So you want to start a zero-trust initiative at your organization but don’t know where to start.
First, kudos to you for making the decision to replace the outdated perimeter security approach with an innovative framework built on identity-based access and security controls. As for not knowing where to begin, take a deep breath and let us help you break down your journey to zero-trust network access (ZTNA) into three smaller and more manageable transitions based on user groups.
Here at Cyolo, our experience shows that a three-step process to implement ZTNA proves most effective for a majority of organizations.
Breaking down your zero-trust journey in this way not only makes it less intimidating, but it will also allow you to see meaningful results much more quickly.
Nearly every company hires third-party vendors and contractors to perform tasks that are too costly or complicated to handle in-house. When you bring in third-party users and services, you are often giving a boost to your business. However, you are also absorbing the entire attack surface of that third-party organization, thus increasing your own risk of a cyberattack or breach.
According to a 2021 Ponemon report, 51% of organizations suffered a data breach caused by a third party, and 74% of those breaches were due to not enforcing least privilege access.
Along with third-party vendors, users (whether internal or external) who access critical systems and infrastructure also pose a higher-than-average level of risk. This is because the systems they work on are crucial to business operations and potentially also to human life and safety. As the 2021 incidents at the Colonial Pipeline and the water treatment facility in Oldsmar, Florida plainly demonstrated, attacks against critical infrastructure can cause not only financial damage but also very real physical and environmental consequences.
Third-party vendors and workers who access critical systems are likely a small subset of your overall user base, but they generally pose the greatest risk. The good news is that ensuring their ability to access applications securely will give your organization the biggest security boost. This is precisely why Cyolo recommends beginning your zero-trust journey by focusing on high-risk users.
There’s no getting around the fact that most organizations simply must use third-party vendors and give them access to internal systems and applications. Even if your security controls are top-notch, bad hygiene on the vendor’s side can compromise your own security posture and can lead to breaches, as in the case of the 2022 Okta breach. This puts your organization in a security conundrum and can cause serious headaches for security and IT teams.
The logistics of forcing a third party to comply with your own security controls and processes are simply unmanageable. In addition, you most likely do not have the right to require vendors or contractors to install your security applications onto their devices instead of using the security measures they already have in place. Some organizations solve this scenario by sending managed corporate devices out to third-party users, but this is a costly and difficult solution. Many others depend on virtual private networks (VPNs), but these are inefficient and have serious security shortcomings that will be addressed in the next blog of this series.
So, how do you secure third-party users without forcing them to download apps, adopt behaviors, or use your devices? Keep in mind, it’s hard enough to get your own employees to follow your security protocols, much less third-party users.
This leaves you looking for an affordable secure access solution that can easily be implemented for third-party users and high-risk internal employees.
Zero-trust access is the best way to enable secure connections for high-risk users. By definition, ZTNA enforces least privilege access whether users are internal or external and whether they’re using managed or unmanaged devices. Simply put, every user is verified according to their identity and then granted access to only the necessary applications, with no access ever given to the network itself.
Still, it is important to recognize that many ZTNA providers require their applications to be downloaded on every device, which is problematic for third-party users. Cyolo avoids this issue with its agentless-first approach. Unlike other ZTNA products, the Cyolo platform can be easily accessed in the user’s web browser using on-prem, native, or cloud clients.
Cyolo also differs from other zero-trust access tools in that it provides supervisory controls that can be applied to specific high-risk critical applications and third-party users. These capabilities include real-time monitoring and live session recording, which are essential for auditing purposes as well as many compliance mandates.
Another key feature offered by Cyolo is supervised access, which requires users to request access from an administrator before connecting to sensitive systems or applications. Once approval is granted, the admin can interact with that user’s session and terminate it immediately if unusual activity is suspected.
Migrating high-risk users from VPNs and other traditional access solutions that provide full network access without any real-time monitoring will dramatically reduce an organization’s attack surface. Once these users are connecting via secure, identity-based zero-trust access, organizations can move on to step 2, securing access for remote users.
To learn more about the risks of third-party access and how to mitigate them with a security approach based on zero-trust access, read this white paper.
Author
Samuel is the Director of Product Marketing at Cyolo. Before cybersecurity, he spent 7 years working in the ER and loves to tell stories. He is the husband to one, father to four, lives in Bozeman, MT, and would rather be outside. He holds an M.A. in Strategic Leadership from Life Pacific University.