Zero Trust and Third–Party Risk – Reduce the Blast Radius

GREGORY C. RASNER is the author of the previous book Cybersecurity & Third-Party Risk: Third-Party Threat Hunting and the content creator of training and certification program "Third-Party Cyber Risk Assessor" (Third Party Risk Association, 2023). Greg is the co-chair for ISC² Third-Party Risk Task Force and is an advisor to local colleges on technology and cybersecurity.

Foreword xiii INTRODUCTION: Reduce the Blast Radius xvii Part I Zero Trust and Third-Party Risk Explained 1 Chapter 1 Overview of Zero Trust and Third-Party Risk 3 Zero Trust 3 What Is Zero Trust? 4 The Importance of Strategy 5 Concepts of Zero Trust 6 1. Secure Resources 7 2. Least Privilege and Access Control 8 3. Ongoing Monitoring and Validation 11 Zero Trust Concepts and Definitions 13 Multifactor Authentication 13 Microsegmentation 14 Protect Surface 15 Data, Applications, Assets, Services (DAAS) 15 The Five Steps to Deploying Zero Trust 16 Step 1: Define the Protect Surface 16 Step 2: Map the Transaction Flows 17 Step 3: Build the Zero Trust Architecture 17 Step 4: Create the Zero Trust Policy 17 Step 5: Monitor and Maintain the Network 19 Zero Trust Frameworks and Guidance 20 Zero Trust Enables Business 22 Cybersecurity and Third-Party Risk 22 What Is Cybersecurity and Third-Party Risk? 23 Overview of How to Start or Mature a Program 25 Start Here 25 Intake, Questions, and Risk-Based Approach 27 Remote Questionnaires 28 Contract Controls 29 Physical Validation 30 Continuous Monitoring 31 Disengagement and Cybersecurity 33 Reporting and Analytics 34 ZT with CTPR 35 Why Zero Trust and Third-Party Risk? 35 How to Approach Zero Trust and Third-Party Risk 37 ZT/CTPR OSI Model 38 Chapter 2 Zero Trust and Third-Party Risk Model 43 Zero Trust and Third-Party Users 43 Access Control Process 44 Identity: Validate Third-Party Users with Strong Authentication 45 Five Types of Strong Authentication 47 Identity and Access Management 50 Privileged Access Management 52 Device/Workload: Verify Third-Party User Device Integrity 54 Access: Enforce Least-Privilege Access for Third-Party Users to Data and Apps 57 Groups 57 Work Hours 58 Geo-Location 58 Device-Based Restrictions 58 Auditing 59 Transaction: Scan All Content for Third-Party Malicious Activity 59 IDS/IPS 60 DLP 60 SIEM 61 UBAD 61 Governance 62 Zero Trust and Third-Party Users Summary 62 Zero Trust and Third-Party Applications 63 Identity: Validate Third-Party Developers, DevOps, and Admins with Strong Auth 64 Privileged User Groups 64 Multifactor Authentication 64 Just-in-Time Access 65 Privileged Access Management 65 Audit and Logging 66 Device/Workload: Verify Third-Party Workload Integrity 66 Access: Enforce Least-Privilege Access for Third-Party Workloads Accessing Other Workloads 67 Transaction: Scan All Content for Third-Party Malicious Activity and Data Theft 68 Zero Trust and Third-Party Applications Summary 70 Zero Trust and Third-Party Infrastructure 70 Identity: Validate Third-Party Users with Access to Infrastructure 71 Device/Workload: Identify All Third-Party Devices (Including IoT) 72 Software-Defined Perimeter 74 Encryption 74 Updates 75 Enforce Strong Passwords 75 Vulnerability and Secure Development Management 75 Logging and Monitoring 76 Access: Enforce Least-Privilege Access Segmentation for Third-Party Infrastructure 76 Transaction: Scan All Content Within the Infra for Third-Party Malicious Activity and Data Theft 77 Zero Trust and Third-Party Infrastructure Summary 78 Chapter 3 Zero Trust and Fourth-Party Cloud (SaaS) 79 Cloud Service Providers and Zero Trust 80 Zero Trust in Amazon Web Services 81 Zero Trust in Azure 83 Zero Trust in Azure Storage 85 Zero Trust on Azure Virtual Machines 87 Zero Trust on an Azure Spoke VNet 87 Zero Trust on an Azure Hub VNet 88 Zero Trust in Azure Summary 88 Zero Trust in Google Cloud 88 Identity-Aware Proxy 89 Access Context Manager 90 Zero Trust in Google Cloud Summary 91 Vendors and Zero Trust Strategy 91 Zero Trust at Third Parties as a Requirement 91 A Starter Zero Trust Security Assessment 92 A Zero Trust Maturity Assessment 95 Pillar 1: Identity 98 Pillar 2: Device 101 Pillar 3: Network/Environment 104 Pillar 4: Application/Workload 107 Pillar 5: Data 110 Cross-cutting Capabilities 113 Zero Trust Maturity Assessment for Critical Vendors 115 Part I: Zero Trust and Third-Party Risk Explained Summary 119 Part II Apply the Lessons from Part I 121 Chapter 4 KC Enterprises: Lessons Learned in ZT and CTPR 123 Kristina Conglomerate Enterprises 124 KC Enterprises' Cyber Third-Party Risk Program 127 KC Enterprises' Cybersecurity Policy 127 Scope 127 Policy Statement and Objectives 128 Cybersecurity Program 128 Classification of Information Assets 129 A Really Bad Day 130 Then the Other Shoe Dropped 133 Chapter 5 Plan for a Plan 139 KC's ZT and CTPR Journey 139 Define the Protect Surface 143 Map Transaction Flows 146 Architecture Environment 148 Deploy Zero Trust Policies 159 Logical Policies and Environmental Changes 159 Zero Trust for Third-Party Users at KC Enterprises 161 Third-Party User and Device Integrity 161 Third-Party Least-Privileged Access 163 Third-Party User and Device Scanning 165 Zero Trust for Third-Party Applications at KC Enterprises 166 Third-Party Application Development and Workload Integrity 166 Third-Party Application Least-Privileged Access Workload to Workload 168 Third-Party Application Scanning 168 Zero Trust for Third-Party Infrastructure at KC Enterprises 169 Third-Party User Access to Infrastructure 169 Third-Party Device Integrity 170 Third-Party Infrastructure Segmentation 170 Third-Party Infrastructure Scanning 171 Written Policy Changes 172 Identity and Access Management Program 172 Vulnerability Management Program 173 Cybersecurity Incident Management Program 174 Cybersecurity Program 175 Cybersecurity Third-Party Risk Program 175 Third-Party Security Standard 177 Information Security Addendum 181 Assessment Alignment and Due Diligence 198 Third-Party Risk Management Program 202 Legal Policies 203 Monitor and Maintain 205 Part II: Apply the Lessons from Summary 206 Acknowledgments 209 About the Author 211 About the Technical Editor 211 Index 213