HIPAA Compliance

A four-thousand-person healthcare organization has deployed private applications to run its business in two datacenters and in AWS. It has begun a classification process to better understand the sensitivity of the data handled by each application in its environment.

They currently use VPNs but are in the process of moving away from network-level access to application-level access. They are also augmenting their user-based authorization with device posture requirements tied to the sensitivity of the data used by each application. For example, applications holding HIPAA data (including patient information) should be accessible only to employees using corporate-managed Windows devices. Accessing this data through email would violate the HIPAA rule unless the device posture policy ensures that BYOD, Mac, and iOS devices are not allowed access.

They have deployed a New Edge Publisher as a VMware image in their datacenter and created three access policies: High, Medium, and Low. The High policy ensures that only corporate-managed devices are used to access HIPAA information. The Low policy allows BYOD access to email.
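One way to model the tiered user-plus-device-posture check the scenario describes, as an added example that is not the product's own policy engine or policy schema: the High tier requires a corporate-managed Windows device and the Low tier admits BYOD, while the Medium tier's requirements, the attribute names, and the sample requests are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Device posture each classification tier requires. High and Low follow the
# scenario; Medium (managed device, any desktop OS) is an assumption.
POSTURE_REQUIREMENTS = {
    "High":   {"managed": True,  "os": {"windows"}},
    "Medium": {"managed": True,  "os": {"windows", "macos"}},
    "Low":    {"managed": False, "os": {"windows", "macos", "ios"}},
}

# Application-to-tier mapping from the classification process (constructed).
APP_TIERS = {"patient-records": "High", "hr-portal": "Medium", "email": "Low"}


@dataclass(frozen=True)
class Device:
    managed: bool   # enrolled in corporate device management
    os: str         # e.g. "Windows", "macOS", "iOS"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(app: str, user_authorized: bool, device: Device) -> Decision:
    """Allow only when the user is authorized AND the device meets the
    posture required by the application's data classification tier.
    Anything unknown or unmet is denied (fail closed)."""
    if not user_authorized:
        return Decision(False, f"user not authorized for {app}")
    tier = APP_TIERS.get(app)
    req = POSTURE_REQUIREMENTS.get(tier)
    if req is None:
        return Decision(False, f"{app} has no classification tier; default deny")
    if req["managed"] and not device.managed:
        return Decision(False, f"{tier} tier requires a corporate-managed device")
    if device.os.lower() not in req["os"]:
        return Decision(False, f"{tier} tier does not permit {device.os} devices")
    return Decision(True, f"{tier} tier posture satisfied on {device.os}")


def audit(requests):
    """Evaluate (app, user_authorized, device) tuples; returns one decision
    per request so denials can be reviewed alongside allows."""
    return [evaluate(app, ok, dev) for app, ok, dev in requests]
```

Running `audit` over constructed requests shows that the same authorized user is admitted to email from a BYOD iOS device but denied patient records from anything other than a managed Windows device.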

Compliance for HIPAA Data