Article

Cybersecurity Access Control: Framework Analysis in a Healthcare Institution

by Erik William Tomlinson 1, Wolday D. Abrha 2,*, Seong Dae Kim 2 and Salvador A. Ortega 1

1 Vanderbilt University Medical Center, Nashville, TN 37232, USA
2 Department of Engineering Management & Technology, University of Tennessee at Chattanooga, Chattanooga, TN 37403, USA
* Author to whom correspondence should be addressed.
J. Cybersecur. Priv. 2024, 4(3), 762-776; https://doi.org/10.3390/jcp4030035
Submission received: 3 June 2024 / Revised: 7 September 2024 / Accepted: 12 September 2024 / Published: 20 September 2024

Abstract
Cyber threats are continually evolving and becoming increasingly complex, affecting various industries. Healthcare institutions are the second most targeted industry, preceded by manufacturing. The industry is on the lookout for a reliable cybersecurity system. This research analyzed the feasibility and reality of implementing a Zero Trust Architecture (ZTA) framework within a large healthcare enterprise with a workforce within the range of 45 k to 50 k personnel. It utilizes a baseline concept centered on the widely used Perimeter-Based Security Model (PBSM) in production environments. The focus is on assessing the feasibility of transitioning from a PBSM to a ZTA framework and specifically aims to assess the effects of such a transition on security, control, cost-effectiveness, supportability, risk, operational aspects, and the extent to which ZTA is applicable across different applications. Company X was used as a case study and provided data for analysis in support engagements and host traffic telemetry values. Findings indicated that a PBSM remains effective in providing defense measures for an organization mainly when a significant financial incentive is involved. On the other hand, ZTA offers a more secure environment with a notable reduction in risk, albeit at an additional cost and with added support variables.

1. Introduction

This section presents an overview of the research by describing the motivation and background that initiated the study of cybersecurity and narrowing it down to the healthcare sector. The need to focus on this area follows from the literature and research gap described in the remaining subsections and continued through the later sections of the paper.

1.1. Background

Cyber threats continuously evolve, becoming increasingly advanced and adept at remaining undetected. Their frequency is rising, with statistics from 2023 indicating an average of 11.5 attacks occurring every minute across various industries [1]. Healthcare institutions experienced an average of more than 1463 cyberattacks per week, positioning the sector as the third most targeted industry [2]. The evolving cyber landscape has compelled healthcare institutions to adapt their cybersecurity strategy and defense posture. This adaptation has led the cybersecurity market to promote product solutions aligned with the Zero Trust Architecture (ZTA) framework. In essence, it is becoming a popular approach for building secure systems [3]. On the other hand, most institutions still utilize a perimeter-based security model (PBSM), with Gartner reporting only 1% of large organizations achieving a ZTA and trends predicting only a 9% increase in adoption by 2026 [4,5]. While some in the literature suggest that a PBSM is traditional and getting outdated [6,7], the main drivers pushing companies to adopt a ZTA are a shift toward remote access, the use of blended workforces such as contractors, vendors, and full-time/part-time employees, and the explosive growth in organizations’ adoption of hybrid infrastructure (i.e., cloud and on-premises IT systems).
Remote connectivity has shifted significantly since the start of the 2020 COVID-19 outbreak. The evolving model of the present-day workforce requires organizations to extend company intranet connectivity capabilities to a national and international scope, transitioning remote access services (i.e., VPN technologies) from significant to critical infrastructure. As of 2023, 40.9% of full-time employees work either from home or utilize a hybrid model, with the trend of remote workers expected to increase to 32.6 million Americans by 2025 [8].
Moreover, identity, permission management, and isolation of network access to company-compliant end-user systems have developed into a more complex focus with the increased use of blended workforces. The combination of dedicated staff, contractors, and vendors utilizing company intranets and IT systems with managed and unmanaged systems has compromised the PBSM’s effectiveness by introducing what has developed into a growing threat vector (e.g., trusted and untrusted assets inside the castle walls).
Cloud computing enables organizations to access computing resources, capabilities, and services without requiring a hardware footprint, internal support personnel, or extensive capital expenses. Nonetheless, it has also initiated the transfer of organizations’ essential services beyond the confines of on-premises data centers (DCs), aiming for cost-reduction strategies.
It is worth noting that Company X utilizes a PBSM architecture with various production components that align with the ZTA framework. It also utilizes a defense-in-depth architecture that applies role-based and identity-based access control at the infrastructure level. The cybersecurity defense capabilities are delivered through market-leading hardware-based solutions (e.g., Next-Generation Firewall [NGFW]) and cloud-based services (e.g., Software as a Service). However, as the case study for this research, Company X desires to find a reliable framework that mitigates cyberattacks while considering the cost–benefit analysis of investing in the chosen framework.

1.2. Problem Definition

The research aimed to assess the real-world need for and implementation of the ZTA cybersecurity framework in a United States-based healthcare enterprise employing a PBSM. It examines the implications for the organization, considering factors such as security, control, cost-effectiveness, supportability, risk, and operational aspects. The intent is to discern favorable and adverse impacts while objectively assessing the necessary and feasible degree of adoption of the ZTA framework solution.
ZTA and PBSM have demonstrated both benefits and drawbacks across various categories. Given that much of the information originates from vendors with vested interests, primarily driven by profit motives, organizations encounter the difficulty of discerning the most suitable solution that addresses present cybersecurity requirements and aligns effectively with their technology infrastructure.
Deploying a PBSM or ZTA solution within a large enterprise typically incurs costs ranging from thousands to millions of dollars. Both solutions involve an investment-based implementation with recurring annual costs and significant effort to achieve successful deployment. Transitioning or resetting to an alternative solution is exceptionally expensive, considering capital expenditures (CAPEXs) and operational expenditures (OPEXs). The importance of accurately pinpointing a viable solution within the cybersecurity architecture domain underscores the need to conduct additional research within the cybersecurity access control space (e.g., PBSM and ZTA).
Cultural and operational impacts are other variables that add complexity to the decision to adopt a ZTA. The PBSM grants a significant level of trust and access to internal resources, which is the antithesis of the principles that make up ZTA. The impact on the user experience resulting from the behavioral changes ZTA brings to an enterprise IT environment is conspicuous.

2. Materials and Methods

The research study adopts an exploratory research design, employing a balanced blend of qualitative and quantitative methodologies for research and analysis. The quantitative methodology established the practice of identifying patterns to validate or predict potential trends and producing values to validate specific outcomes [9]. The qualitative methodology facilitated the exploration of the human dimension by providing opportunities to acquire further insights from practical experience and current implementations of the frameworks under examination in the study [10]. Using a guiding framework original to the research project illustrated in Figure 1, the research objectives of both PBSM and ZTA concepts were examined based on the following core criteria: compliance, capabilities, impacts, and cost.
Each criterion sources information from strategically applicable data streams. The literature-based data stream yielded more relevant data for compliance and capabilities analysis. In this study, compliance analysis is overseen by the NIST Cybersecurity Framework (CSF) and NIST Special Publication (SP) 800-207, with enforcement mandated by regulations specified in the Health Insurance Portability and Accountability Act (HIPAA). Based on Gartner and Forrester’s research and advisory firm reports, capability analysis focuses on leading vendor solutions in the ZTA and PBSM spaces.
Technology solutions operating within Company X and assets based on vendor datasheets and product documentation contribute to capability analysis. Financial documentation and telemetry data streams produced the most accurate values utilized in qualitative analysis for impact and cost criteria. All criteria qualified for quantitative analysis through a survey-based data source, incorporating a synthesizing aspect across all data streams. The input from professionals across multiple sectors enriches the data by offering an unbiased, neutral, and realistic perspective on a market-driven concept (e.g., ZTA).

Materials

Data supporting compliance analysis and capabilities were obtained from peer-reviewed literature, business articles, concept papers, framework publications, product solution datasheets, and technical white papers. Compliance is governed through the HIPAA Security Rule, which, according to the Office for Civil Rights [11], establishes the national standards that protect electronic personal health information (PHI) through established compliance requirements that must be met to avoid financial penalties.
The HIPAA Security Rule compliance standards outline the requirements for medical institutions to ensure administrative, physical, and technical safeguards to maintain the cybersecurity “CIA triad”—Confidentiality, Integrity, and Availability. NIST remains the leading developer of cybersecurity frameworks and standards, with a global adoption rate of 48.7%. NIST SP 800-207 and NIST CSF offer the foundational concepts and elements that underpin the ZTA framework and guidelines relevant to both ZTA and PBSM. NIST 800-207 and NIST CSF define the scope and compliance criteria for a ZTA and PBSM architecture by outlining baseline guidelines and roadmaps.
Quantitative impact and cost analysis data were collected from diverse sources, encompassing support engagements, cost analysis, and network traffic values. Customer service, network security systems, and Information Technology Service Management (ITSM) systems internal to Company X provided data for analysis in support engagements and host traffic telemetry values. Furthermore, baseline cost values for analysis were derived from market value quote reports obtained through third-party VARs and IT support personnel within Company X.
Qualitative data stemmed from a probability list-based sampling internet survey published with authorization from the University of Tennessee at Chattanooga (UTC) Institutional Review Board (IRB) under approval number 24-030. The sample size was targeted at a volume of 10–20 respondents within a 90-day timeframe. Utilizing a list-based sampling frame due to the specialized domain of the study, the survey was distributed to sample members known to work professionally in the IT industry. Using a framed approach, the researcher established a 33% completion rate threshold, in line with the recognized average completion rate [12]. The completion rate was prioritized over the response rate because data from unfinished surveys were disqualified due to the correlated nature of the questions.

3. Results

The rising complexity and sophistication of cybersecurity threats, coupled with the widespread adoption of encryption, require cybersecurity solutions to operate more granularly, moving closer to the individual host and segmenting at the micro level. Although effective to some extent, a PBSM still leaves a gap that indicates trends of advancing exploitation. Among the top 10 healthcare institutions breached in 2023, affecting over 112 million individuals, none implemented a ZTA [13]. ZTA solutions emphasize mitigation and detection mechanisms at the host level, ensuring complete payload visibility (i.e., pre- and post-encryption), runtime-based detection, user authentication, and anomaly detection.
A phased approach to adopting a ZTA is recommended for enterprise-level organizations. ZTA comprises multiple components that can be deployed individually, allowing organizations to align their procurement strategy with their current financial capabilities. Moreover, phased implementation would enable the development of expertise among support personnel regarding the newly adopted solutions. Implementing a gradual approach enables the organization to harmonize the culture, centered on the open access of a PBSM, with the tenets of Zero Trust (ZT). The approach successfully introduces ZT cybersecurity measures at a pace manageable for the end-user population, thus minimizing the risk of adverse reactions.
Given the infancy and presently low adoption rate of ZTA, further research initiatives are recommended. The survey for this study indicated a 33% adoption rate by healthcare organizations of 5000 to over 10,000 employees. Given that this study was exploratory research, as more organizations move towards a ZTA, the increase in qualitative and quantitative data will be substantial. Additionally, the increasing number of ZTA/Secure Access Service Edge (SASE) solutions on the market will shift the capability and financial aspects of the data.
Further research incorporating data sources from regions beyond the southeast or even the United States would enhance the insights into adopting a ZTA and a PBSM. This extends to various industries. Initiating studies across different sectors and examining the implementation of PBSM and ZTA would introduce additional perspectives and potential extraneous data variables, thereby enriching the understanding of ZTA and PBSM in the healthcare industry. Finally, a supplementary study employing additional vendor solutions to introduce varied cost and capability parameters, or concentrating on contrasting a SASE deployment against a complete ZTA deployment, would provide an impartial and potential alternative recommendation to PBSM beyond solely ZTA.

4. Discussion

As highlighted above, the research focuses on the feasibility and realistic adoption of the ZTA framework within an enterprise-level medical center compared to the previously adopted industry standard PBSM. According to Sarraf [14], the number of organizations adopting the ZTA framework has tripled from 24% to 61% in 2023, with 35% planning to implement a zero-trust security initiative in 2024. However, Hackney [4] reports that only 1% of large enterprises have a mature and measurable ZTA program. Following the PBSM/ZTA analysis framework and adhering to the seven ZTA tenets outlined in NIST SP 800-207, an unbiased analysis is anticipated to generate results endorsing the hypothesis that the implementation of a ZTA leans towards a hybrid state. This hybrid approach incorporates elements of the PBSM, with tenet adoption showing varying degrees of compliance with the defined ZTA framework.

4.1. Capabilities, Risk, and Support

The PBSM framework is the most common model utilized, with 67% of survey respondents utilizing the PBSM castle-and-moat style topology, also commonly referred to as “Defense-in-Depth” (DiD) or “Layered Security”. DiD delineates trusted vs. untrusted assets based on the logical location in the network, physical controls, and administrative policy [15]. This study centers on the network dimension of the model, with segmentation implemented at a macro-segmentation level organized around security zones. The concentric circle diagram depicted in Figure 2 and tailored for this study illustrates the layers of a DiD. Figure 2 delineates the trusted and untrusted network segments, denoted by green and gray shading, respectively, with a protective or access barrier in orange separating them. The simplified model showcases the macro-segmentation facet of the PBSM framework capabilities and underscores the open architecture of the design.
Through this openness, PBSM offers decreased overhead and minimal impact on users and operations. Devices deployed within a trusted ring (e.g., the green ring) have unrestricted network access irrespective of the assigned numerical value (i.e., subnet or IP address) or medium type, such as Local Area Network (LAN) and Wireless Local Area Network (WLAN). These trust zone devices only confront access restrictions when traffic needs to pass through a defense barrier (e.g., the orange ring), such as a firewall, network device-enforced access control list (ACL), or proxy server. Most defense barriers necessitate a review and approval process, followed by manual implementation by an IT professional. Under a PBSM, Company X adheres to this review and manual implementation procedure, averaging 336 monthly engagements in 2023, as depicted in Figure 3.
According to the survey findings, PBSM operations encounter an average of 10 support tickets daily, with approximately 6.67 support hours devoted daily to managing policy changes. Furthermore, the survey indicates that after-hours support engagements average around 3.33 per week. Company X’s PBSM places defense barriers primarily between DC assets and the internet. The model facilitates most change requests to alter a host’s access to restricted assets or services within DCs (i.e., services with controlled or exclusive access). Core services (e.g., DNS, DHCP, Active Directory, etc.) and general internet traffic (e.g., SSL/TLS) are typically permitted by most organizations and fall outside the scope of change request volume, as illustrated in Figure 3.
Although PBSM demonstrates positive capabilities in operations, user experience, and administrative support, the model displays gaps in security and risk-reduction capabilities. Hosts within the same trust ring can, in essence, communicate with one another without restriction, whether or not that communication is desired. No defense barrier segment exists in a PBSM that segments the host at the micro level; the only defense barrier at this level is host-based. IEEE published the 802.1X-2020 standard in 2020, which enables access control capabilities at the switch port level (i.e., the layer immediately above the endpoint/system) [16].
Network Access Control (NAC) is the solution developed by IT vendors to automate enforcement of an authentication process that identifies a connecting host and applies the proper permissions. The NAC solution, however, is limited in scope to LAN and WLAN on-premises network segments and is deployed on a per Virtual Local Area Network (VLAN) basis. Most deployments utilize a clientless deployment option that leverages the 802.1X protocol, enabling an authentication service at the switch port or access point level. NAC enables a micro-segmentation capability within the PBSM architecture but scales poorly for Enterprise-of-Things (EoT) and is cumbersome to maintain [17]. Remote connectivity (i.e., SSVPN) is out of the scope of a NAC solution and typically leverages a one-time multi-factor user-prompted authentication method.
ZTA, which, according to the survey, has an adoption of 33% by respondents, shifts the deployment framework from a macro-segmentation application focusing on infrastructure-level solutions and instead places the deployment of solutions at the micro-segmentation level. Operating on the principle that no user or device on the network is inherently trusted, hosts are consistently challenged and monitored to ensure they are authorized and privileged to perform attempted actions or access [16]. NIST SP 800-207 outlines the ZTA with three core components, as shown in Figure 4: the Policy Engine (PE), the Policy Administrator (PA), and the Policy Enforcement Point (PEP).
The Policy Decision Point comprises the PE and the PA. The PE is responsible for determining whether to grant or restrict access to resources based on policy and additional information from other integrated sources. The PE partners with the PA, which completes the PE’s decision execution by signaling the command to the PEP. The PEP executes the command from the PA on the individual host and defense barrier (e.g., gateway) [18]. The PE utilizes policy-driven configuration values to determine the permissions eligible for a specific host. ZTA increases the level of granularity from PBSM to the utilization of additional security artifacts (i.e., IP address, username, MAC address, device ID, geographical location, etc.). The increased level of granularity over PBSM policies increases the risk of overhead associated with support elements and the implementation and development of these policies.
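To make the PE/PA/PEP flow above concrete, the following added example (not code from the paper or from NIST SP 800-207; all hosts, identities, policies and the 10.0.0.0/8 “trusted ring” are constructed) models a Policy Decision Point that evaluates each request against the artifacts listed above (username, IP address, MAC address, device ID, geolocation) and contrasts it with a perimeter decision that trusts by network location alone:

```python
# Toy model of the NIST SP 800-207 control plane: PE decides, PA relays, PEP enforces.
# Added example; every name, host and policy below is constructed for illustration.
import ipaddress
from dataclasses import dataclass

# Constructed context: the PBSM "trusted ring" and the sources the PE consults.
TRUSTED_ZONES = [ipaddress.ip_network("10.0.0.0/8")]
ROLES = {"nurse01": {"clinical"}, "contractor7": {"vendor"}}   # identity provider
MANAGED_DEVICES = {"dev-a1": "00:11:22:33:44:55"}              # device inventory: id -> MAC


@dataclass(frozen=True)
class AccessRequest:
    username: str
    src_ip: str
    mac: str
    device_id: str
    geo: str          # country code of the connection
    resource: str


@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_roles: frozenset
    allowed_geos: frozenset
    require_managed_device: bool = True


def perimeter_decision(req):
    """PBSM: trust derives from location. Any host inside a trusted ring may reach
    any other trusted-ring resource; only traffic crossing the barrier is checked."""
    return any(ipaddress.ip_address(req.src_ip) in zone for zone in TRUSTED_ZONES)


class PolicyEngine:
    """PE: evaluates every request against policy plus identity and device data."""
    def __init__(self, policies):
        self.policies = {p.resource: p for p in policies}

    def decide(self, req):
        pol = self.policies.get(req.resource)
        if pol is None:
            return False, "no policy for resource (default deny)"
        if not ROLES.get(req.username, set()) & pol.allowed_roles:
            return False, "role not permitted"
        if req.geo not in pol.allowed_geos:
            return False, "geolocation not permitted"
        if pol.require_managed_device and MANAGED_DEVICES.get(req.device_id) != req.mac:
            return False, "device not in managed inventory"
        return True, "allowed"


class PolicyEnforcementPoint:
    """PEP: the host agent or gateway that actually opens or closes the path."""
    def __init__(self):
        self.sessions = {}

    def apply(self, req, allow):
        self.sessions[(req.username, req.device_id, req.resource)] = allow
        return allow


class PolicyAdministrator:
    """PA: takes the PE's decision and signals it to the PEP."""
    def __init__(self, pe, pep):
        self.pe, self.pep = pe, pep

    def handle(self, req):
        allow, reason = self.pe.decide(req)
        return self.pep.apply(req, allow), reason


def build_pdp():
    # One constructed policy: a ward file share reachable by clinical staff in the US
    # from managed devices only.
    policies = [Policy("ward-share", frozenset({"clinical"}), frozenset({"US"}))]
    return PolicyAdministrator(PolicyEngine(policies), PolicyEnforcementPoint())


def compare(req, pa):
    """Return (pbsm_allow, zta_allow, zta_reason) for one request."""
    zta_allow, reason = pa.handle(req)
    return perimeter_decision(req), zta_allow, reason


# Constructed scenarios:
# 1. valid clinician credentials used from an unregistered laptop inside the trusted ring
ROGUE = AccessRequest("nurse01", "10.20.30.40", "de:ad:be:ef:00:01", "unknown", "US", "ward-share")
# 2. the same clinician on a managed device, connecting from outside the trusted ring
REMOTE = AccessRequest("nurse01", "203.0.113.9", "00:11:22:33:44:55", "dev-a1", "US", "ward-share")

if __name__ == "__main__":
    pa = build_pdp()
    for name, req in (("rogue-inside", ROGUE), ("managed-remote", REMOTE)):
        print(name, compare(req, pa))
```

The first scenario is the lateral-movement gap the text describes: the perimeter model allows it because the source sits in the trusted ring, while the PE denies it on the device artifact; the second shows that under ZTA a compliant request is allowed regardless of network location.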
The PEP introduces a client into the critical path, requiring all endpoints to have a client or agent installed on the host system. Survey results reported a range of three to seventeen daily support engagements, with an average of ten daily and an average of nine after-hours engagements. During 2023, Company X, operating under a PBSM with a remote access solution that employs a client, experienced an average of four monthly support engagements concerning the remote access client, with approximately 4000 users connecting to the organization daily on average. See Figure 5.
At the time of this report, Company X boasted an employee population of 44,000, which is 11 times larger than the number of remote/client-based users. Based on these figures, projections suggest that under the ZTA, Company X’s support engagements will surge to 11 times the current volume. This translates to an anticipated average increase of 44 monthly support engagements, adding to the existing 336 support engagements reported by Company X, bringing the total to 380 support engagements monthly under the ZTA model. As illustrated in Table 1, there are notable increases in delta values from PBSM to ZTA for daily support tickets and weekly after-hours engagements, highlighting the significant difference in user impact and support overhead between the two approaches.

4.2. TCO and ROSI

The Total Cost of Ownership (TCO) calculation shown in Figure 6 facilitated the analysis of the financial aspects associated with the PBSM and ZTA frameworks. The TCO was established for each model covering a standard five-year life cycle term based on the United States Internal Revenue Service (IRS) published depreciation value [19]. The inflation rate value of 3.1% was derived from the 2023–2024 report by the U.S. Bureau of Labor Statistics [13]. Taking these inputs (inflation rate and quantity or model) into account helps avoid some of the common mistakes outlined by Greaves [20]. Figure 7 shows the topology of Company X’s PBSM, which is divided into two DCs: a core and a perimeter. The provided topology offers an appropriate framework that utilizes an industry-standard model for examining core asset volume, asset type, and associated list price values.
The CAPEX and OPEX values, as seen in Appendix A, are derived from products and services sold by a leading cybersecurity vendor based on reports by Gartner and Forrester research firms. While a consumer may have additional requirements depending on its internal needs (which is beyond the scope of this research), Appendix A is intended to provide a glimpse of the values or solutions expected for a range of prices. The TCO analysis, as seen in Table 2, displays CAPEX costs representative of industry standard “High Availability” (HA) security clusters (i.e., one synchronized pair of security devices in an environment). Furthermore, Table 2 subdivides each year based on asset quantity, with the sole ongoing CAPEX procurement stretching from years 2 to 5 to accommodate capacity expansion. For instance, each year entails expanding HA cluster capacity by one card, equivalent to an aggregate throughput rate of 13.2 gigabits per second.
The OPEX values account for licensing that follows an annual renewal cadence throughout the hardware’s lifespan. The initial hardware support contract encompasses the entire operational duration of the equipment, aligning with a common practice observed in many enterprise organizations. This approach offers cost savings compared to annual support renewals. The Total Cost of Ownership (TCO) for the analysis of the PBSM, based on a 5-year life-cycle term, amounts to United States dollar (USD) 22,906,851.10, with the highest-cost year being year one at USD 9,949,160.00.
The organizational structure, host population, and workforce within Company X laid the foundation for implementing a Zero Trust Architecture (ZTA). The topology for this study replicates Figure 7, with the only physical alteration being the removal of the log collection server assets. Cost values for ZTA solutions were derived from the list prices offered by the same cybersecurity vendor utilized for the PBSM. The same vendor is a leader in the industry for ZTA and Secure Access Service Edge (SASE)-based solutions, according to Gartner [5]. Table 3 illustrates an increase in operational expenditures (OPEXs) mainly due to the licensed-based Software as a Service (SaaS) model that encompasses the architecture of the ZTA solution. The reduction in CAPEX comes from eliminating the on-premises logging infrastructure, as this functionality is migrated to the cloud to align with the ZTA solution.
A total of 93% of Chief Information Security Officers advocate migrating security assets and services to the cloud to improve organizational efficiency [21]. Aligning with this trend, the financial analysis emphasizes the implementation of a Zero Trust Architecture (ZTA) using a leading ZTA Solution. The solution adopts a hybrid approach by combining cloud-born services with on-premises solutions. Therefore, a hardware CAPEX similar to the PBSM remains essential. The TCO for a 5-year ZTA solution is calculated at USD 68,684,762.04. The highest cost is assumed in year one at USD 18,145,160.00 due to the initial CAPEX purchases and 5-year support contract.
The Return on Security Investment (ROSI) (Figure 8), which is a form of cost–benefit analysis, is computed as described by Doan [22]. ROSI serves as one metric to quantify the value of investing in cybersecurity, hence assessing the bottom line. In other words, it serves to ascertain the returns an organization garners from its cybersecurity protection investments, as outlined by Lapidus [23]. The single loss expectancy (SLE) is assessed at USD 11 million, derived from a healthcare institution’s typical data breach cost. The annual rate of occurrence (ARO) value used is 40, reflecting the average number of cyberattacks experienced by medical centers annually [24]. The mitigation ratio (MR) values fluctuate depending on the model, with the MR for the existing PBSM at Company X standing at 60% and the ZTA at 90%.
The MR for the PBSM is averaged from the data for Company X, indicating that the current production model enables deep packet inspection at the infrastructure level on approximately 60% of the enterprise’s traffic. Additionally, the average risk of internal threat is valued at 40%, indicating a mitigation ratio of 60% [25]. The ZTA MR values are established based on ZTA solutions’ capability to reach each endpoint, facilitating 100% endpoint detection and response and the potential for deep packet inspection covering approximately 90% of enterprise traffic. Each cost figure is drawn from the preceding TCO calculations in Figure 6.
The PBSM ROSI analysis in Figure 9 returns a positive percentage of 1052.5% return on investment, equating to a savings of USD 241,094,607.83. The ZTA ROSI analysis in Figure 10 returns a positive percentage of 476.5% return on investment, equating to a savings of USD 327,282,891.12.
PBSM and ZTA demonstrate favorable returns, suggesting that both models offer financial benefits in enhancing cybersecurity postures. PBSM generates a higher ROSI when considering the cost-to-financial impact ratio. The incremental cost of implementing the ZTA solution over PBSM translates to USD 2,289,492.07 per 1% increase in mitigation ratio.
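The ROSI figures above can be reproduced from the inputs given in the text. The following is an added example, not the paper’s own calculation; it assumes the standard cost-benefit form of ROSI (annual loss expectancy ALE = SLE × ARO, and ROSI = (ALE × MR − cost) / cost), uses the SLE, ARO, MR and 5-year TCO values quoted above, and adds two checks the text does not carry out: the break-even MR for each model and a sensitivity sweep over the 10–20% margin of error on MR mentioned in the conclusions (treated here, as an assumption, as percentage points):

```python
# ROSI worked through with the paper's inputs. Added example; formula assumed to be the
# standard cost-benefit form, cost = 5-year TCO as quoted in the text.
SLE = 11_000_000          # single loss expectancy, USD
ARO = 40                  # annual rate of occurrence (attacks per year)

MODELS = {
    "PBSM": {"tco": 22_906_851.10, "mr": 0.60},
    "ZTA":  {"tco": 68_684_762.04, "mr": 0.90},
}


def ale(sle=SLE, aro=ARO):
    """Annual loss expectancy before any mitigation."""
    return sle * aro


def rosi(tco, mr, sle=SLE, aro=ARO):
    """Return (ROSI as a fraction, net savings in USD)."""
    avoided_loss = ale(sle, aro) * mr
    net = avoided_loss - tco
    return net / tco, net


def breakeven_mr(tco, sle=SLE, aro=ARO):
    """Mitigation ratio at which ROSI is zero (avoided loss equals cost)."""
    return tco / ale(sle, aro)


def mr_to_match(tco, target_rosi, sle=SLE, aro=ARO):
    """MR a model would need to reach a given ROSI at its cost. A result above 1.0 means
    the target is unattainable at that cost, since MR cannot exceed 100%."""
    return tco * (1 + target_rosi) / ale(sle, aro)


def sensitivity(model, error=0.20, step=0.05):
    """ROSI for MR shifted by -error..+error in 'step' increments (MR clamped to [0, 1]).
    Assumption: the 10-20% margin of error is read as percentage points of MR."""
    steps = round(error / step)
    out = {}
    for k in range(-steps, steps + 1):
        delta = k * step
        mr = min(1.0, max(0.0, model["mr"] + delta))
        out[round(delta, 2)] = rosi(model["tco"], mr)[0]
    return out


if __name__ == "__main__":
    for name, m in MODELS.items():
        r, net = rosi(m["tco"], m["mr"])
        print(f"{name}: ROSI {r * 100:.1f}%, net savings USD {net:,.2f}, "
              f"break-even MR {breakeven_mr(m['tco']) * 100:.1f}%")
    pbsm_rosi = rosi(**MODELS["PBSM"])[0]
    print(f"ZTA MR needed to match PBSM ROSI: {mr_to_match(MODELS['ZTA']['tco'], pbsm_rosi):.2f}")
    print("ZTA sensitivity:", {d: f"{v * 100:.0f}%" for d, v in sensitivity(MODELS['ZTA']).items()})
```

Because both models share the same ALE, the ZTA MR required to match the PBSM percentage comes out above 1.0, which is why the paper’s higher-cost model shows the lower ROSI even though its net savings are larger.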

5. Conclusions

The research examined the practicality and feasibility of implementing a Zero Trust Architecture (ZTA) framework within a large healthcare enterprise encompassing a workforce of approximately 45k to 50k individuals. The aim was to investigate empirically derived outcomes concerning the feasibility of adopting a ZTA framework and compare the capability, cost-effectiveness, supportability, risk, and operational elements against a PBSM. A non-probability survey was distributed to organizations with a particular employee population size of more than 20k and targeted participants engaged in the IT field, from management to technical experts.
As case study-driven research, it utilized Company X’s support metrics, user and asset statistics, and topology and solution values to predict or determine specific outcomes based on quantitative data. While Company X has only partially integrated ZTA solutions, it possesses data values that can be correlated with certain aspects of a ZTA deployment under analysis. Company X also contributed interviews with subject matter experts and leaders, which informed the qualitative data and Appendix A regarding the current PBSM architecture and the implementation of ZTA.
Quantitative data were employed to examine deviations in support engagements and financial implications across the two models. Analysis of support engagements yielded indicative data that underscored the increase in support overhead when moving from the infrastructure-focused PBSM to the host-centric ZTA. As one finding, it was ascertained that the adoption of a ZTA would increase support requirements and costs, given the 70% rise in support engagements and the 170% increase in after-hours engagements. Moreover, considering financial indicators, it was found that despite a potential margin of error of 10–20% on the mitigation ratio, a PBSM deployment offers a more cost-effective approach.
Qualitative analysis of both PBSM and ZTA frameworks would yield a theoretical superiority for a ZTA based on the architecture’s micro-segmentation aspect. Survey results indicated an increased complexity of the enterprise architecture under a ZTA, together with an inherent reduction in organizational risk relative to a PBSM.
Considering both the qualitative and quantitative analyses together, it was found that a PBSM remains effective in providing defense measures for an organization, mainly when a significant financial incentive is involved. On the other hand, ZTA offers a more secure environment with a notable reduction in risk, albeit at an additional cost and with added support variables. Another important point is that ZTA is still in its early stages of adoption, which limits the availability of field data and of cybersecurity practitioners’ insights derived from real-world experience. With the anticipated increase in adoption levels, insights into appropriate applications and the level of ZTA adoption will emerge, but this requires further research on the cultural journey of an organization towards ZTA adoption.

Author Contributions

Conceptualization, E.W.T. and W.D.A.; methodology, E.W.T. and W.D.A.; software, E.W.T.; validation, E.W.T., W.D.A., S.D.K. and S.A.O.; formal analysis, E.W.T.; investigation, E.W.T.; resources, E.W.T. and S.A.O.; data curation, E.W.T.; writing—original draft preparation, E.W.T.; writing—review and editing, E.W.T., W.D.A., S.D.K. and S.A.O.; visualization, E.W.T.; supervision, W.D.A. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

IRB #24-030: Cybersecurity Access Control: Framework Analysis in Healthcare Organizations. Specifically, 45 CFR 46.104(d) identifies studies exempt from IRB oversight. The UTC IRB chairperson or his/her designee has determined that your proposed project falls within the category described in the following subsection of this policy: 46.104(d)(2)(i): research that only includes educational tests, surveys, interviews, public observation, and recorded information that cannot readily identify the subject (directly or indirectly/linked).

Informed Consent Statement

The UTC IRB has approved this research project. The survey is voluntary, and every survey submission is anonymous. Each participant must be 18 years or older to participate. If you decide to discontinue participation during the course of the survey, only the information provided will be used. All data will be utilized exclusively within the previously outlined research scope. This research is risk-free for the respondent/organization. The data will provide organizational benefits and contributions to the body of knowledge in cybersecurity. If you have any questions about your rights as a subject/participant in this research, or if you feel you have been placed at risk, you can contact Dr. Susan Davidson, the Chair of the Human Subjects Committee, Institutional Review Board, at 423-425-1387. Additional contact information is available at www.utc.edu/irb, accessed 16 September 2024.

Data Availability Statement

The data that support the findings of this study are available on request from the corresponding author. The data are not publicly available due to restrictions (e.g., they contain information that could compromise the privacy of research participants).

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Product | List Price (in USD) | Description
ZTA mgmt. service | 75 | AI-powered autonomous digital experience management add-on; includes DEM for mobile user to application monitoring, predictive analytics and access analyzer powered by AI/ML; formal and standard customer success; per unit per year.
Cloud logging | 2000 | Data lake with 1 TB of storage, 1-year, includes premium support.
Zero-day threat protection, security chassis | 115,210 | Advanced zero-day subscription for device in an HA pair, year 1.
IPS/IDS threat license, security chassis | 115,210 | IPS/IDS subscription for device in an HA pair, year 1.
IoT threat license, security chassis | 76,810 | Enterprise IoT subscription for one (1) device in an HA pair, 1-year (12 months) term.
DNS security license, security chassis | 76,820 | DNS security subscription for device in an HA pair, year 1.
Security chassis (modular) | 148,210 | Hardware bundle, includes AC chassis, 4 × AC power supplies, 2 × fan trays, fan filter, switch management card, logging card, and 4 × AMC cards.
Network processing card | 213,340 | Network processing card with 8 × SFP/SFP+, 4 × QSFP+/QSFP28, auto speed sensing on all ports, 32M sessions.
Security appliance (non-modular) | 210,600 | Appliance hardware with redundant AC power supplies.
Log server | 63,000 | Server chassis with 16 TB storage (4 × 8 TB RAID-certified drives) and 4-post rack mount rails.
ZTA (SASE) solution | 120 | Mobile user local enterprise edition; includes private app access and outbound internet security for mobile users, premium security subscription, 5 service locations, 2 service connections, and standard access; per mobile user per year.
Data loss prevention license, security chassis | 153,610 | DLP subscription for device in an HA pair.
URL filtering license, security chassis | 115,210 | Advanced URL filtering subscription, 1-year.
Zero-day threat protection, security appliance | 6870 | Advanced zero-day subscription for one (1) device in an HA pair, 1-year (12 months) term.
IPS/IDS threat license, security appliance | 6870 | IPS/IDS subscription for a device in an HA pair, year 1.
DNS security license, security appliance | 37,910 | DNS security subscription for a device in an HA pair, year 1.
Data loss prevention license, security appliance | 75,820 | DLP subscription for a device in an HA pair.
Identity services | 70,000 | Identity orchestration and automation services / privilege management.
Identity services hardware | 15,000 | Required hardware for identity services.

Figure 1. PBSM/ZTA analysis framework.
Figure 2. PBSM ring model.
Figure 3. Company X 2023 access change requests (Firewall, VPN, ACLs).
Figure 4. ZTA core components.
Figure 5. Company X 2023 remote client support engagements.
Figure 6. TCO formula.
Figure 7. Company X’s PBSM topology.
Figure 8. ROSI formula.
Figure 9. PBSM ROSI calculation.
Figure 10. ZTA ROSI calculation.
Table 1. PBSM and ZTA compared support metrics.

Model | Daily Support Tickets | Daily Hours | Weekly After-Hours Engagements | Monthly
PBSM | 10 | 6.67 | 3.33 | 336
ZTA | 17 | 5.5 | 9 | 380
Change (%) | 70 | −18 | 170 | 13
Table 2. PBSM TCO worksheet (annual OpEx escalated at 3.1% inflation per year).

Hardware (CAPEX)
Hardware Description | One-Time/Annual | CapEx/OpEx | Yr 1 Qty | Yr 2 Qty | Yr 3 Qty | Yr 4 Qty | Yr 5 Qty | Unit Price | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total Cost
Security Appliance | One-Time | CapEx | 2 | | | | | $210,600.00 | $421,200.00 | $ - | $ - | $ - | $ - | $421,200.00
Chassis Security Hardware | One-Time | CapEx | 6 | | | | | $148,210.00 | $889,260.00 | $ - | $ - | $ - | $ - | $889,260.00
Chassis Processing Card | One-Time | CapEx | 12 | 6 | 6 | 6 | 6 | $213,340.00 | $2,560,080.00 | $2,639,442.48 | $2,721,265.20 | $1,280,040.00 | $1,280,040.00 | $9,200,827.68
Log Collection Servers | One-Time | CapEx | 8 | | | | | $63,000.00 | $504,000.00 | $ - | $ - | $ - | $ - | $504,000.00

Software (OPEX)
Software Description | One-Time/Annual | CapEx/OpEx | Quantity | Unit Price | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total Cost
Zero Day Threat Detection, Chassis | Annual | OpEx | 3 | $115,210.00 | $345,630.00 | $356,344.53 | $367,391.21 | $378,780.34 | $390,522.53 | $1,838,668.61
Zero Day Threat Detection, Appliance | Annual | OpEx | 1 | $56,870.00 | $56,870.00 | $58,632.97 | $60,450.59 | $62,324.56 | $64,256.62 | $66,248.58
IPS/IDS, Chassis | Annual | OpEx | 3 | $115,210.00 | $345,630.00 | $356,344.53 | $367,391.21 | $378,780.34 | $390,522.53 | $1,838,668.61
IPS/IDS, Appliance | Annual | OpEx | 1 | $59,870.00 | $59,870.00 | $61,725.97 | $63,639.48 | $65,612.30 | $67,646.28 | $69,743.31
IoT Security, Chassis | Annual | OpEx | 3 | $76,810.00 | $230,430.00 | $237,573.33 | $244,938.10 | $252,531.18 | $260,359.65 | $1,225,832.27
DNS Security, Chassis | Annual | OpEx | 2 | $76,820.00 | $153,640.00 | $158,402.84 | $163,313.33 | $168,376.04 | $173,595.70 | $817,327.91
DNS Security, Appliance | Annual | OpEx | 1 | $37,910.00 | $37,910.00 | $39,085.21 | $40,296.85 | $41,546.05 | $42,833.98 | $201,672.10
Data Loss Prevention, Chassis | Annual | OpEx | 1 | $153,610.00 | $153,610.00 | $158,371.91 | $163,281.44 | $168,343.16 | $173,561.80 | $817,168.31
Data Loss Prevention, Appliance | Annual | OpEx | 1 | $75,820.00 | $75,820.00 | $78,170.42 | $80,593.70 | $83,092.11 | $85,667.96 | $403,344.19
URL Filtering, Chassis | Annual | OpEx | 1 | $115,210.00 | $115,210.00 | $118,781.51 | $122,463.74 | $126,260.11 | $130,174.18 | $612,889.54
Support Contract (5yr) Hardware | Annual | OpEx | 1 | $4,000,000.00 | $4,000,000.00 | | | | | $4,000,000.00

Total OPEX/CAPEX Per Year | Year 1 | Year 2 | Year 3 | Year 4 | Year 5
 | $9,949,160.00 | $4,262,875.70 | $4,395,024.85 | $3,005,686.20 | $3,059,181.23
TCO (5yr Term) | $22,906,851.10
Table 3. ZTA TCO worksheet (annual OpEx escalated at 3.1% inflation per year).

Hardware (CAPEX)
Hardware Description | One-Time/Annual | CapEx/OpEx | Yr 1 Qty | Yr 2 Qty | Yr 3 Qty | Yr 4 Qty | Yr 5 Qty | Unit Price | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total Cost
Security Appliance | One-Time | CapEx | 2 | | | | | $210,600.00 | $421,200.00 | $ - | $ - | $ - | $ - | $421,200.00
Chassis Security Hardware | One-Time | CapEx | 6 | | | | | $148,210.00 | $889,260.00 | $ - | $ - | $ - | $ - | $889,260.00
Chassis Processing Card | One-Time | CapEx | 12 | 6 | 6 | 6 | 6 | $213,340.00 | $2,560,080.00 | $2,639,442.48 | $2,721,265.20 | $1,280,040.00 | $1,280,040.00 | $9,200,827.68

Software (OPEX)
Software Description | One-Time/Annual | CapEx/OpEx | Quantity | Unit Price | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total Cost
ZTA (SASE) Solution (Cloud) | Annual | OpEx | 44,000 | $120.00 | $1,760,000.00 | $1,814,560.00 | $1,870,811.36 | $1,928,806.51 | $1,988,599.51 | $9,362,777.39
Cloud Logging Data Storage | Annual | OpEx | 60 | $2,000.00 | $120,000.00 | $123,720.00 | $127,555.32 | $131,509.53 | $135,586.33 | $638,371.19
Management Service | Annual | OpEx | 44,000 | $75.00 | $3,300,000.00 | | $ - | $1,100,000.00 | $1,134,100.00 | $5,534,100.00
Zero Day Threat Detection, Chassis | Annual | OpEx | 3 | $115,210.00 | $345,630.00 | $356,344.53 | $367,391.21 | $378,780.34 | $390,522.53 | $1,838,668.61
Zero Day Threat Detection, Appliance | Annual | OpEx | 1 | $56,870.00 | $56,870.00 | $58,632.97 | $60,450.59 | $62,324.56 | $64,256.62 | $66,248.58
IPS/IDS, Chassis | Annual | OpEx | 3 | $115,210.00 | $345,630.00 | $356,344.53 | $367,391.21 | $378,780.34 | $390,522.53 | $1,838,668.61
IPS/IDS, Appliance | Annual | OpEx | 1 | $59,870.00 | $59,870.00 | $61,725.97 | $63,639.48 | $65,612.30 | $67,646.28 | $69,743.31
IoT Security, Chassis | Annual | OpEx | 3 | $76,810.00 | $230,430.00 | $237,573.33 | $244,938.10 | $252,531.18 | $260,359.65 | $1,225,832.27
DNS Security, Chassis | Annual | OpEx | 2 | $76,820.00 | $153,640.00 | $158,402.84 | $163,313.33 | $168,376.04 | $173,595.70 | $817,327.91
DNS Security, Appliance | Annual | OpEx | 1 | $37,910.00 | $37,910.00 | $39,085.21 | $40,296.85 | $41,546.05 | $42,833.98 | $201,672.10
Data Loss Prevention, Chassis | Annual | OpEx | 1 | $153,610.00 | $153,610.00 | $158,371.91 | $163,281.44 | $168,343.16 | $173,561.80 | $817,168.31
Data Loss Prevention, Appliance | Annual | OpEx | 1 | $75,820.00 | $75,820.00 | $78,170.42 | $80,593.70 | $83,092.11 | $85,667.96 | $403,344.19
URL Filtering, Chassis | Annual | OpEx | 1 | $115,210.00 | $115,210.00 | $118,781.51 | $122,463.74 | $126,260.11 | $130,174.18 | $612,889.54
Support Contract (5yr) Hardware | Annual | OpEx | 1 | $4,000,000.00 | $4,000,000.00 | | | | | $4,000,000.00

Total OPEX/CAPEX Per Year | Year 1 | Year 2 | Year 3 | Year 4 | Year 5
 | $14,625,160.00 | $6,201,155.70 | $6,393,391.53 | $6,166,002.25 | $6,317,467.08
TCO (5yr Term) | $37,938,099.67