Scalable Secrets Governance Models for High-Sensitivity Biomedical Systems

Authors

  • Prudhvi Raju Mudunuri, Independent Researcher, USA

DOI:

https://doi.org/10.15680/IJCTECE.2024.0701008

Keywords:

Secrets Management, Credential Governance, Biomedical Security, Secure Access Control, Encryption Lifecycle Management, Secrets Rotation, Audit Logging, Compliance Automation

Abstract

Credential security is a high-risk concern in biomedical systems that handle high-sensitivity research and clinical information. Unauthorized access to or disclosure of credentials in such environments may lead to severe security breaches and compliance violations. This paper introduces a scalable secrets governance model that aims to minimize such risks without adversely affecting operational flexibility. The model includes several significant components to enhance the security of credentials in biomedical systems: automated credential rotation, federated access enforcement, and centralized audit logging. Automated credential rotation ensures that credentials for accessing sensitive data are reissued on a regular basis, which reduces the exposure period. Federated access enforcement applies a highly restrictive access control policy across distributed environments, so that only authorized entities are granted access to critical resources. The centralized audit logging system provides full visibility into access events to support compliance with industry standards such as HIPAA and FISMA.

By combining these strategies, the model helps reduce cases of credential exposure and supports the controlled, effective and safe management of sensitive information. It also includes secure access control measures, such as token-based authentication and least-privilege access controls, to keep access rights to a minimum. The model also requires encryption lifecycle management, so that data is secured both at rest and in transit. The solution can be applied to high-sensitivity biomedical systems to improve data privacy, providing better resiliency and compliance at the expense of agility through a Zero-Trust Security architecture.

Published

2024-02-03

How to Cite

Scalable Secrets Governance Models for High-Sensitivity Biomedical Systems. (2024). International Journal of Computer Technology and Electronics Communication, 7(1), 8220-8232. https://doi.org/10.15680/IJCTECE.2024.0701008
