Zero trust is a cybersecurity approach that restricts network access so that only the right people reach the specific information they need, and nothing more. Here’s everything you need to know about the basic principles of zero trust and how to apply them to your third-party risk management (TPRM) program to create more secure remote access connections.
The term was coined by John Kindervag at Forrester Research in 2009, and related frameworks include Google’s BeyondCorp and Gartner’s CARTA. Today, it’s a key component of cybersecurity programs, especially in organizations that outsource business functions to third-party vendors who need remote access to their networks.
How is zero trust different from other approaches?
You’ve probably heard “trust but verify” in the context of cybersecurity and third-party risk. To that, zero trust responds: “Never trust, always verify”.
According to this approach, devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified. Authentication or verification is always needed before granting access to sensitive data or protected resources.
Zero trust deems all resources as external to the organization’s network, and continuously verifies users, resources, devices, and applications before granting the minimum level of access required. In contrast, the traditional approach automatically trusted users and endpoints within the organization’s perimeter.
But time is precious and there aren’t enough hours in the day to review every access attempt by hand. To make this concept workable in practice, zero trust uses broad data sets and dynamic, risk-based policies to drive access decisions and perform continuous monitoring.
What are the basic principles of zero trust?
- Least-privilege access, which means increasing the granularity of permissions for internal users and third-party vendor users. Beyond limiting who can access the network, it also limits which services, devices, or applications they can reach, from where, and at what times.
- Logs and audits, which help monitor vendor access and verify that they are not violating any access restrictions, either through malicious activity or just careless actions.
- General security mechanisms to apply advanced controls to third-party relationships, such as multi-factor authentication (MFA), identity access management (IAM), and a strong password policy that also disables identities once they are no longer working for the organization.
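The three principles above combined into one access decision, as an added example that is not from the original article or from Bitsight: a deny-by-default check for a vendor access request that verifies identity status, device posture, MFA, role scope and time window, and records every decision for audit. The role map, vendor directory and access hours are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed role-to-resource map: each vendor role reaches only its own application.
ROLE_SCOPES = {"hvac-contractor": {"bms-console"}, "payroll-vendor": {"payroll-app"}}
ACCESS_HOURS = (8, 18)  # constructed policy: vendor sessions allowed 08:00-17:59 only
AUDIT_LOG = []  # every decision, allow or deny, is appended here for later review

@dataclass
class Identity:
    user: str
    role: str
    active: bool = True  # set to False when the vendor user is offboarded

@dataclass
class AccessRequest:
    user: str
    resource: str
    device_verified: bool  # endpoint posture checked for this session
    mfa_passed: bool       # MFA completed for this session, not a past one
    at: datetime

def decide(identities, req):
    """Deny-by-default check: returns (allowed, reason) and records the decision."""
    ident = identities.get(req.user)
    if ident is None or not ident.active:
        reason = "identity unknown or disabled"
    elif not req.device_verified:
        reason = "device not verified"  # being on the corporate LAN grants nothing
    elif not req.mfa_passed:
        reason = "mfa not satisfied"
    elif req.resource not in ROLE_SCOPES.get(ident.role, set()):
        reason = "outside least-privilege scope"
    elif not ACCESS_HOURS[0] <= req.at.hour < ACCESS_HOURS[1]:
        reason = "outside permitted hours"
    else:
        reason = "allow"
    allowed = reason == "allow"
    AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                      "at": req.at.isoformat(), "allowed": allowed, "reason": reason})
    return allowed, reason

# Constructed vendor directory; pay-7's contract has ended, so that identity is disabled.
VENDORS = {"hvac-1": Identity("hvac-1", "hvac-contractor"),
           "pay-7": Identity("pay-7", "payroll-vendor", active=False)}

def check(user, resource, hour, device_verified=True, mfa_passed=True):
    """Evaluate one request against VENDORS at the given hour on a constructed date."""
    req = AccessRequest(user, resource, device_verified, mfa_passed, datetime(2024, 3, 4, hour))
    return decide(VENDORS, req)
```

Note that a request from a disabled identity is refused before any other check runs, which is the effect the password-policy point above is after, and the audit log entry is written whether the outcome is allow or deny.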
How to implement zero trust in your organization
Several technologies, standards, and infrastructure settings can help organizations put these principles into practice.
In August 2020, NIST released the NIST Special Publication 800-207: Zero Trust Architecture, which describes the components of a zero trust architecture, possible design scenarios, and threats. It also offers a roadmap to implement its main principles.
Dedicated solutions like Bitsight Vendor Risk Management (VRM) allow you to manage custom privileges for your third-party vendors based on job titles, departments, and roles. This makes it easier to manage the provisioning and de-provisioning of user permissions, with network access based on the least-privilege principle and granular controls to restrict third-party remote access to only the application they need and nothing else.
Why do you need to consider zero trust in your TPRM?
A study by the Ponemon Institute found that:
- 63% of organizations said remote access is becoming their weakest attack surface
- 51% experienced a third-party data breach in the 12 months prior to the study
- 74% said it was the result of giving too much privileged access to third parties
In addition, the accelerated digital transformation shifted the focus of security teams to more tactical needs, such as enabling remote workers, securing changes in operations to ensure business continuity, migrating to the cloud, re-assessing third-party and supply chain risks, accelerating and increasing vendor onboarding, and more.
Another component of a secure third-party vendor ecosystem
Organizations make significant efforts to control and secure the access given to third-party vendors, in order to avoid data breaches, security incidents, or noncompliance. Zero trust is another tool for mature enterprise risk management practices, establishing the framework for minimizing third-party risk on every network access.
Grounded in continuous verification, third-party vulnerabilities and insufficient security practices can be properly addressed.
While no security and defense strategy is immune, and data breaches will continue to happen, zero trust reduces the attack surface and limits the impact of a cyberattack.