Why your Zero Trust strategy needs a third-party privileged access component
Zero Trust isn’t a buzzword. But to do it right, you need to lock down privileged access. Yes, even for third parties.
So, folks, I’m here to sound an alarm again. The good news, if you can call it that, is you know this already – the attack surface keeps expanding, and we all need to get better at securing our organizations.
And that includes a focus on third-party access management, a type of privileged access management (PAM) that extends to vendor and other third-party users.
Here’s the reality:
- 51% of organizations suffered a data breach over the past year due to poor third-party security
- 61% of breaches are attributed to leveraged credentials
- Ransomware has become the most common attack method in third-party attacks, responsible for 27% of breach initiations
“When business outsources services by sharing data and network access, it inherits the cyber risk from its vendors across their people, processes technolog[y], and that vendor’s third parties,” Saket Modi wrote in his recent TechCrunch article, “To better manage cybersecurity risk, extend zero-trust principles to third parties.”
It’s hard enough to secure your own organization, let alone be responsible for the security of others’, right?
Zero Trust, privileged access management, and third parties
I’ve talked (and written) a lot about how Zero Trust is not a buzzword – it’s an imperative. And for good reason. A Zero Trust security strategy isn’t focused on securing the perimeter – it’s rooted in securing the identity. That’s why digital identity management is so crucial.
A comprehensive Zero Trust strategy, anchored in a digital identity framework, includes many things: single sign-on, multifactor authentication, identity governance, and, yes, PAM. But PAM must include a third-party component. Why? The statistics above speak for themselves.
And I agree with Modi: “The current outside-in approach to managing third-party risk is inadequate… Businesses should establish zero-trust principles for all vendors, assess risk across external and internal assets with inside-out assessments and measure cyber risk in real time.”
Vendor PAM, in practice
If you’re not securing vendor access, then – frankly – you’re not securing access. Period. You’re obsessively closing and locking your doors, but accidentally leaving one wide open.
There’s a better way, folks, I promise.
Imprivata recently acquired SecureLink, the leading third-party privileged access management provider. That means you can secure privileged accounts not only for internal users, but for external users as well. Now from one trusted partner.
Focusing on a comprehensive Zero Trust strategy is, no doubt, your way forward. But as you make headway, just make sure you’re keeping in mind every type of access you need to account for.
Remember to close that open door. And keep it locked. And VPNs are bad. Don’t give access to the entire house via that door when all they need is the bathroom!