
Zero Trust and Third-Party Risk. Reduce the Blast Radius. Edition No. 1

  • Book

  • 240 Pages
  • October 2023
  • John Wiley and Sons Ltd
  • ID: 5826080

Dramatically lower the cyber risk posed by third-party software and vendors in your organization

In Zero Trust and Third-Party Risk, veteran cybersecurity leader Gregory Rasner delivers an accessible and authoritative walkthrough of the fundamentals and finer points of the zero trust philosophy and its application to the mitigation of third-party cyber risk. In this book, you’ll explore how to build a zero trust program and nurture it to maturity. You will also learn how and why zero trust is so effective in reducing third-party cybersecurity risk.

The author uses the story of a fictional organization, KC Enterprises, to illustrate the real-world application of zero trust principles. He takes you through a full zero trust implementation cycle, from initial breach to cybersecurity program maintenance and upkeep. You’ll also find:

  • Explanations of the processes, controls, and programs that make up the zero trust doctrine
  • Descriptions of the five pillars of implementing zero trust with third-party vendors
  • Numerous examples, use-cases, and stories that highlight the real-world utility of zero trust

An essential resource for board members, executives, managers, and other business leaders, Zero Trust and Third-Party Risk will also earn a place on the bookshelves of technical and cybersecurity practitioners, as well as compliance professionals seeking effective strategies to dramatically lower cyber risk.

Table of Contents

Foreword xiii

INTRODUCTION: Reduce the Blast Radius xvii

Part I Zero Trust and Third-Party Risk Explained 1

Chapter 1 Overview of Zero Trust and Third-Party Risk 3

Zero Trust 3

What Is Zero Trust? 4

The Importance of Strategy 5

Concepts of Zero Trust 6

1. Secure Resources 7

2. Least Privilege and Access Control 8

3. Ongoing Monitoring and Validation 11

Zero Trust Concepts and Definitions 13

Multifactor Authentication 13

Microsegmentation 14

Protect Surface 15

Data, Applications, Assets, Services (DAAS) 15

The Five Steps to Deploying Zero Trust 16

Step 1: Define the Protect Surface 16

Step 2: Map the Transaction Flows 17

Step 3: Build the Zero Trust Architecture 17

Step 4: Create the Zero Trust Policy 17

Step 5: Monitor and Maintain the Network 19

Zero Trust Frameworks and Guidance 20

Zero Trust Enables Business 22

Cybersecurity and Third-Party Risk 22

What Is Cybersecurity and Third-Party Risk? 23

Overview of How to Start or Mature a Program 25

Start Here 25

Intake, Questions, and Risk-Based Approach 27

Remote Questionnaires 28

Contract Controls 29

Physical Validation 30

Continuous Monitoring 31

Disengagement and Cybersecurity 33

Reporting and Analytics 34

ZT with CTPR 35

Why Zero Trust and Third-Party Risk? 35

How to Approach Zero Trust and Third-Party Risk 37

ZT/CTPR OSI Model 38

Chapter 2 Zero Trust and Third-Party Risk Model 43

Zero Trust and Third-Party Users 43

Access Control Process 44

Identity: Validate Third-Party Users with Strong Authentication 45

Five Types of Strong Authentication 47

Identity and Access Management 50

Privileged Access Management 52

Device/Workload: Verify Third-Party User Device Integrity 54

Access: Enforce Least-Privilege Access for Third-Party Users to Data and Apps 57

Groups 57

Work Hours 58

Geo-Location 58

Device-Based Restrictions 58

Auditing 59

Transaction: Scan All Content for Third-Party Malicious Activity 59

IDS/IPS 60

DLP 60

SIEM 61

UBAD 61

Governance 62

Zero Trust and Third-Party Users Summary 62

Zero Trust and Third-Party Applications 63

Identity: Validate Third-Party Developers, DevOps, and Admins with Strong Auth 64

Privileged User Groups 64

Multifactor Authentication 64

Just-in-Time Access 65

Privileged Access Management 65

Audit and Logging 66

Device/Workload: Verify Third-Party Workload Integrity 66

Access: Enforce Least-Privilege Access for Third-Party Workloads Accessing Other Workloads 67

