August 19, 2020 / Tony Howlett / Last Updated: June 17, 2021
Zero Trust Network Access (ZTNA) is everyone’s favorite buzzword these days, particularly with security vendors hawking their products. It has become a popular catchphrase describing a next-generation security practice that was formalized by Gartner and implemented by Google in their BeyondCorp concept years later. Zero Trust refers to a set of concepts around securing corporate data assets in a more granular fashion and getting away from the classic “castle and moat” concept of cybersecurity. If you look at the different implementations, it can mean different things to different people, and particularly to different products and applications. But what does it mean when it comes to the security of third-party connections to your organization, such as vendors with remote access? In this article, we will examine the basic principles of Zero Trust and how they can be applied to third-party risk management for more secure vendor connections.
Let’s start by breaking Zero Trust down into its component principles so we can understand how to apply it to remote access for vendors. Zero Trust calls for robust authentication that ties access to a verified user, a finite set of resources, and specific conditions. It promotes the use of technologies such as multi-factor authentication (MFA), the principle of least privilege, and segmenting assets into micro-zones. To implement it, you need to be able to compartmentalize authorization to specific assets, servers, or applications, or even to the time slots in which those resources can be accessed by that user. It can also be applied to lock down assets if and when a breach happens, to prevent deeper damage. The concept is to apply authorization based on the data and the specific user’s need to access it, rather than on what infrastructure they are using or how they are getting in. Traditional perimeter security and checkpoints have turned out to be woefully inadequate for the modern use of public networks like the internet.
Meeting the minimum principles of Zero Trust with regard to third-party relationships requires applying some advanced security controls to them. This includes MFA and other access controls, including the ability to require approval at a granular level, down to possibly a per-session basis. Support for credential vaulting or Privileged Access Management (PAM) is also important, as it severely limits the use of a stolen privileged credential, essentially neutering it.
In general, you will want to do anything that controls and limits vendor access to resources to the minimum required to do their job; no more, no less. This leads us to our next set of requirements.
The principle of least privilege has been around forever, and we practice it often when giving internal users their access. However, when it comes to third parties, simply giving vendors VPN access, which grants them carte blanche on your network, isn’t going to cut it anymore. Look instead to locking down access beyond the network level, down to specific servers, for specific applications, and for specific time periods. Least privilege for vendors needs to mean more than it does for employees. The ability to do this for vendors is embodied in a technology called Vendor Privileged Access Management, or VPAM. VPAM applies additional controls on the front end, when you onboard vendor users and give them the granular least privilege that Zero Trust requires, and on the back end, offboarding those users quickly and completely when they no longer work for the vendor. However you do it, you want to make sure that vendor access and rights form a closed loop, secured from the beginning to the end of the relationship.
Having good logs and audit capability is important for all functions of your systems, but particularly when it comes to Zero Trust and vendor access. It goes to the concept of “trust but verify.” So, after we apply that granular least privilege, how do we verify that those users are not violating those restrictions, either through malicious activity or just careless actions? Having a very detailed log of their activity is the only way to do this efficiently.
You will want more visibility than firewall, router, and system logs alone give you. To paint a full picture for audit purposes, you want to be able to see the actual actions taken. This can be achieved with “high-definition” audit records that include actual keystroke logs for command-line activity or video captures of graphical sessions. These can be very useful in catching an incident in real time, so you can stop it before real damage is done, and also for forensic analysis after a breach. Having these types of logs and reviewing them regularly can mean the difference between a minor, non-reportable incident and a full-on, costly breach.
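As an added example (not code from the original article or from any product it mentions), the following Python sketch encodes a vendor grant in the terms used above, specific servers, specific applications, a daily time window, an engagement end date and per-session approval, and replays constructed access-log lines against it to flag violations, which is the verification step the logging section calls for. All account names, hosts, the log-line format and the approval record are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, time

@dataclass(frozen=True)
class VendorGrant:
    user: str                # vendor account the grant belongs to
    hosts: frozenset         # specific servers the vendor may reach
    ports: frozenset         # specific applications, identified by service port
    window: tuple            # (start, end) daily access window, local time
    ends_on: date            # last day of the engagement; offboarded after this
    approval_required: bool  # each session needs a prior approval record

def violations(grant, ts, host, port, session, approved):
    """Return why one session event breaks the grant; an empty list is compliant."""
    reasons = []
    if ts.date() > grant.ends_on:
        reasons.append("access after offboarding date")
    if host not in grant.hosts:
        reasons.append(f"host {host} not in grant")
    if port not in grant.ports:
        reasons.append(f"port {port} not in grant")
    if not (grant.window[0] <= ts.time() <= grant.window[1]):
        reasons.append("outside approved time window")
    if grant.approval_required and session not in approved:
        reasons.append("session not approved")
    return reasons

def audit(grant, log_lines, approved):
    """Check each 'ts user host port session' log line against the grant."""
    report = {}
    for line in log_lines:
        ts, user, host, port, session = line.split()
        if user != grant.user:
            continue  # other accounts are judged against their own grants
        bad = violations(grant, datetime.fromisoformat(ts), host, int(port), session, approved)
        if bad:
            report[session] = bad
    return report

# Constructed sample grant and access-log lines; not from any real environment.
GRANT = VendorGrant("acme-svc", frozenset({"db01"}), frozenset({5432}),
                    (time(1, 0), time(4, 0)), date(2021, 6, 30), approval_required=True)
LOG = [
    "2021-06-01T02:15:00 acme-svc db01 5432 s1",  # compliant
    "2021-06-01T02:20:00 acme-svc app01 22 s2",   # wrong server and application
    "2021-06-01T14:00:00 acme-svc db01 5432 s3",  # outside the maintenance window
    "2021-07-02T02:00:00 acme-svc db01 5432 s4",  # after the engagement ended
    "2021-06-01T02:30:00 acme-svc db01 5432 s5",  # no per-session approval
]
APPROVED = {"s1", "s2", "s3", "s4"}
```

Running `audit(GRANT, LOG, APPROVED)` returns a dictionary keyed by session id with the reasons each non-compliant session broke the grant; a real deployment would feed the same checks from the session-recording system rather than a hand-built list.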
Zero Trust is a complicated concept, and the devil can indeed be in the details. This is not an exhaustive list but rather a list of basics to start with. You can always do more, and new technologies and approaches are always coming out. You should be reviewing your vendor management processes every year, and particularly how Zero Trust is applied, with the intent of continual improvement. When it comes to third-party vendors and their access to your data, using concepts such as Zero Trust, PAM, and VPAM can help you keep the bad guys from using your vendor relationships against you. To learn more about how to keep the bad guys out of your networks, and why you’re only as strong as your most vulnerable vendor, download our eBook on the Anatomy of a Third-Party Breach.