Recent mass cyberattacks that exploited vulnerabilities in software such as MOVEit, Log4j and SolarWinds Orion have served as prime examples of why companies must extend their zero-trust policies to third-party users, devices and infrastructure. But more work needs to be done, especially around identity and access management, for organizations to reach the level of zero-trust maturity they need to securely collaborate with third parties, said Greg Rasner, author and speaker at InfoSec World 2023 in Orlando, Florida.
“The identity and access piece is the one that has the largest barrier; it’s the one that folks are struggling with,” said Rasner in an interview with SC Media prior to his conference presentation on this very topic. Rasner penned the instructional books “Cybersecurity & Third-Party Risk” and “Zero Trust and Third-Party Risk,” and he also serves as SVP, cybersecurity third party risk at bank holding company Truist Financial — though he was not presenting in the latter capacity.
IAM “is a core component of any zero-trust deployment, because if you don’t know who’s on your network or what’s on your network, then you’re over-trusting,” Rasner continued. For that reason, a major hurdle on one’s zero-trust journey is the “inability to understand what’s on your network or who’s on your network through robust identity and access policies.”
Moreover, “If you look at… phishing and ransomware attacks, they’re focusing in on the identity pieces,” Rasner added. “They’re getting folks to click on links and [reveal their] credentials.”
According to Rasner, another area where organizations sometimes fall short or under-invest is logging and monitoring via tools such as SIEM solutions, which can help organizations become more “context-aware” and “make fairly quick decisions about whether a user or a product should be on the network, or shouldn’t.”
Asked which categories of third-party partners currently represent especially at-risk groups, Rasner cited SaaS providers due to the risk of software bug exploitation.
“Software is made by humans, humans make mistakes,” said Rasner. And yet, “We don’t ask vendors enough about things like [their] software development lifecycle, how are they monitoring and managing that cloud infrastructure — because it’s sort of a black box, particularly for folks in the third-party practitioner space.”
For more details on Rasner’s InfoSec World presentation, watch the full video interview embedded within this article.