The federal government shifted to a zero-trust strategy in 2022 to bolster its cybersecurity posture; private enterprises should take note and follow suit. Zero trust is a security model that grants no implicit trust to anything: user and vendor identities, devices (servers, laptops, mobiles, etc.), network components, and so on. Its motto is “Do not trust. Verify every time,” in place of the traditional perimeter model of “Trust but verify.”
Zero trust protects the business network and data from intrusion and exploitation by requiring every user and device on the network to be authenticated and then continuously re-validated in order to keep its authorization, regardless of location. With remote work now widespread, zero trust is more vital than ever.
The Zero-Trust Model
The zero-trust model, as it is commonly summarized against the tenets of NIST SP 800-207, rests on three core principles:
- Continuous verification
Authentication and authorization should not happen once at the point of initial access and then be assumed valid for the rest of the session. Organizations should re-verify access to every resource, on every request, on a continuous basis.
- Limiting the “blast radius”
Organizations should implement identity-based segmentation so that the impact of an external or internal breach is confined to what the compromised identity could reach. No single intrusion or user account should be able to compromise the whole network.
- Automating context collection and response
Organizations should also strive to increase their behavioral data visibility by collecting and analyzing information from the entire IT stack. This includes sources such as:
- User credentials (user/service accounts, privileged/nonprivileged accounts, SSO, etc.)
- Endpoints (laptops, desktops, mobiles, etc.)
- Cloud service providers (AWS, Azure, GCP, etc.)
- Network devices
- Other sources reachable via APIs, such as SIEM, identity providers (e.g., Active Directory), and threat intelligence feeds
Zero trust is a foundational part of today’s digital transformation and an important part of your third-party risk management framework. The continuous verification model makes providing secure third-party access to internal systems much easier.
Zero Trust in TPRM Security
In the third-party risk management context, a zero-trust strategy generally involves ensuring that the organization has comprehensive controls in place to limit vendor access to the minimum resources required to perform the job — no more, no less.
With zero trust, vendors and internal users are properly segmented from one another and subject to the same checks regardless of when, where, and how they access system resources.
Third-party trust is hard to manage when so many vendors come and go from anywhere in the world. That is why zero trust combines technologies such as multi-factor authentication, endpoint security, and modern cloud management to verify access and keep systems in a known state.
Implementing this correctly requires two key components:
- Vendor privileged access management (VPAM): VPAM is a technology that applies granular least-privilege controls when a vendor user is onboarded, and ensures those users are offboarded quickly and completely when service contracts end or the access is no longer required.
- Comprehensive audits: Once vendor users have been onboarded, continuous and comprehensive auditing of their activity is essential. This ensures vendor users are not violating any restrictions, whether maliciously or inadvertently, and that the organization is alerted immediately if a breach occurs.
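The following Python sketch is added here as an illustration and is not code from the original post or from any particular VPAM product. It ties the principles above together in one place: a toy policy decision point that re-evaluates every vendor request from scratch against a least-privilege grant (limiting the blast radius), the contract end date (automatic offboarding), MFA, and device posture (continuous verification), and records every allow or deny decision for audit. The vendor account name, resource names, and dates are constructed for the example.

```python
"""Toy zero-trust policy decision point (PDP) for vendor access.

Added example, not code from the original post. The vendor account,
resources and timestamps below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class VendorGrant:
    """Least-privilege grant issued at vendor onboarding."""
    vendor_id: str
    allowed: FrozenSet[str]        # "resource:action" pairs; nothing else is reachable
    contract_end: datetime         # access lapses automatically at this instant
    require_mfa: bool = True


@dataclass(frozen=True)
class AccessRequest:
    """Context collected for one request: identity, target, device, time."""
    vendor_id: str
    resource: str
    action: str
    at: datetime
    mfa_verified: bool
    device_compliant: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: Tuple[str, ...]       # empty when allowed, otherwise why it was denied


class PolicyDecisionPoint:
    def __init__(self, grants: List[VendorGrant]) -> None:
        self.grants: Dict[str, VendorGrant] = {g.vendor_id: g for g in grants}
        self.audit_log: List[dict] = []   # every decision, allow or deny

    def decide(self, req: AccessRequest) -> Decision:
        """Evaluate one request from scratch; nothing is carried over from earlier calls."""
        reasons = []
        grant = self.grants.get(req.vendor_id)
        if grant is None:
            reasons.append("unknown identity")
        else:
            if req.at >= grant.contract_end:
                reasons.append("contract expired")                 # offboarding by policy
            if f"{req.resource}:{req.action}" not in grant.allowed:
                reasons.append("outside least-privilege grant")    # limits blast radius
            if grant.require_mfa and not req.mfa_verified:
                reasons.append("mfa not verified")
        if not req.device_compliant:
            reasons.append("device not compliant")                 # posture checked every time
        decision = Decision(allowed=not reasons, reasons=tuple(reasons))
        self.audit_log.append({
            "time": req.at.isoformat(),
            "vendor": req.vendor_id,
            "target": f"{req.resource}:{req.action}",
            "allowed": decision.allowed,
            "reasons": decision.reasons,
        })
        return decision

    def revoke(self, vendor_id: str) -> None:
        """Offboard immediately, e.g. when a contract is terminated early."""
        self.grants.pop(vendor_id, None)


def run_demo() -> List[Decision]:
    """Constructed scenario: one HVAC vendor account, five requests over its contract."""
    utc = timezone.utc
    pdp = PolicyDecisionPoint([
        VendorGrant(
            vendor_id="hvac-vendor-svc",                 # hypothetical vendor account
            allowed=frozenset({"bms-controller:read", "bms-controller:write"}),
            contract_end=datetime(2024, 7, 1, tzinfo=utc),
        ),
    ])
    base = dict(vendor_id="hvac-vendor-svc", mfa_verified=True, device_compliant=True)
    requests = [
        # 1. in scope, in contract, MFA done, healthy device: allowed
        AccessRequest(resource="bms-controller", action="write",
                      at=datetime(2024, 6, 1, tzinfo=utc), **base),
        # 2. same identity reaching for a resource it was never granted: denied
        AccessRequest(resource="hr-database", action="read",
                      at=datetime(2024, 6, 1, tzinfo=utc), **base),
        # 3. device drifted out of compliance mid-session: denied on this request
        AccessRequest(resource="bms-controller", action="read",
                      at=datetime(2024, 6, 2, tzinfo=utc),
                      **{**base, "device_compliant": False}),
        # 4. contract lapsed; nobody had to remember to offboard: denied
        AccessRequest(resource="bms-controller", action="read",
                      at=datetime(2024, 7, 2, tzinfo=utc), **base),
    ]
    decisions = [pdp.decide(r) for r in requests]
    # 5. contract terminated early: revoke the grant and the identity is unknown
    pdp.revoke("hvac-vendor-svc")
    decisions.append(pdp.decide(AccessRequest(
        resource="bms-controller", action="read",
        at=datetime(2024, 6, 3, tzinfo=utc), **base)))
    return decisions
```

The point of the scenario is that requests 1, 3 and 4 come from the same identity with the same credentials; only the context (device posture, time against the contract) differs, and each request is judged on its own. A real deployment would pull the device and MFA signals from an endpoint agent and the identity provider rather than from request fields, and would ship the audit log to a SIEM, but the decision shape is the same.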
Organizations must start implementing zero-trust capabilities, particularly if they are granting third parties any form of access into their internal environment. Over 80% of cyberattacks involve credential use or misuse, according to CrowdStrike.
Another survey from the CyberRisk Alliance and SecurityScorecard found that over a third of respondents had at least 100 third-party vendors. And 91% of them experienced a security incident related to these third parties. This highlights the need to follow the government’s lead and implement a zero-trust strategy sooner rather than later.
4 Steps to a Zero-Trust Strategy
Although this blog is a useful starting point for third-party risk management and for building a zero-trust strategy, the authoritative source is NIST SP 800-207, Zero Trust Architecture, the standards document that defines it directly. Organizations should read NIST SP 800-207 to become familiar with the general tenets of a zero-trust architecture.
Once the document has been reviewed, organizations can then take some initial steps to implement a zero-trust architecture by:
- Identifying resources: The first step is to inventory what the organization already has, data sources and computing resources alike. For each, record how access is authenticated and how the validity of requests is evaluated. Existing asset databases, configuration management databases, and the like can be used to validate some of this.
- Listing organizational identities: Identities are used to build the profiles that determine which parts of which systems a user may reach. A list of how many identities of each type (user, service, privileged, vendor) are being managed gives a quick picture of the environment and makes issuing and revoking access far more efficient. Existing identity and access management solutions can be used to facilitate this effort.
- Discovering all touchpoints: Identify where identities need to interact with resources. Data-flow diagrams help determine what level of access to grant at each level of trust, show the business exactly what to look for, and give structure to the organization’s digital footprint.
- Leveraging current resources: Finally, determine whether current access-control tools can provide the functionality required for zero-trust capability. If they cannot, assess the risk of being unable to establish sufficient confidence in each access request. If that risk is unacceptable, look for a solution that brings it back into an acceptable range.
Zero Trust, Zero Problems
Zero trust is not a buzzword: it is an essential ingredient of any third-party risk management framework. With a proper zero-trust strategy in place, organizations substantially raise the level of security within their networks. Every user is held to the same rule: access is granted only after their identity has been authenticated and verified.
From there, resources are continuously monitored to ensure everyone stays within their allowed usage.
By implementing zero trust, organizations secure vendors, customers, and employees through every interaction within the company. This does more than provide security — it also lays the foundation for automation and advanced technologies. Contact us to learn how to implement a zero-trust strategy in your TPRM security today.