Ben's Book of the Month: Zero Trust and Third-Party Risk: Reduce the Blast Radius


Posted on by Ben Rothke

There’s an old corny joke about a shady company looking to hire an accountant. When they ask one candidate what two plus two is, he answers “Whatever you want it to be”. To which they reply, “You are hired!”. That sort of explains the somewhat amorphous nature of accounting.

Similarly, ask 50 information security professionals what zero trust security is and you will likely get a number of divergent answers, some of which amount to: zero trust is whatever you want it to be.

Zero trust (ZT) and zero trust network (ZTN) security mean that no one is trusted by default, whether inside or outside the network, and that every request for access to a network resource must be verified. Various vendors and governments have, however, defined the term in numerous ways.

NIST, for example, writes in SP 800-207 that ZT is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources, and that a zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).
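To make the NIST definition concrete, here is an added example (my own illustration, not code from Rasner's book or from NIST) contrasting the old perimeter model, where a source address on the corporate LAN is enough to be trusted, with a zero-trust policy decision that verifies the identity assertion, the device's posture, and a per-resource policy on every request. The identity-provider signing key, the device inventory, and the policy table are all constructed for the example, and the third-party flag on the vendor identity is a hypothetical claim used to show how a vendor's access can be scoped to the one resource it needs.

```python
"""Added example: a toy policy decision point contrasting a perimeter check
with a zero-trust check.  Not from the book under review; the signing key,
device inventory and policy table below are constructed for illustration."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IDP_SECRET = b"example-idp-signing-key"   # hypothetical identity-provider key
CORP_NET = ip_network("10.0.0.0/8")        # the "trusted" LAN of the old model


def perimeter_decision(src_ip: str) -> bool:
    """Legacy model: anything originating inside the corporate network is trusted."""
    return ip_address(src_ip) in CORP_NET


def mint_token(subject: str, roles: list, device_id: str, exp: int,
               third_party: bool = False, secret: bytes = IDP_SECRET) -> str:
    """Issue an HMAC-signed identity assertion (stands in for an IdP-issued token)."""
    claims = {"sub": subject, "roles": roles, "dev": device_id, "exp": exp, "tp": third_party}
    payload = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + mac


def verify_token(token: str, secret: bytes = IDP_SECRET, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_hex, mac = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


# Constructed device-posture inventory, as an MDM or EDR feed would supply it.
DEVICE_POSTURE = {
    "lap-0042": {"managed": True, "patched": True},
    "vendor-17": {"managed": False, "patched": True},   # a vendor's own laptop
}

# Constructed per-resource policy: allowed roles, posture requirements, and
# whether third-party identities may reach the resource at all.
POLICY = {
    "payroll-db": {"roles": {"hr-admin"}, "require_managed": True, "third_party": False},
    "ticketing-api": {"roles": {"support", "vendor-support"}, "require_managed": False, "third_party": True},
}


@dataclass
class Request:
    token: str
    src_ip: str    # recorded for audit; never a basis for trust
    resource: str


def zero_trust_decision(req: Request, now=None):
    """Evaluate every request on identity, device posture and resource policy.

    Returns (allowed, reason).  req.src_ip is deliberately never consulted:
    being on the corporate LAN grants nothing, and unknown resources are denied.
    """
    claims = verify_token(req.token, now=now)
    if claims is None:
        return False, "identity not verified"
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not set(claims["roles"]) & policy["roles"]:
        return False, "role not authorized for resource"
    if claims["tp"] and not policy["third_party"]:
        return False, "third-party identity not permitted on this resource"
    posture = DEVICE_POSTURE.get(claims["dev"])
    if posture is None:
        return False, "unknown device"
    if policy["require_managed"] and not posture["managed"]:
        return False, "unmanaged device"
    if not posture["patched"]:
        return False, "device posture failed"
    return True, "allow"


if __name__ == "__main__":
    now = int(time.time())
    alice = mint_token("alice", ["hr-admin"], "lap-0042", now + 300)
    vendor = mint_token("acme-support", ["vendor-support"], "vendor-17", now + 300, third_party=True)
    print("perimeter, internal IP:", perimeter_decision("10.1.2.3"))
    print("zero trust, alice from internet:", zero_trust_decision(Request(alice, "203.0.113.5", "payroll-db")))
    print("zero trust, vendor on LAN to payroll:", zero_trust_decision(Request(vendor, "10.1.2.3", "payroll-db")))
```

The point of the two functions side by side is the one the NIST text makes: in the perimeter model an attacker who lands on any 10.0.0.0/8 host inherits trust, whereas the zero-trust check gives the same host nothing until it presents a valid, unexpired identity and a device that meets the resource's policy. Running the block shows the vendor identity being allowed to the ticketing API it needs and refused at the payroll database, which is the "reduce the blast radius" idea of the book's title applied to a third party.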

But for those looking for insight into the often messy topic that is ZT, Zero Trust and Third-Party Risk: Reduce the Blast Radius (Wiley) by Gregory Rasner is a good high-level resource. Rasner is the author of Cybersecurity and Third-Party Risk: Third-Party Threat Hunting, which I reviewed in 2022, and this book builds on many of the topics detailed there.

Rasner gives the reader a high-level overview of the fundamentals of ZT & ZTN. He details how to start a ZT program from the ground up, with a focus on implementing zero trust with third-party vendors.

While at Forrester Research, John Kindervag created the zero trust model of cybersecurity. Since then it has morphed into many different things, to the degree that in 2017 Forrester did a ZT refresh and created Zero Trust Extended (ZTX), much of it centered on integrating ZT more fully with cloud computing.

Rasner does a good job of having the reader ask a lot of questions to determine whether they can realistically leverage ZT. If you or your vendors can't answer these core ZT questions, then you don't yet understand ZT and should not move forward on any ZT initiative.

Too many firms consider ZT because vendors have been pushing it and it has been a hot Gartner topic, yet many don't have a clue why they truly need it. As the book shows, an implementation begun without that understanding is bound to fail. The book therefore provides the reader with a good starting point from which to commence their ZT journey.

While ZT is all the rage, so much so that it was hard to walk more than 20 feet on the expo floor at RSA Conference 2023 without running into a vendor touting it, it remains a complex and evolving set of technologies, and implementing it correctly is a serious endeavor.

But for those brave enough to attempt to tackle the topic of ZT, Zero Trust and Third-Party Risk is a good starting point. 


Contributors
Ben Rothke

Senior Information Security Manager, Tapad



Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

