Zero Trust for Third-Party Vendor Management

The full extent of most organizations’ supply chains is unknown, yet third-party vendor relationships add tremendous cyber risk if they are not managed correctly. The old adage, “you cannot manage what you can’t measure,” definitely applies in a world where an unattended vulnerability in a partner’s network can lead to downstream financial, reputational, or operational ruin. Getting a handle on the vastness of a company’s third-party ecosystem, however, could take months (or even years) at larger organizations, where networked partners may number in the tens of thousands. From the office supply vendor to the HVAC company to the company’s cloud providers, every digital transaction carries risk, because each of those organizations operates at its own level of cybersecurity maturity. For most security and networking teams, managing their own internal security is challenging enough; having to rely on other businesses to effect top-notch security practices is fear-inducing.

Outside of contractual agreements that include language permitting your organization to audit a partner’s, supplier’s, or vendor’s networks and systems, there simply isn’t much your security team can do to ensure the third party has tuned its firewalls correctly, is triaging alerts, or is applying all recommended security patches in a timely manner. Inattention to any one of these security basics (and many more), though, could lead to disastrous consequences. Just ask Target about best practices for managing your HVAC vendor.

Taking a step back:

First problem: knowing all the vendor relationships your organization has and the extent to which each of those vendors is tied in to your corporate networks.

Second problem: maintaining point-in-time security assessments for each vendor.

Third (and trickiest) problem: effecting any semblance of control over the security posture of all connected third parties.

Simply put, the third problem is almost entirely out of your control. Contractual agreements are the only real lever, short of pulling the plug on the relationship, at which point you would have to find another supplier to fill that need and ensure they also agree to and comply with your requirements.

Gaining complete network visibility with zero trust

There are a few ways organizations can shore up third-party access: next-generation firewalls, web filters, intrusion detection systems, and disabling unnecessary remote access technologies. But none of these presents a unified strategy (they are all individual tools) that affords complete visibility into:

  • Everything connecting to your networks
  • How and with what other systems supplier systems are communicating
  • The risk of each added connection

If you can’t see your entire network topology, there is no chance of shutting down risky network communication as it’s happening, especially without disrupting large chunks of the network.

Zero trust, however, can accomplish these things, and it doesn’t require re-architecting your whole network. 

You can’t secure what you can’t see

Since nothing in a zero trust network is allowed to communicate unless its attribute-based identity is verified, assets are discovered automatically and data paths are revealed as third-party systems attempt to communicate. Thus, a zero trust network will always provide real-time visibility into:

  • Which partner systems are requesting network access
  • What’s sending/receiving communications
  • What data paths they’re using
  • Which other systems they’re talking to
  • Normal traffic patterns 

What this means is that a zero trust network can always see which partners you have and how their systems are interacting with your network.

Policy enforcement with zero trust

The core tenet of zero trust is, “Never trust, always verify.” In practical terms this means that every data request is authenticated, irrespective of previous permissions, every time it tries to communicate with or on your network. In a zero trust network, data access decisions are dynamic and based on a collection of criteria (not just usernames and passwords or approved ports, for example) that together form an identity (or fingerprint). For instance, if the identity/fingerprint of an application no longer meets the criteria because malware has been added to it, the connection is denied. The same goes for a system that appears to have been updated out of band, or for a connection request that comes from a location never seen before. As such, if your supplier has been exploited, the attack progression is stopped at your doorstep.

Importantly, internal communications are subject to the same verification process as external requests. Just because a user, device, host, application, or workload has been verified by its identity and made its way onto the network, that doesn’t mean it wasn’t exploited on the inside. This is the main difference between a zero trust (i.e., untrusted) network and a trusted network (i.e., a typical network that assumes internal traffic is OK because it passed a previous “check”).

Moreover, a zero trust network removes the need to rely on contracts to enforce security policies (to the extent that that’s effective). If a partner network is vulnerable because of a missing patch, your zero trust network can prevent their systems from talking to yours. If your partner network has been breached due to stolen credentials (which is a hard problem to prevent), and an attacker uses those stolen credentials to try to escalate privileges, the attacker is stopped because a zero trust network doesn’t allow for privilege escalation. If the stolen credentials have administrative privileges and the attacker adds malware to the system, it can’t propagate in a zero trust network because an identity for the malware won’t be built.
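To make the per-request, identity-based decision concrete, here is a small policy engine written for this post as an added illustration; it is not Edgewise’s product code. The identity attributes it checks (binary hash, approved version, expected source range, least-privilege target list), the workload name vendor-inventory-sync, and the sample request values are all constructed assumptions. It also demonstrates the visibility point from the previous section: because every attempt is evaluated, denied or not, the engine can list which partner identities have tried to connect and over which data paths.

```python
# Illustrative zero-trust policy engine (added example, not Edgewise code).
# Every request is checked against a multi-attribute identity, never by network location alone.
from dataclasses import dataclass
import hashlib
import ipaddress


@dataclass(frozen=True)
class Identity:
    name: str
    binary_sha256: str          # hash of the approved executable
    version: str                # version approved at enrollment
    allowed_sources: tuple      # CIDRs the workload is expected to connect from
    allowed_targets: frozenset  # (target, port) pairs it is permitted to reach


@dataclass
class Request:
    claimed_name: str
    binary_bytes: bytes         # contents of the executable making the request
    version: str
    source_ip: str
    target: str
    port: int


class ZeroTrustEngine:
    def __init__(self):
        self.identities = {}
        self.decisions = []          # (decision, name, target, port, reason)
        self.observed_paths = set()  # (name, source_ip, target, port), allowed or not

    def enroll(self, ident):
        self.identities[ident.name] = ident

    def evaluate(self, req):
        """Deny by default; record the path and the decision either way."""
        self.observed_paths.add((req.claimed_name, req.source_ip, req.target, req.port))
        reason = self._first_failure(req)
        decision = "ALLOW" if reason is None else "DENY"
        self.decisions.append((decision, req.claimed_name, req.target, req.port, reason))
        return decision, reason

    def _first_failure(self, req):
        ident = self.identities.get(req.claimed_name)
        if ident is None:
            return "unknown identity"
        if hashlib.sha256(req.binary_bytes).hexdigest() != ident.binary_sha256:
            return "binary fingerprint mismatch (executable modified or replaced)"
        if req.version != ident.version:
            return "version drift (updated out of band)"
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in ipaddress.ip_network(c) for c in ident.allowed_sources):
            return "source address never seen at enrollment"
        if (req.target, req.port) not in ident.allowed_targets:
            return "target outside least-privilege allow list"
        return None

    def partner_inventory(self):
        """Visibility: every name that has tried to connect and the paths it used."""
        inventory = {}
        for name, src, tgt, port in sorted(self.observed_paths):
            inventory.setdefault(name, []).append((src, tgt, port))
        return inventory


# Constructed stand-in for a vendor's approved executable (not a real binary).
GOOD_BINARY = b"vendor-inventory-sync v2.3"


def build_engine():
    eng = ZeroTrustEngine()
    eng.enroll(Identity(
        name="vendor-inventory-sync",
        binary_sha256=hashlib.sha256(GOOD_BINARY).hexdigest(),
        version="2.3",
        allowed_sources=("198.51.100.0/24",),  # documentation range, assumed
        allowed_targets=frozenset({("inventory-api", 443)}),
    ))
    return eng


def run_scenarios():
    """Evaluate six constructed requests; only the first should be allowed."""
    eng = build_engine()
    base = dict(claimed_name="vendor-inventory-sync", binary_bytes=GOOD_BINARY, version="2.3",
                source_ip="198.51.100.10", target="inventory-api", port=443)
    scenarios = [
        ("legitimate sync", base),
        ("binary tampered", {**base, "binary_bytes": GOOD_BINARY + b"\x90\x90"}),
        ("out-of-band update", {**base, "version": "2.4"}),
        ("unexpected source", {**base, "source_ip": "203.0.113.7"}),
        ("reach beyond allow list", {**base, "target": "hr-db", "port": 5432}),
        ("unenrolled caller", {**base, "claimed_name": "unknown-agent"}),
    ]
    results = [(label, *eng.evaluate(Request(**kw))) for label, kw in scenarios]
    return eng, results


if __name__ == "__main__":
    for label, decision, reason in run_scenarios()[1]:
        print(decision, label, reason or "all identity checks passed")
```

Run it directly to see one ALLOW followed by five DENY lines, each with its reason. Two design choices carry the post’s argument: the checks are ordered so that an unknown or altered executable fails before network attributes are even considered, and the path of every attempt is recorded before the decision is made, which is what turns enforcement into an automatically maintained inventory of partner systems and data paths.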

Conclusion

Supply chains are an ever-growing problem. The more networked systems you have to account for, the bigger the vulnerability. Removing trust from your networks—whether they’re on premises, in a public cloud, or somewhere in between—tamps down the number of vulnerabilities you will have to manage. A zero trust network:

  • Ensures greater data awareness (data mapping and asset identification)
  • Operates on the principle of least-privilege access
  • Creates security policies based on the identity of communicating assets
  • Enforces access based on identity verification (versus network constructs)
  • Adapts to change

With these design principles implemented, when your operating ecosystem grows, risk remains in check. Vulnerabilities in third-party systems don’t automatically translate to your environment because security controls that prevent hostile communications are in place; everything and everyone is repeatedly authenticated and authorized. In this way, security is not compromised...and neither are your networks.  

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.