As if managing a constantly changing mix of remote and office workers wasn't messy enough, third-party risk is now among the biggest security issues boardrooms face. High-profile supply chain failures such as the 2020 SolarWinds attack showed how a single compromised supplier can cascade into a systemic risk for the wider supply chain ecosystem.
Companies have a lot riding on third-party ecosystems. Partners can transform your supply chain and unlock large pools of value: landing new customers, cutting production and delivery times, and delivering a better customer experience. As business ecosystems grow more complex and geographically dispersed, IT leaders are expected to advise boards of directors on the digital risks those third-party relationships carry. So, how concerned should you be about third-party digital risk? In short, very concerned.
Third-party risks in the digital world
Gartner research shows that more than eight out of ten companies discover third-party risks after conducting due diligence, with over 31 percent of those risks having a material impact on the business.
Broadly speaking, a third party is an external entity that your company does business with. This can include service providers, suppliers, vendors, contract manufacturers, distributors, resellers, and auditors, to name a few.
It has been a core function of IT to protect company operations and keep the bad guys out of internal networks with firewalls and virtual private networks (VPNs). With the acceleration of digital transformation, however, it is often necessary to give third-party users access to the organization's most sensitive data. This means making B2B applications and services available to their external supply chain and customers over the internet. A whopping 82 percent of companies give third parties access to all of their cloud-based data. The problem is that you have little insight into your partner's security protocols or the devices they use to connect to your IT and industrial networks.
Misplaced trust in third parties creates security headaches for the board and IT
VPN is one of the traditional methods of connecting third parties to backend systems. A VPN places the user on the network with routed IP access to whatever subnets it exposes, so they can scan, discover, and potentially snoop on private applications and data that have nothing to do with the task they were granted access for.
This approach has two problems. Let's start with the user experience.
VPN entails forcing the user through a single entry point and backhauling their traffic to a central inspection point, such as a data center or a public cloud region. In other words, you send the user over a circuitous route for a traffic security check, adding latency to every connection they make.
The expanded attack surface is the other challenge. A VPN depends on an inbound gateway that sits at the edge of the network and listens on a publicly reachable port for connections, which means anyone scanning the internet can find it. Clustering and load balancing these stacks across multiple ingress points for high availability multiplies those exposed endpoints. With this architecture you have to defend not only the listening service itself, but also everything the third-party user can reach once connected, because each of those systems becomes reachable to an attacker who compromises that user's credentials or device.
Managing third-party security risks to create and protect value
Third-party users are often unaware of the implications and dangers of over-privileged access, which can put your entire system and operations at risk. It's time to replace this traditional method of connecting third parties to the network, since it no longer works in a world where data and apps are distributed. With a continuous, iterative approach built on the principles of zero trust, you can effectively manage your third-party risks:
- Secure application connectivity without network access. Never place third-party users directly on your network. Eliminate over-privileged access to critical applications, data, and systems.
- Minimize the external and internal attack surface. Assess your exposed services with our internet attack surface analysis tool. Reduce risk with application microsegmentation and policy-based access regardless of where the user connects from or what they connect to. Create a zero trust, segment-of-one connection between the partner and only the resource they need to reach.
- Monitor suspicious activity. Assume any user or device may be compromised. Log every resource a user touches, and continuously verify both that they are who they claim to be and that they are doing only what their role requires.
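To make the three principles above concrete, here is an added example (not code from the original post or from Zscaler) of a minimal application-level access broker in Python. Unlike the routed VPN model described earlier, a partner can only ask for an application by name, never for a host or subnet; each request is evaluated from scratch against the partner's entitlements, device posture, MFA state, and contract end date; and every decision is recorded so you can see exactly which resources a user touched. The application catalogue, partner organisation, user, and request scenarios are all constructed sample data.

```python
"""Application-level access broker for third-party users (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed catalogue: partners request an application by name, never a
# host or subnet, so the broker decides reachability instead of the network.
APPS: Dict[str, str] = {
    "invoice-portal": "10.20.0.15:443",
    "erp-api": "10.20.0.22:8443",
    "hr-db": "10.30.0.5:5432",
}


@dataclass(frozen=True)
class Policy:
    """Entitlements for one partner organisation (hypothetical data)."""
    org: str
    apps: FrozenSet[str]
    contract_end: datetime          # access ends with the contract, not later
    require_mfa: bool = True
    require_managed_device: bool = True


@dataclass(frozen=True)
class Request:
    user: str
    org: str
    app: str
    mfa: bool
    device_managed: bool
    at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    target: Optional[str] = None    # connector target, present only on allow


class AccessBroker:
    """Evaluates every request from scratch and records it (no standing session)."""

    def __init__(self, policies: List[Policy]) -> None:
        self._policies = {p.org: p for p in policies}
        self.audit: List[dict] = []

    def decide(self, req: Request) -> Decision:
        decision = self._evaluate(req)
        self.audit.append({"at": req.at, "user": req.user, "app": req.app,
                           "allowed": decision.allowed, "reason": decision.reason})
        return decision

    def _evaluate(self, req: Request) -> Decision:
        policy = self._policies.get(req.org)
        if policy is None:
            return Decision(False, "unknown partner org")
        if req.at >= policy.contract_end:
            return Decision(False, "contract terminated")
        if req.app not in APPS:
            return Decision(False, "unknown application")   # nothing to scan for
        if req.app not in policy.apps:
            return Decision(False, "application not entitled")
        if policy.require_mfa and not req.mfa:
            return Decision(False, "MFA required")
        if policy.require_managed_device and not req.device_managed:
            return Decision(False, "unmanaged device")
        return Decision(True, "ok", APPS[req.app])

    def resources_touched(self, user: str) -> List[str]:
        """Every application the user actually reached, for monitoring."""
        return [e["app"] for e in self.audit if e["user"] == user and e["allowed"]]


def run_demo() -> Tuple[AccessBroker, Dict[str, Decision]]:
    """Constructed scenarios: one entitled request and four that must fail."""
    contract_end = datetime(2025, 12, 31, tzinfo=timezone.utc)
    broker = AccessBroker([Policy("acme-supply", frozenset({"invoice-portal"}), contract_end)])
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    base = dict(user="ann@acme-supply.example", org="acme-supply",
                mfa=True, device_managed=True, at=now)
    scenarios = {
        "entitled": Request(**{**base, "app": "invoice-portal"}),
        "lateral": Request(**{**base, "app": "hr-db"}),        # same network, not entitled
        "raw_host": Request(**{**base, "app": "10.30.0.5"}),   # IP targets do not exist here
        "no_mfa": Request(**{**base, "app": "invoice-portal", "mfa": False}),
        "expired": Request(**{**base, "app": "invoice-portal",
                              "at": datetime(2026, 1, 2, tzinfo=timezone.utc)}),
    }
    return broker, {name: broker.decide(r) for name, r in scenarios.items()}


if __name__ == "__main__":
    _, results = run_demo()
    for name, d in results.items():
        print(f"{name:9} allowed={d.allowed!s:5} reason={d.reason}")
```

The important design choice is that `_evaluate` is run on every request rather than once at login: a contract that ends, or a device that drops out of management, is denied on the very next request, and the `audit` list is the record you would feed to monitoring to spot a partner probing applications they are not entitled to.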
Four questions you should ask about third-party risk
By overcoming the pandemic-induced stress tests on business operations, IT leaders stepped onto a much bigger stage, extending their influence and role within their companies. With this comes the opportunity to speed up digital transformation for your business ecosystem and add lasting value. So, how can you ensure partners stay productive while staying vigilant against attacks on your company?
Here are four questions you should be asking your teams to assess your third-party risks:
- How quickly can a vendor or partner get access to our systems today?
- Who are the third-party users that need access to our data, applications, and other sensitive info, and what would happen if they were compromised?
- What is our approach to granting access to our systems during the different phases of the third-party lifecycle: pre-contract due diligence, contracting, onboarding, monitoring, and termination?
- Is third-party access to the network really necessary?
Zero trust makes collaborating with partners simple and safe
The Zscaler Zero Trust Exchange is a modern approach that enables fast, secure connections and allows your partners to collaborate with you from anywhere. Based on the zero trust principle of least-privileged access, it provides comprehensive security using context-based identity and policy enforcement.
Zscaler has one big advantage in solving the problem of secure third-party access. Our Zero Trust Exchange runs across 150 data centers worldwide, so the service is close to your external users and co-located with the cloud providers and applications they are accessing. That keeps the path between users and their destinations short and the user experience fast. With Zscaler, you can reduce costs by eliminating expensive VPNs, reduce risk by removing the attack vectors bad actors target, and empower your business to collaborate productively with external partners.
It’s time to take your business ecosystem to the next level by managing third-party risk with zero trust network access for your private apps. Let us help you take the next steps on your transformation journey.