Recent events have made third party and supply chain risk a top-of-mind security concern for many organizations. However, managing these risks can be difficult without the proper tools. By deploying SASE and SDP security solutions, an organization can implement and enforce a zero trust strategy that dramatically reduces exposure to third party risk.
The Many Sources of Third Party Risk
Third party risk is any risk that originates from trusted sources outside of an organization. However, this is a pretty wide definition. A number of different sources of third party risk exist, including:
- Third Party Applications: Every organization uses applications that are developed by another organization, and these applications are trusted because their developer is a reputable and trusted organization. However, software vulnerabilities or a compromise of the developer’s systems can turn these trusted applications into a potential attack vector for cybercriminals.
- Trusted External Users: Many organizations have suppliers, partners, and vendors that have authorized access to their environments and systems. However, if these third party user accounts are compromised, an attacker can use them to gain access to an organization’s environment.
- Open Source Code: Many organizations have applications that are built using third party code and libraries. Often, these organizations lack visibility into these dependencies, meaning that they may include unknown vulnerabilities or built-in backdoors.
In all of these cases, an organization trusts an external party to be secure. When this trust is exploited, it undermines the security of the business.
Recent Attacks Underscore the Impacts of Third Party Risk
The end of 2020 and the first few months of 2021 were a case study in third party risk. Attackers exploited third party trust relationships in a number of high-profile incidents, including:
- SolarWinds: Attackers gained access to SolarWinds’ development environment and embedded backdoor malware into its Orion network monitoring product, providing access to the networks of tens of thousands of SolarWinds’ customers.
- Accellion: A vulnerability in a legacy file transfer app – used to transfer files that couldn’t be attached to an email – allowed attackers to access and download all of the sensitive data that an organization sent via the app.
- Microsoft Exchange: A set of vulnerabilities in Microsoft Exchange servers led to multiple malware campaigns that used the vulnerabilities for information theft and to deliver ransomware.
Any of these cybersecurity incidents would be a major event in and of itself. The fact that three were discovered in a matter of months underscores the importance and impact of third party risk to an organization.
Zero Trust Security is Essential to Third Party Risk Management
The major impacts of third party risk originate from the fact that many organizations are still using a legacy security model. Under a perimeter-based security model, the focus is on defending the network boundary. By deploying security solutions there, the organization attempts to detect and block most threats before they enter the corporate network and its systems.
This model is based on the assumption that all cybersecurity risk and threats originate from outside the network. While this may be generally true, the assumption that the organization monitors and defends all access points to the network (another core assumption of the model) is obviously false, as demonstrated by recent breaches like the SolarWinds hack.
Effective third party risk management requires acknowledging that even “trusted” systems and entities can pose a threat to an organization, meaning that an organization should not implicitly trust anything. This is the basis for the zero trust security model, and implementing and enforcing zero trust security is essential to minimizing the probability and impact of cybersecurity incidents exploiting third party risk.
Implementing Zero Trust Security Both Inside and Out
Adopting a zero trust security model is relatively simple. Actually implementing and enforcing it is more difficult. Zero trust enforcement requires implementing and enforcing access controls consistently throughout an organization’s entire IT infrastructure.
At the network level, zero trust needs to be enforced on both north-south and east-west traffic flows. Secure access service edge (SASE) provides the ability to do both:
- North-South: SASE implements software-defined perimeter (SDP), which is also called zero trust network access (ZTNA). SDP/ZTNA imposes zero trust access controls on requests to applications and other resources from external users. This limits external access to applications that could contain exploitable vulnerabilities.
- East-West: SASE implements the corporate WAN and integrates a full security stack into each SASE point of presence (PoP). This means that east-west traffic can be inspected by SASE PoPs and have access controls applied based on zero trust principles.
Third party risk management can be complex, and implementing zero trust security is an essential part of accomplishing it. Using the right tools for the job – like SASE – is critical to consistently and effectively enforcing zero trust throughout the organization.