This is the second part in a series on zero trust and microsegmentation. Be sure to check out Part 1 here.

Organizations are increasingly using a zero trust approach combined with microsegmentation to carefully balance the needs of security and access. Companies work with most vendors on a purely transactional basis — those vendors simply provide a product or service. But you may hire other vendors that provide a specialized service and expertise that involves a level of collaboration requiring network access.

This might be for a very short time and specific need, such as installing a new technology system. Other vendors may work closely with employees on a project or specific role in more of a contractor capacity. Both your employees and some vendors need access to your system, but you must consider the security aspects of granting that access as well.

What is Microsegmentation?

By starting with the zero trust security approach, your organization verifies all users and devices for access, starting with the assumption that they are not authorized. Next comes network microsegmentation. This creates clearly defined and separated segments for your networks, systems and apps. All users and devices have access only to the areas needed for their specific business purposes. With this combination approach, you reduce the likelihood of an attack and the extent of the damage incurred if an attack does happen.


How to Set Up Zero Trust and Microsegmentation

Using this approach for vendors requires a step-by-step approach to ensure both security and productivity.

No. 1: Determine the time frame of the vendor relationship. The length of the relationship often drives many access and security decisions. Find out if the vendor needs access for a few days or a few months. Ask questions to determine whether the relationship is likely to be ongoing or a one-time visit. This information helps you determine how to set up zero trust with regard to whether the vendor needs specialized ongoing access or whether guest access is sufficient.

No. 2: Understand the business needs. Start by determining the business problem the vendor is solving. You can then establish the tasks they will be performing while working with your company. You also need to identify what unique skills or expertise the vendor brings to the table. Once you gather this information, you can start to build a picture of their role at the company. By using the business needs as the cornerstone, you can benchmark all access and security decisions on this requirement.

No. 3: Consider what your vendors and employees need to work together. Many vendors act as part of the team and collaborate closely, sometimes even sharing files. Think about the vendor’s role and their relationship to your employees. Will they be working together on a project? If so, are they delivering a separate piece that you can add into the project as a standalone, or will they be working together on the same deliverable?

For example, a marketing vendor delivering a white paper does not need the same access as a marketing vendor improving your website’s search engine optimization. Consider what apps, networks and systems they need access to while working for your company. If your company is currently working remotely, also think about their needs both during remote work as well as when your teams return to the office.

Putting Zero Trust in Place

To start choosing the right tech for your needs, identify microsegmentation parameters. Review your current microsegmentation structure while taking into account the vendor’s needs. Note what segments they need access to for business purposes. Determine which segments they need read/write access to, as well as those where the business need can be fulfilled by read-only access. Consider whether any new segments need to be created.

Next, use multifactor authentication (MFA). As an underlying principle of zero trust, MFA provides a higher level of security for each access and significantly reduces the likelihood of a breach. Hopefully, you are using MFA for employees and only need to add the protection for vendors. If you aren’t using MFA for employees, you should add the protection for vendors with the plan to implement the process companywide in the near future.

Last, assign least privileged access. After you have reviewed the microsegmentation needs, the final step is integrating zero trust into your security model. Instead of simply assigning the access, start with the least privileged access the vendor needs. Also determine what devices can be used for access as well as any specific location for access.
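The three steps above (segment parameters with read/write versus read-only access, MFA, and least privilege tied to approved devices and locations), together with the time frame from No. 1, can be captured as a single deny-by-default access check. The following Python example is added here and is not code from the original article or from any vendor product; the vendor names, segment names, device ids and locations are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class Access(Enum):
    """Per-segment permission level. A segment absent from a grant means no access."""
    READ = "read"
    READ_WRITE = "read_write"


@dataclass(frozen=True)
class VendorGrant:
    """Everything the article asks you to decide before a vendor is let in."""
    vendor: str
    starts: date                       # No. 1: agreed time frame of the relationship
    ends: date
    segments: dict[str, Access]        # microsegmentation parameters, least privilege
    allowed_devices: frozenset[str]    # which devices may be used for access
    allowed_locations: frozenset[str]  # from which locations (e.g. VPN, office)


# Constructed sample grants (hypothetical vendors and segment names).
GRANTS: dict[str, VendorGrant] = {
    "seo-agency": VendorGrant(
        vendor="seo-agency",
        starts=date(2024, 1, 1),
        ends=date(2024, 6, 30),
        # The SEO vendor edits the site but only reads analytics.
        segments={"web-cms": Access.READ_WRITE, "analytics": Access.READ},
        allowed_devices=frozenset({"vendor-laptop-17"}),
        allowed_locations=frozenset({"vpn", "hq-office"}),
    ),
    "whitepaper-writer": VendorGrant(
        vendor="whitepaper-writer",
        starts=date(2024, 3, 1),
        ends=date(2024, 3, 14),
        # A two-week engagement that only needs to read the marketing share.
        segments={"marketing-share": Access.READ},
        allowed_devices=frozenset({"vendor-laptop-42"}),
        allowed_locations=frozenset({"vpn"}),
    ),
}


def evaluate_request(
    grants: dict[str, VendorGrant],
    vendor: str,
    segment: str,
    action: str,
    mfa_verified: bool,
    device_id: str,
    location: str,
    today_iso: str,
) -> tuple[bool, str]:
    """Zero trust evaluation: deny by default, and every check must pass.

    Returns (allowed, reason) so the reason can be logged for review.
    """
    if action not in ("read", "write"):
        return False, "unknown action"
    grant = grants.get(vendor)
    if grant is None:
        return False, "no grant on file for vendor"
    today = date.fromisoformat(today_iso)
    if not grant.starts <= today <= grant.ends:
        return False, "outside the agreed time frame"
    if not mfa_verified:
        return False, "MFA not completed"
    if device_id not in grant.allowed_devices:
        return False, "device not approved"
    if location not in grant.allowed_locations:
        return False, "location not approved"
    level = grant.segments.get(segment)
    if level is None:
        return False, f"segment '{segment}' not in scope"
    if action == "write" and level is not Access.READ_WRITE:
        return False, "segment is read-only for this vendor"
    return True, f"{action} on '{segment}' allowed"


if __name__ == "__main__":
    # A few constructed requests, showing which check stops each one.
    samples = [
        ("seo-agency", "web-cms", "write", True, "vendor-laptop-17", "vpn", "2024-02-10"),
        ("seo-agency", "analytics", "write", True, "vendor-laptop-17", "vpn", "2024-02-10"),
        ("seo-agency", "web-cms", "read", False, "vendor-laptop-17", "vpn", "2024-02-10"),
        ("whitepaper-writer", "marketing-share", "read", True, "vendor-laptop-42", "vpn", "2024-04-01"),
        ("whitepaper-writer", "web-cms", "read", True, "vendor-laptop-42", "vpn", "2024-03-05"),
    ]
    for sample in samples:
        print(sample[0], sample[1], sample[2], "->", evaluate_request(GRANTS, *sample))
```

The order of checks matters for the reasons you log: time frame and MFA are evaluated before any segment lookup, so an expired engagement or a missing second factor is reported as such rather than as a permissions problem, and a segment that was never put in scope is refused even when every identity check passed.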

Setting Up Vendors (And You) for Success With Zero Trust

With the extensive skills needed for growing a business, vendors often play a critical role in providing specialized products and services that allow your business to reach its goals. While it may be tempting to simply limit vendor access to avoid security risks, this approach often limits your business’s success as well. By combining microsegmentation with zero trust instead, you can leverage the benefits of vendors while also limiting your vulnerabilities.
