Executive summary
I assessed a healthcare clinic's security posture and designed a defense-in-depth Zero Trust architecture aligned with NIST CSF 2.0, CIS Controls v8, PHIPA, and HIPAA — including a 6-zone VLAN segmentation model, Microsoft Entra ID IAM, and a ransomware-resilient 3-2-1-1-0 data protection strategy.
The problem
- Critical gaps existed: no MFA, a flat network, and legacy SMBv1/NTLM protocols.
- PHI exposure risks left the clinic vulnerable to ransomware and data breaches.
- The design had to satisfy PHIPA and HIPAA data-protection requirements.
The solution
- Designed a defense-in-depth architecture aligned with NIST CSF 2.0 and CIS Controls v8.
- Engineered a 6-zone VLAN Zero Trust segmentation model to limit lateral movement.
- Proposed a Microsoft Entra ID IAM framework with MFA, RBAC, and Conditional Access.
- Built a 3-2-1-1-0 backup strategy with DLP, encryption, and secure Azure migration.
Technical architecture
How the system fits together: each layer reflects technology used in the real build.
- Network: Zero Trust segmentation
- Identity: Access control
- Data Protection: Ransomware resilience
- Compliance: Regulatory alignment
Engineering challenges
Eliminating credential attack vectors
Introducing MFA, RBAC, and Conditional Access via Entra ID closed the most exploitable gaps.
Containing lateral movement
A 6-zone VLAN Zero Trust model replaced a flat network to improve incident containment.
Compliant data protection
A 3-2-1-1-0 backup model with encryption and data residency satisfied PHIPA and HIPAA.
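The 3-2-1-1-0 rule named in the solution and in this challenge is, as commonly defined, 3 copies on 2 media types, 1 off-site, 1 offline or immutable, and 0 errors on the latest restore verification. The checker below is an added illustration, not the clinic's tooling; the copy names, media types and inventories are constructed.

```python
"""Evaluate a backup inventory against the 3-2-1-1-0 rule.

Hypothetical example, not the clinic's tooling. Rule as used here:
  3 copies of the data, on 2 distinct media types, 1 copy off-site,
  1 copy offline or immutable, 0 errors in the latest restore test.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str          # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool     # offline, air-gapped, or WORM/immutable storage
    verify_errors: int  # errors from the most recent restore verification


def check_3_2_1_1_0(copies: list[BackupCopy]) -> dict[str, bool]:
    """Return which parts of the rule the inventory satisfies."""
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable": any(c.immutable for c in copies),
        # An empty inventory has no verified restore, so it cannot pass.
        "0_errors": bool(copies) and all(c.verify_errors == 0 for c in copies),
    }


def gaps(copies: list[BackupCopy]) -> list[str]:
    """Names of the rule parts that fail; empty means fully compliant."""
    return [k for k, ok in check_3_2_1_1_0(copies).items() if not ok]


# Constructed sample inventories (not from the assessment): a single on-site
# disk copy beside a layout that satisfies every part of the rule.
SINGLE_COPY_BACKUPS = [
    BackupCopy("primary-nas", "disk", offsite=False, immutable=False, verify_errors=0),
]

HARDENED_BACKUPS = [
    BackupCopy("primary-nas", "disk", offsite=False, immutable=False, verify_errors=0),
    BackupCopy("cloud-blob", "object-storage", offsite=True, immutable=True, verify_errors=0),
    BackupCopy("tape-vault", "tape", offsite=True, immutable=True, verify_errors=0),
]

if __name__ == "__main__":
    print("single copy gaps:", gaps(SINGLE_COPY_BACKUPS))
    print("hardened gaps:", gaps(HARDENED_BACKUPS))
```

A failed restore test on any copy flips `0_errors`, which is the part of the rule that turns a backup plan into a tested recovery plan.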
Outcomes
- Zero Trust VLAN architecture limiting lateral movement.
- MFA, RBAC, and Conditional Access policies.
- Ransomware-resilient data protection strategy.
- Aligned with NIST CSF 2.0 and CIS Controls v8.