed Engine for the Tier 0 systems and another for Tier 1, so that credential operations for each tier stay within that tier's boundary. Sessions are launched through an encrypted RDP tunnel, so traffic moves securely between tiers without users having to remember, type, or even see the passwords.
The enterprise-scale architecture has also improved Secret Server's performance. Previously, the hospital's web servers handled both the web interface and login experience and the password-management work itself. With Distributed Engines in place, the web servers are focused only on the front end, including login and the web interface, while the engines take on password changing and other back-end jobs. Logins and processing are faster, and bulk password changes across a tier run through a single Distributed Engine.
With the high-security architecture and best-in-class PAM solution, the hospital now clears penetration tests for password vulnerabilities with flying colors and has fortified its security against cyber attacks.
“The pen tests made it very clear to them that there was a problem, so their awareness was high,” says the systems analyst. “But they didn’t really understand what each component does. Now, I show them the security design and they get it immediately. They see the tiering model and they see Secret Server right in there. A picture is worth a thousand words.”
What does cybersecurity like this cost? Not as much as you think