Zero Trust is a cybersecurity approach that restricts network access so that only the right people reach the specific information they need, and nothing more. Here’s everything you need to know about the basic principles of Zero Trust and how to apply them to third party risk management (TPRM) to create more secure remote access connections.
The term was coined by John Kindervag at Forrester Research in 2009, and related frameworks include Google’s BeyondCorp and Gartner’s CARTA. However, it has recently been making headlines as a very important concept for organizations that outsource business functions to third party vendors who need remote access. Basically, every organization in today’s interconnected business world.
You’ve probably heard “trust but verify” in the context of cybersecurity and third party risk. To that, Zero Trust responds: “never trust, always verify”. Trust is a vulnerability.
According to this approach, nothing is ever 100% inherently safe, whether inside or outside the network perimeter. Authentication or verification is always needed before granting access to sensitive data or protected resources.
Zero Trust deems all resources as external to the organization’s network, and continuously verifies users, resources, devices, and applications before granting the minimum level of access required.
But time is precious and there aren’t enough hours in the day to review every access attempt. In order to make this concept applicable, Zero Trust uses broad data sets and dynamic risk-based policies to aid access decisions and perform continuous monitoring.
Several technologies and infrastructure settings can help organizations put this into practice.
In August 2020, NIST released the NIST Special Publication 800-207: Zero Trust Architecture, which describes the components of a zero trust architecture, possible design scenarios, and threats. It also offers a roadmap to implement its main principles.
Dedicated third party risk management (TPRM) solutions like ThirdPartyTrust also allow you to manage custom privileges for your third party vendors based on job titles, departments, and roles. This makes it easier to manage the provisioning and de-provisioning of user permissions, with network access based on the least-privilege principle and granular controls to restrict third-party remote access to only the application they need and nothing else.
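To make the two ideas above concrete (a dynamic, risk-based policy that verifies every request, and least-privilege grants that limit a vendor role to a single application), here is a toy policy decision point. It is an added illustration, not ThirdPartyTrust's product code or the NIST reference design; the role-to-application map, the risk weights, the threshold and the one-hour grant lifetime are all constructed values.

```python
"""Toy Zero Trust policy decision point for third-party vendor access.

Added example (not ThirdPartyTrust code). Every request is judged
deny-by-default: the vendor's role must explicitly allow the requested
application (least privilege), and identity, MFA, device posture and
location feed a risk score compared against a threshold. A grant is
short-lived and re-evaluated, so nothing stays trusted implicitly.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed role -> allowed applications map: one application per vendor role.
ROLE_APPS = {
    "payroll-vendor": {"hr-payroll"},
    "hvac-contractor": {"building-mgmt"},
    "auditor": {"finance-reporting"},
}

MAX_RISK = 50               # constructed threshold; a score above this is denied
GRANT_LIFETIME = timedelta(hours=1)   # constructed; access must be re-verified after this


@dataclass(frozen=True)
class AccessRequest:
    subject: str            # vendor user identity (already authenticated upstream)
    vendor_role: str
    application: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    source_country: str
    expected_country: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    risk: int
    reasons: Tuple[str, ...]
    expires_at: Optional[datetime] = None


def risk_score(req: AccessRequest) -> Tuple[int, Tuple[str, ...]]:
    """Dynamic risk: each weak signal adds constructed points and a reason."""
    score, reasons = 0, []
    if not req.mfa_verified:
        score += 60
        reasons.append("no MFA")
    if not req.device_managed:
        score += 30
        reasons.append("unmanaged device")
    if not req.device_patched:
        score += 25
        reasons.append("device unpatched")
    if req.source_country != req.expected_country:
        score += 30
        reasons.append("unexpected geolocation")
    return score, tuple(reasons)


def evaluate(req: AccessRequest, now: Optional[datetime] = None) -> Decision:
    """Decide one access request. Deny unless role and risk both permit it."""
    now = now or datetime.now(timezone.utc)
    allowed_apps = ROLE_APPS.get(req.vendor_role, set())
    # Least privilege: the role must explicitly list this application.
    if req.application not in allowed_apps:
        return Decision(False, 0, ("application not in role's allow-list",))
    score, reasons = risk_score(req)
    if score > MAX_RISK:
        return Decision(False, score, reasons)
    # Grant is bounded in time; the next request is verified from scratch.
    return Decision(True, score, reasons or ("all checks passed",), now + GRANT_LIFETIME)


def should_revoke(decision: Decision, current: AccessRequest, now: datetime) -> bool:
    """Continuous monitoring: revoke an active grant if it expired or posture worsened."""
    if not decision.allow or decision.expires_at is None:
        return True
    if now >= decision.expires_at:
        return True
    score, _ = risk_score(current)
    return score > MAX_RISK


if __name__ == "__main__":
    t0 = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
    ok = AccessRequest("alice@payroll-vendor.example", "payroll-vendor", "hr-payroll",
                       True, True, True, "US", "US")
    d = evaluate(ok, t0)
    print(d.allow, d.risk, d.reasons)
    # Same user, device later reported unpatched and unmanaged: grant is revoked.
    worse = AccessRequest(ok.subject, ok.vendor_role, ok.application,
                          True, False, False, "US", "US")
    print(should_revoke(d, worse, t0 + timedelta(minutes=10)))
```

The design point is that there is no "inside": a request that passes once is not remembered as trusted; `should_revoke` re-scores the live posture and expires the grant, and a role that is not in the allow-list is denied before any risk computation runs.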
You might have noticed a spate of third-party cybersecurity attacks since the start of the year, with Kaseya, Colonial Pipeline, and SolarWinds as the most resonant headlines. A study released in May 2021 by the Ponemon Institute found that:
In addition, the COVID-19 pandemic accelerated digital transformation and shifted the focus of security teams to more tactical needs, such as enabling remote workers, securing changes in operations to ensure business continuity, migrating to the cloud, re-assessing third-party and supply chain risks, accelerating and increasing vendor onboarding, and more.
In a world where the network perimeter has grown and has blurry boundaries, Zero Trust allows organizations to constantly re-evaluate, in real time, anything and anyone that touches their data.
Organizations make significant efforts to control and secure the access given to third party vendors, in order to avoid data breaches, security incidents, or noncompliance. Zero Trust is another tool for mature enterprise risk management practices, establishing the framework for minimizing third-party risk on every network access.
Grounded in continuous verification, third party vulnerabilities and insufficient security practices can be properly addressed.
While no security and defense strategy is immune, and data breaches will keep happening, Zero Trust reduces the attack surface and limits the impact of a cyberattack.