Fr. 44.50

Zero Trust and Third-Party Risk - Reduce the Blast Radius

English · Hardback

Shipping usually within 1 to 3 weeks (not available at short notice)

Description


About the author

GREGORY C. RASNER is the author of the previous book Cybersecurity & Third-Party Risk: Third-Party Threat Hunting and the content creator of the training and certification program "Third-Party Cyber Risk Assessor" (Third Party Risk Association, 2023). Greg is the co-chair of the ISC2 Third-Party Risk Task Force and an advisor to local colleges on technology and cybersecurity.

Back cover text

Dramatically lower the cyber risk posed by third-party software and vendors in your organization

In Zero Trust and Third-Party Risk, veteran cybersecurity leader Gregory Rasner delivers an accessible and authoritative walkthrough of the fundamentals and finer points of the zero trust philosophy and its application to the mitigation of third-party cyber risk. In this book, you'll explore how to build a zero trust program and nurture it to maturity. You will also learn how and why zero trust is so effective in reducing third-party cybersecurity risk.

The author uses the story of a fictional organization, KC Enterprises, to illustrate the real-world application of zero trust principles. He takes you through a full zero trust implementation cycle, from initial breach to cybersecurity program maintenance and upkeep. You'll also find:

* Explanations of the processes, controls, and programs that make up the zero trust doctrine
* Descriptions of the five pillars of implementing zero trust with third-party vendors
* Numerous examples, use cases, and stories that highlight the real-world utility of zero trust

An essential resource for board members, executives, managers, and other business leaders, Zero Trust and Third-Party Risk will also earn a place on the bookshelves of technical and cybersecurity practitioners, as well as compliance professionals seeking effective strategies to dramatically lower cyber risk.

List of contents

Foreword xiii
 
INTRODUCTION: Reduce the Blast Radius xvii
 
Part I Zero Trust and Third-Party Risk Explained 1
 
Chapter 1 Overview of Zero Trust and Third-Party Risk 3
 
Zero Trust 3
 
What Is Zero Trust? 4
 
The Importance of Strategy 5
 
Concepts of Zero Trust 6
 
1. Secure Resources 7
 
2. Least Privilege and Access Control 8
 
3. Ongoing Monitoring and Validation 11
 
Zero Trust Concepts and Definitions 13
 
Multifactor Authentication 13
 
Microsegmentation 14
 
Protect Surface 15
 
Data, Applications, Assets, Services (DAAS) 15
 
The Five Steps to Deploying Zero Trust 16
 
Step 1: Define the Protect Surface 16
 
Step 2: Map the Transaction Flows 17
 
Step 3: Build the Zero Trust Architecture 17
 
Step 4: Create the Zero Trust Policy 17
 
Step 5: Monitor and Maintain the Network 19
 
Zero Trust Frameworks and Guidance 20
 
Zero Trust Enables Business 22
 
Cybersecurity and Third-Party Risk 22
 
What Is Cybersecurity and Third-Party Risk? 23
 
Overview of How to Start or Mature a Program 25
 
Start Here 25
 
Intake, Questions, and Risk-Based Approach 27
 
Remote Questionnaires 28
 
Contract Controls 29
 
Physical Validation 30
 
Continuous Monitoring 31
 
Disengagement and Cybersecurity 33
 
Reporting and Analytics 34
 
ZT with CTPR 35
 
Why Zero Trust and Third-Party Risk? 35
 
How to Approach Zero Trust and Third-Party Risk 37
 
ZT/CTPR OSI Model 38
 
Chapter 2 Zero Trust and Third-Party Risk Model 43
 
Zero Trust and Third-Party Users 43
 
Access Control Process 44
 
Identity: Validate Third-Party Users with Strong Authentication 45
 
Five Types of Strong Authentication 47
 
Identity and Access Management 50
 
Privileged Access Management 52
 
Device/Workload: Verify Third-Party User Device Integrity 54
 
Access: Enforce Least-Privilege Access for Third-Party Users to Data and Apps 57
 
Groups 57
 
Work Hours 58
 
Geo-Location 58
 
Device-Based Restrictions 58
 
Auditing 59
 
Transaction: Scan All Content for Third-Party Malicious Activity 59
 
IDS/IPS 60
 
DLP 60
 
SIEM 61
 
UBAD 61
 
Governance 62
 
Zero Trust and Third-Party Users Summary 62
 
Zero Trust and Third-Party Applications 63
 
Identity: Validate Third-Party Developers, DevOps, and Admins with Strong Auth 64
 
Privileged User Groups 64
 
Multifactor Authentication 64
 
Just-in-Time Access 65
 
Privileged Access Management 65
 
Audit and Logging 66
 
Device/Workload: Verify Third-Party Workload Integrity 66
 
Access: Enforce Least-Privilege Access for Third-Party Workloads Accessing Other Workloads 67
 
Transaction: Scan All Content for Third-Party Malicious Activity and Data Theft 68
 
Zero Trust and Third-Party Applications Summary 70
 
Zero Trust and Third-Party Infrastructure 70
 
Identity: Validate Third-Party Users with Access to Infrastructure 71
 
Device/Workload: Identify All Third-Party Devices (Including IoT) 72
 
Software-Defined Perimeter 74
 
Encryption 74
 
Updates 75
 
Enforce Strong Passwords 75
 
Vulnerability and Secure Development Management 75
 
Logging and Monitoring 76
 
Access: Enforce Least-Privilege Access Segmentation for Third-Party Infrastr
