Zero Trust: Not the Relationship Type

Zero trust. It’s not exactly what you want in a relationship. But it’s everything you want in a remote access security solution.

So since we’re on the topic of relationships, let’s think about the qualities of a good relationship. Any good relationship is typically composed of some of the following elements: openness, communication, and trust. When you enter into a relationship with someone, you want to share every bit of life with them so they can know you better and you can know them better. A good relationship is anything but superficial. 

Now let’s talk about the qualities of a bad relationship: shallow, conditional, closed off, guarded, little engagement, assumes the worst, and little to no trust. In fact, there might be… 

Zero trust.

This is the exact idea behind the cybersecurity concept of zero trust – only allowing limited access into an organization’s network, just like the limited access you’d give to another party in a bad relationship. The last thing you want to do is open up your network to cybercriminals looking for vulnerable access points. 

The relationship between organizations and their third parties tends to be complex. It involves a number of components, such as servers, checkpoints, credentials, remote access, authorization, and – perhaps the most important component – risk. Any time an organization grants remote access to anyone, it’s a risk.

Over half of all data breaches are caused by hackers utilizing remote access into a network that’s been granted to a third party. So when an organization permits third parties to access their network for support, they are expanding their attack surface and creating another entry point to their network that could be exploited. 

Many organizations are using solutions like VPNs and desktop sharing tools to provide third parties with access into their network. The trouble with these solutions is that organizations still don’t have control over the amount of access their vendor has, which makes it difficult to limit the scope of what a bad actor could access if they were to gain access through a third party’s remote connection and compromise a network.


DTR(A) – Define the Remote Access

The zero trust principle strips remote access down to the most restricted level, evaluating each access attempt for validity and authorization into the network. As the name implies, zero trust remote access operates on the principle of no trust – exactly what you want with an external third-party access request.

Zero trust access begins from no access and slowly adds access via granular permissions and controls so that third parties only have access to those areas of support they are responsible for. This is in contrast to other methods that start with full access and try to isolate and limit that complete access as best as they can. This principle of always verifying and never trusting the access is accomplished with security protocols and practices such as multi-factor authentication, credential vaulting, and auditing.

If you ask us, multi-factor authentication is one of the most underrated cybersecurity tools, yet it continues to be one of the most effective ways to prevent credential breaches. Because hackers so often use stolen third-party credentials for remote access into an organization, stronger protection is needed than tricky password requirements alone. MFA requires a second, independent proof of identity before the access can proceed, providing an extra layer of defense and stopping hackers in their climb toward further privileged access.

To complement MFA, credential vaulting should also be implemented as a zero-trust practice. Storing login information in a password vault keeps confidential credential information secure, just like a bank vault. However, a user needs to go through a privileged access management (PAM) system to be authorized to use those credentials to log in to a network. Think of it like the heavily-armed guards protecting a bank vault. They won’t let in just anyone to access the good stuff – you have to have the authority to get in and use the goods (money or passwords) for the purposes at hand. 

Least privilege is the foundational concept behind zero trust. This practice restricts access and privileges to only the area a user needs and nothing more. So rather than granting a third-party vendor access to your entire system, so they can scour your network to find what they need, they are only granted access to the specific endpoint needed for the job they have to do. It seems simple, but many organizations still don’t use this type of limited access with their third parties.

All of these practices aid in the implementation of zero trust, but to make sure all i’s are dotted and t’s are crossed, an organization’s auditing process needs to support the restricted access procedures put in place. Audits are the only way to actively monitor and factually prove that your vendors are doing what they say they’re doing and that your system is working as it should. A good audit is able to log all vendor activity while in the network through video recordings of the network session, keystroke logs, and tracking of all vendor activity. Once this is in place, organizations can rely on these monitoring systems to track any suspicious behavior in their network and, in a worst-case scenario, track the source of a data breach based on past user activity. 
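To make the four practices above concrete (start from no access and add granular entitlements, require MFA, check credentials out of a vault rather than handing them to the vendor, and audit every decision), here is an added example of a minimal access-decision function. It is illustrative code written for this article, not any vendor's product; the entitlement table, vendor names, endpoint names and the `vault_checkout` helper are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed entitlement table (an assumption for this example):
# vendor -> endpoints that vendor is responsible for supporting.
# Anything not listed here is denied; access starts from zero.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "hvac-vendor": {"bms-controller-01"},
    "erp-support": {"erp-app-01", "erp-db-01"},
}


@dataclass(frozen=True)
class AccessRequest:
    vendor: str
    endpoint: str
    password_ok: bool  # first factor, as reported by the identity provider
    mfa_ok: bool       # second factor result


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    credential_handle: Optional[str] = None


# Audit trail: one record per decision, whether allowed or denied.
AUDIT_LOG: List[dict] = []


def _audit(req: AccessRequest, decision: Decision) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "vendor": req.vendor,
        "endpoint": req.endpoint,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })


def vault_checkout(vendor: str, endpoint: str) -> str:
    """Hypothetical PAM checkout: the vendor receives a short-lived
    handle bound to this session, never the stored secret itself."""
    return f"vault-handle/{endpoint}/{vendor}"


def evaluate(req: AccessRequest) -> Decision:
    """Default deny: every path that grants access must be positively justified."""
    allowed_endpoints = ENTITLEMENTS.get(req.vendor, set())
    if req.endpoint not in allowed_endpoints:
        decision = Decision(False, "no entitlement for endpoint")
    elif not req.password_ok:
        decision = Decision(False, "first factor failed")
    elif not req.mfa_ok:
        decision = Decision(False, "mfa failed")
    else:
        decision = Decision(True, "entitled and mfa verified",
                            vault_checkout(req.vendor, req.endpoint))
    _audit(req, decision)  # log denials too; they are the interesting events
    return decision


def vendors_with_repeated_denials(threshold: int = 2) -> Set[str]:
    """Simple review over the audit trail: vendors denied at least
    `threshold` times, worth a closer look by whoever owns the relationship."""
    counts: Dict[str, int] = {}
    for entry in AUDIT_LOG:
        if not entry["allowed"]:
            counts[entry["vendor"]] = counts.get(entry["vendor"], 0) + 1
    return {v for v, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    samples = [
        AccessRequest("hvac-vendor", "bms-controller-01", True, True),
        AccessRequest("hvac-vendor", "erp-db-01", True, True),   # out of scope
        AccessRequest("erp-support", "erp-db-01", True, False),  # no MFA
        AccessRequest("unknown-vendor", "erp-app-01", True, True),
    ]
    for s in samples:
        print(s.vendor, s.endpoint, "->", evaluate(s))
    print("repeated denials:", vendors_with_repeated_denials())
```

The order of the checks matters: scope is tested before credentials, so a vendor that is not entitled to an endpoint is refused regardless of how good its password and MFA are, and the denial is still recorded for later review.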


The Foundation of Remote Access Security

When an organization entrusts a third party with remote access into their network, it shouldn’t be treated as a good relationship. Openness and accessibility are two weaknesses when it comes to remote access, which is why organizations need a solution that operates on zero trust. 

So what are the lessons to be learned? Don’t give your whole heart (and network) away. Start with zero trust – the foundation of any secure relationship.

If you’re unsure of your relationship status with a third party, use our vulnerable vendor checklist to see if your third party’s remote access is a possible point of entry for a cyberattack.