
4 Best Practices For Zero Trust in TPRM

Most humans want to go into interactions assuming the other party is trustworthy. For many of us, our impulse is to believe the best in people. But in the world we live in today, trust can’t be assumed. The risks are too high. 

That’s true for individuals, but it’s arguably even more important for organizations. The risks of trust are compounded as the number of people and organizations you work with grows. 60% of organizations now work with over 1,000 third parties, and that number is only expected to grow. Each one of those relationships introduces risk. 

When you go one step further and consider the number of third parties each of the organizations you work with has relationships with, the reality of how many points of risk your organization faces is staggering. In this context, hoping you can depend on trust starts to look foolish. 

That explains why 78% of organizations in a recent Forrester survey said they plan to enhance Zero Trust programs to increase security.


What is Zero Trust?

Zero Trust is an approach to security that emphasizes the concept “never trust, always verify.” In practice, that means limiting who has access to internal systems and information to only those who need it. It also means putting processes in place to confirm those people are who they say they are each time they access sensitive information, and regularly reviewing whether they still need that level of access.  

Someone who needed access to a database of sensitive information two years ago shouldn’t just have easy, automatic access moving forward from any device they feel like using. A Zero Trust policy means taking a more thoughtful, critical look at all the individuals and organizations you work with, determining what level of access they need to do their jobs, and confirming they’re trustworthy enough to earn that access.

Zero Trust isn’t easy to implement or stay on top of, but the work involved pays off in much tighter security. 


Why Zero Trust is Valuable

In the past, many organizations saw the main threat to their business as coming from outside the organization. The thinking was that as long as you implemented strong security measures to keep bad actors out of your internal systems—building a strong perimeter—you’d be safe. That doesn’t work so well now for a number of reasons.

To start, building a strong perimeter means a lot less if the natural course of business requires letting hundreds or thousands of people and organizations into the perimeter. That’s now the norm for most organizations. In a recent Ponemon study, 51% of organizations said they’d experienced a data breach caused by a third party. 74% of them noted that it was caused by giving the third party too much privileged access. A strong perimeter won’t help you if the security risk has already been invited inside. 

In addition, when the thousands of people with access also increasingly work from multiple devices and locations, keeping control over your perimeter becomes that much harder. Remote work became even more of a norm and expectation during the pandemic, and that’s not likely to change even when coronavirus risks wane. In Forrester’s survey, 70% of organizations said they struggled to transition to remote work without increasing the risk exposure of employees and their devices. 

However you may want to feel about your employees and third-party vendors, hoping that trust is good enough is a sure path to trouble. Switching to Zero Trust is just smart. It protects the organization and everyone who depends on it. 


How to Implement a Zero Trust Strategy at Your Organization

Recognizing the value of Zero Trust is easy. Actually implementing it is a lot harder. At most organizations, you have to figure out how to completely change “an existing business environment that relies on a myriad of users and computers on the network, and the need to move data internally and externally to its partners day-to-day to achieve its goals,” as Nasser Fattah, Senior Advisor at Shared Assessments describes it. 

That’s no small challenge. But he has a few suggestions for increasing your odds of success. 

  1. Identify and address primary challenges.

Start by understanding what you’re up against. “Zero trust is not a product that we implement to address a security gap,” Fattah explains. “It is more about change in security philosophy.”

Onboarding a new product can be difficult enough, but Zero Trust is much bigger than that. It involves implementing processes across the organization that will mean more work and inconvenience for individuals and the companies they work with, on the path to improving security for everyone. A realistic reckoning of the challenges a Zero Trust project will face in implementation will help you create a more successful plan for making it happen.

  2. Aim for broad buy-in (not just IT).

“Too often, security strategies are seen as an IT exercise,” says Fattah. “When often it is more of a business activity so that security experts can best protect those assets that are most critical to the business.”

Convincing the IT team to care about security is the easy job. Getting everyone else in the organization to care and understand how important security initiatives are is much more challenging. But for Zero Trust to be successful, you need buy-in from more than just the IT department. Getting executives and managers from departments throughout the organization to commit to Zero Trust is key for success. 

  3. Create an inventory of IT assets.

In order to implement Zero Trust, you need to understand who has access to what now, and who needs access to what in order to do their jobs. “Zero trust requires a complete and thorough evaluation of a business’ IT assets,” says Fattah.

That includes “networks, applications, systems, and data, the type of data classification and running processes taking place on such assets, as well as who accesses these assets and for what reasons,” he explains. You need a clear inventory of all that information in order to create an implementation strategy that ensures people are still able to access what they need, but no more than that.
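As an added example that is not part of this post and is not code from Shared Assessments: a small Python model of the two ideas described above, an inventory recording who may reach which asset, with what privileges, and why (this step), and a per-request check that re-verifies the requester, the device and the entitlement every time rather than trusting past access (the “never trust, always verify” definition in the “What is Zero Trust?” section). The principals, assets, justification text, review dates and the 90-day re-certification interval are all constructed sample values.

```python
"""
Added illustration (not from the blog post or Shared Assessments): a minimal
model of a Zero Trust access inventory plus a per-request authorization check.
Every identity, asset, justification and date below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)   # assumed policy: re-certify every grant quarterly
TODAY = date(2024, 6, 1)               # constructed "current date" for the examples


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str          # e.g. "public", "internal", "restricted"


@dataclass
class Entitlement:
    principal: str               # employee or third-party identity
    asset: str
    actions: frozenset           # least privilege: only the actions this role needs
    reason: str                  # business justification recorded at grant time
    last_reviewed: date          # when someone last confirmed the grant is still needed


@dataclass
class Request:
    principal: str
    asset: str
    action: str
    mfa_verified: bool           # identity re-verified for this session, not assumed
    managed_device: bool         # device posture is known and compliant


# Constructed inventory: what exists, how sensitive it is, and who may touch it.
ASSETS = {
    "hr-db": Asset("hr-db", "restricted"),
    "wiki": Asset("wiki", "internal"),
}

ENTITLEMENTS = [
    Entitlement("alice@corp", "hr-db", frozenset({"read"}), "payroll processing", date(2024, 5, 1)),
    # A third-party grant from two years ago with no recorded reason and write rights.
    Entitlement("vendor-x@partner", "hr-db", frozenset({"read", "write"}), "", date(2022, 3, 15)),
    Entitlement("bob@corp", "wiki", frozenset({"read", "write"}), "documentation", date(2024, 5, 20)),
]


def stale_entitlements(entitlements, today):
    """Periodic review: flag grants with no justification or an overdue re-certification."""
    flagged = []
    for e in entitlements:
        problems = []
        if not e.reason:
            problems.append("no business justification")
        if today - e.last_reviewed > REVIEW_INTERVAL:
            problems.append("review overdue")
        if problems:
            flagged.append((e.principal, e.asset, problems))
    return flagged


def authorize(req, entitlements, assets, today):
    """Per-request decision: every check must pass on every request; nothing is trusted by default."""
    asset = assets.get(req.asset)
    if asset is None:
        return False, "unknown asset"
    if not req.mfa_verified:
        return False, "identity not verified for this session"
    if asset.classification == "restricted" and not req.managed_device:
        return False, "restricted data requires a managed device"
    for e in entitlements:
        if e.principal == req.principal and e.asset == req.asset:
            if req.action not in e.actions:
                return False, f"action '{req.action}' not granted"
            if today - e.last_reviewed > REVIEW_INTERVAL:
                return False, "entitlement review overdue; re-certify before use"
            return True, "allowed"
    return False, "no entitlement"


if __name__ == "__main__":
    for principal, asset, why in stale_entitlements(ENTITLEMENTS, TODAY):
        print(f"REVIEW {principal} -> {asset}: {', '.join(why)}")
    print(authorize(Request("alice@corp", "hr-db", "read", True, True), ENTITLEMENTS, ASSETS, TODAY))
    print(authorize(Request("vendor-x@partner", "hr-db", "read", True, True), ENTITLEMENTS, ASSETS, TODAY))
```

Running the block lists the vendor grant for review and shows the two decisions side by side: the grant that was legitimate two years ago is denied until it is re-certified, a verified identity on an unmanaged device still cannot reach restricted data, and an action outside the recorded entitlement is refused even for an otherwise valid user. The inventory is what makes the per-request check possible; without the recorded reason and review date there is nothing to verify against.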

  4. Create a plan and deploy in stages.

Zero Trust isn’t a one-time project, and it won’t happen overnight. It’s a strategy that requires an involved implementation process to get into place, and ongoing work to maintain over time. The only way to achieve all that is by taking it step by step.

Put together a step-by-step plan for Zero Trust with a realistic timeline. Deploy the plan in stages, tracking appropriate metrics as you go to measure success. Then use what you learn at each stage to improve your efforts moving forward. 


Zero Trust is Good for TPRM

Zero Trust may be a hard sell at first, but it can go a long way toward improving your third-party risk management (TPRM). When fewer people have access to sensitive networks and data, you reduce the risk points and decrease the likelihood of a data breach or ransomware attack. That’s well worth the hard work it can take to get to that point.