Telematics 2.0: Privacy and Data Sovereignty in Zero Trust Architectures

Zero-trust architectures are becoming significantly more important for IT security. In enterprise environments, they focus on protecting company data. However, when it comes to healthcare and public authorities, sensitive personal data of patients and citizens must be protected while respecting data sovereignty. This requires different approaches.

An opinion piece by Steffen Ullrich, Technology Fellow, genua GmbH

Zero-trust architectures aim to enable secure access to data in an insecure environment such as telework, while also minimizing the possible damage caused by compromised users or systems. On the one hand, this is achieved by strictly and meticulously limiting the opportunities available to an attacker: minimal access rights are granted, and only for as long as necessary. On the other hand, effective user authentication methods and checks of the access devices ensure that the security level reached by the user matches the level of protection required for the data.

In enterprise environments, the focus is on protecting company data. For access by employees, partners or service providers, checks of the access devices and an evaluation of user access behavior are generally accepted as important security factors. Risk assessments balancing efficiency, usability, privacy and data protection can be carried out at the company level.

Telematics Has High Privacy and Data Sovereignty Requirements

In healthcare, however, protecting patient data is the priority. The data is accessed via patients' private devices or using service providers' devices, some of which are more secure than others, in practices and clinics. According to the understanding of privacy, data sovereignty and data protection in Germany and the EU, extensive intrusion into these devices to check security should be avoided, for example when electronic patient files are accessed. Moreover, any behavior analysis for zero-trust purposes, which would be standard in company IT, must take into account the fact that even access patterns may constitute medically relevant personal data. Equally, the patients' interests must be considered when weighing up any risks involving patient data. This includes the risk that critical service providers such as identity providers may gain universal access to patient data while operating a zero-trust architecture.

The issue of high privacy and data sovereignty requirements in healthcare also applies to public authorities and administration. In this case, the priority is to protect the personal data of citizens with regard to the digitization of administration-related public processes. However, even with regard to enterprise architectures, it is beneficial if the security features of zero-trust architectures can be guaranteed sufficiently while also respecting employees' privacy. Risks posed by service providers who are involved in operating a zero-trust infrastructure have also drawn attention. This is largely due to incidents such as: 

  • Security gaps and unsafe processes in Microsoft's management of keys and access rights

  • The partial compromise of the identity provider Okta

  • The numerous security gaps in the access control products of various security vendors, which have endangered the reliability of the access control or even the security of the end devices themselves

Anchoring Requirements in the Design at a Fundamental Level

In the fall of last year, gematik, the German national agency for digital medicine, commissioned a consortium of German manufacturers to devise a detailed concept for a zero-trust architecture. This concept incorporates the special requirements of healthcare into the design at a fundamental level rather than trying to make existing designs somewhat suitable by adding further solutions on top. The consortium comprises genua GmbH in the role of consortium leader, Bundesdruckerei GmbH and D-Trust GmbH (all three companies belong to Bundesdruckerei Gruppe GmbH) as well as CompuGroup Medical Deutschland AG and the Fraunhofer Institute for Applied and Integrated Security AISEC, and each member contributed its own specific experience and skills to the design of the architecture. Thus, in close collaboration with gematik, the consortium created a detailed concept that is not only secure and privacy-friendly but also easy to use, effective, scalable, flexible, open and future-proof.

Preventing Data Omnipotence in Digital Healthcare

A key requirement was the prevention of omnipotence. This means that no service provider in the infrastructure can gain universal access to data. Identity providers were viewed as a particular risk: if they were compromised, an attacker could assume various user identities. The problem was solved by deciding that the identity provider would not be able to make access decisions unilaterally. There are always multiple independent parties involved. Specifically, this means that the data must be accessed not only by an authenticated user but also via a registered device, and the identity provider for device registration is different from the identity provider for user authentication. The separate access checks are performed by a local policy enforcement point controlled by the respective specialist service before access to the service-specific patient data available there and to its processing is granted. For the storage of highly sensitive data, e.g., in electronic patient files, client-side encryption also takes place as before, thereby providing an extra level of protection.

To avoid extensive intrusion into the devices of users, security is attested via the existing platform services of the operating system providers, which can be used without extended rights to the system. To support the greatest possible number of end devices while ensuring ease of use for the user, the security requirements are adapted to the level of protection required: The patients' own data on their own end devices is treated as a different risk class than the collection of data belonging to various patients on the end devices of the service providers.
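The following is an added illustration, not part of the article or of gematik's detailed concept, of the two design decisions just described: a local policy enforcement point that grants access only when a user assertion from one issuer and a device assertion from a second, independent issuer both verify, and that compares the device's attested security level against the risk class of the data. The issuer keys, claim names and the risk-class mapping are constructed assumptions; HMAC stands in for whatever signature scheme a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed secrets: each issuer holds its own key, so a compromised user IdP
# cannot mint a valid device assertion and vice versa (no single party is omnipotent).
ISSUER_KEYS = {"user-idp": b"constructed-user-idp-key", "device-idp": b"constructed-device-idp-key"}

# Constructed mapping of data risk class to the minimum attested device level required.
# A patient's own data on their own device is a lower risk class than a service
# provider's device holding data of many patients.
REQUIRED_LEVEL = {"own-patient-data": 1, "multi-patient-data": 2}


def sign(issuer, claims):
    """Issue an assertion: canonical JSON body plus an HMAC under the issuer's key."""
    body = json.dumps(claims, sort_keys=True)
    mac = hmac.new(ISSUER_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "body": body, "mac": mac}


def verify(token, expected_issuer):
    """Return the claims if the token was issued by expected_issuer, else None."""
    if token is None or token.get("issuer") != expected_issuer:
        return None
    expected = hmac.new(ISSUER_KEYS[expected_issuer], token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None
    return json.loads(token["body"])


def pep_decide(user_token, device_token, risk_class):
    """Local policy enforcement point: both assertions must verify independently."""
    user = verify(user_token, "user-idp")
    if user is None:
        return False, "user assertion missing or invalid"
    device = verify(device_token, "device-idp")
    if device is None:
        return False, "device assertion missing or invalid"
    if device.get("attested_level", 0) < REQUIRED_LEVEL[risk_class]:
        return False, "device attestation below level required for " + risk_class
    return True, "ok"


if __name__ == "__main__":
    user = sign("user-idp", {"sub": "patient-42"})
    device = sign("device-idp", {"device_id": "dev-1", "attested_level": 1})
    print(pep_decide(user, device, "own-patient-data"))
    print(pep_decide(user, device, "multi-patient-data"))
    # A compromised user IdP relabelling its own assertion as a device assertion fails.
    forged = sign("user-idp", {"device_id": "dev-1", "attested_level": 2})
    forged["issuer"] = "device-idp"
    print(pep_decide(user, forged, "own-patient-data"))
```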

An in-depth description of the architecture can be found in the comprehensive detailed concept (160 pages, German only), which is available to the public free of charge in the gematik specialist portal.

This article originally appeared in German in: Behörden Spiegel dated 05.09, A Focus on IT Security.