Clinical staff at a fictional provider need remote access to sensitive systems from unmanaged devices. The existing VPN is slow and offers no visibility into what users actually touch.
Planned: review identity, device posture, and network paths against the CISA Zero Trust Maturity Model and identify gaps in device trust and application-level segmentation.
Proposed architecture: identity as the primary control plane (SSO + phishing-resistant MFA), device posture at access time, and per-application tunnels replacing the flat VPN.
- 01Enforce phishing-resistant MFA and conditional access on all clinical apps.
- 02Introduce device compliance signals from Intune before granting session tokens.
- 03Replace flat VPN with per-app connectors and continuous verification.
- 04Write a 90-day rollout plan sequenced by clinical risk.
- · Clinicians will route around security if it costs them 30 seconds per patient.
- · The right architecture is the one the operations team can actually run.
- · A phased rollout builds trust faster than a big-bang cutover.
Learning objective: show a zero-trust design a small clinical team could actually adopt — safer access, better experience, and an audit story leadership can defend.