Transaction: Scan All Content for Third-Party Malicious Activity and Data Theft 68

Zero Trust and Third-Party Applications Summary 70

Zero Trust and Third-Party Infrastructure 70

Identity: Validate Third-Party Users with Access to Infrastructure 71

Device/Workload: Identify All Third-Party Devices (Including IoT) 72

Software-Defined Perimeter 74

Encryption 74

Updates 75

Enforce Strong Passwords 75

Vulnerability and Secure Development Management 75

Logging and Monitoring 76

Access: Enforce Least-Privilege Access Segmentation for Third-Party Infrastructure 76

Transaction: Scan All Content Within the Infra for Third-Party Malicious Activity and Data Theft 77

Zero Trust and Third-Party Infrastructure Summary 78

Chapter 3 Zero Trust and Fourth-Party Cloud (SaaS) 79

Cloud Service Providers and Zero Trust 80

Zero Trust in Amazon Web Services 81

Zero Trust in Azure 83

Zero Trust in Azure Storage 85

Zero Trust on Azure Virtual Machines 87

Zero Trust on an Azure Spoke VNet 87

Zero Trust on an Azure Hub VNet 88

Zero Trust in Azure Summary 88

Zero Trust in Google Cloud 88

Identity-Aware Proxy 89

Access Context Manager 90

Zero Trust in Google Cloud Summary 91

Vendors and Zero Trust Strategy 91

Zero Trust at Third Parties as a Requirement 91

A Starter Zero Trust Security Assessment 92

A Zero Trust Maturity Assessment 95

Pillar 1: Identity 98

Pillar 2: Device 101

Pillar 3: Network/Environment 104

Pillar 4: Application/Workload 107

Pillar 5: Data 110

Cross-cutting Capabilities 113

Zero Trust Maturity Assessment for Critical Vendors 115

Part I: Zero Trust and Third-Party Risk Explained Summary 119

Part II Apply the Lessons from Part I 121

Chapter 4 KC Enterprises: Lessons Learned in ZT and CTPR 123

Kristina Conglomerate Enterprises 124

KC Enterprises’ Cyber Third-Party Risk Program 127

KC Enterprises’ Cybersecurity Policy 127

Scope 127

Policy Statement and Objectives 128

Cybersecurity Program 128

Classification of Information Assets 129

A Really Bad Day 130

Then the Other Shoe Dropped 133

Chapter 5 Plan for a Plan 139

KC's ZT and CTPR Journey 139

Define the Protect Surface 143

Map Transaction Flows 146

Architecture Environment 148

Deploy Zero Trust Policies 159

Logical Policies and Environmental Changes 159

Zero Trust for Third-Party Users at KC Enterprises 161

Third-Party User and Device Integrity 161

Third-Party Least-Privileged Access 163

Third-Party User and Device Scanning 165

Zero Trust for Third-Party Applications at KC Enterprises 166

Third-Party Application Development and Workload Integrity 166

Third-Party Application Least-Privileged Access Workload to Workload 168

Third-Party Application Scanning 168

Zero Trust for Third-Party Infrastructure at KC Enterprises 169

Third-Party User Access to Infrastructure 169

Third-Party Device Integrity 170

Third-Party Infrastructure Segmentation 170

Third-Party Infrastructure Scanning 171

Written Policy Changes 172

Identity and Access Management Program 172

Vulnerability Management Program 173

Cybersecurity Incident Management Program 174

Cybersecurity Program 175

Cybersecurity Third-Party Risk Program 175

Third-Party Security Standard 177

Information Security Addendum 181

Assessment Alignment and Due Diligence 198

Third-Party Risk Management Program 202

Legal Policies 203

Monitor and Maintain 205

Part II: Apply the Lessons from Part I Summary 206

Acknowledgments 209

About the Author 211

About the Technical Editor 211

Index 213

Author

Gregory C. Rasner, ISC2 Third-Party Risk Task Force.