All projects
Security ArchitecturePlannedL3·12 min

Zero-Trust Architecture for a Fictional Healthcare Organization

A fictional customer scenario: discovery, architecture recommendation, and a rollout plan sized for a 40-person clinical operations team.

Business Problem

Clinical staff at a fictional provider need remote access to sensitive systems from unmanaged devices. The existing VPN is slow and offers no visibility into what users actually touch.

Technical Analysis

Planned: review identity, device posture, and network paths against the CISA Zero Trust Maturity Model and identify gaps in device trust and application-level segmentation.

Architecture

Proposed architecture: identity as the primary control plane (SSO + phishing-resistant MFA), device posture at access time, and per-application tunnels replacing the flat VPN.

Tools Used
Entra IDConditional AccessIntuneSASE (concept)
Solution
  1. 01Enforce phishing-resistant MFA and conditional access on all clinical apps.
  2. 02Introduce device compliance signals from Intune before granting session tokens.
  3. 03Replace flat VPN with per-app connectors and continuous verification.
  4. 04Write a 90-day rollout plan sequenced by clinical risk.
Expected Deliverables
Planned
Reference architecture
Proposed
Rollout plan
Planned
Access policy set
Zero-trust design
Learning objective
Lessons Learned
  • · Clinicians will route around security if it costs them 30 seconds per patient.
  • · The right architecture is the one the operations team can actually run.
  • · A phased rollout builds trust faster than a big-bang cutover.
Executive Summary

Learning objective: show a zero-trust design a small clinical team could actually adopt — safer access, better experience, and an audit story leadership can defend.