This is the second part in a series on zero trust and microsegmentation. Be sure to check out Part 1 here.

Organizations are increasingly using a zero trust approach combined with microsegmentation to carefully balance the needs of security and access. Companies work with most vendors on a purely transactional basis — those vendors simply provide a product or service. But you may hire other vendors that provide a specialized service and expertise that involves a level of collaboration requiring network access.

This might be for a short time and a specific need, such as installing a new technology system. Other vendors may work closely with employees on a project or in a specific role, more in a contractor capacity. Both your employees and some vendors need access to your systems, but you must also consider the security implications of granting that access.

What is Microsegmentation?

By starting with the zero trust security approach, your organization verifies all users and devices before granting access, starting from the assumption that they are not authorized. Next comes network microsegmentation. This creates clearly defined and separated segments for your networks, systems and apps. All users and devices have access only to the segments needed for their specific business purposes. With this combined approach, you reduce both the likelihood of an attack and the extent of the damage if an attack does happen.


How to Set Up Zero Trust and Microsegmentation

Applying this approach to vendors requires a step-by-step process to ensure both security and productivity.

No. 1: Determine the time frame of the vendor relationship. The length of the relationship often drives many access and security decisions. Find out if the vendor needs access for a few days or a few months. Ask questions to determine whether the relationship is likely to be ongoing or a one-time visit. This information helps you decide whether the vendor needs specialized ongoing access or whether guest access is sufficient.

No. 2: Understand the business needs. Start by determining the business problem the vendor is solving. You can then establish the tasks they will be performing while working with your company. You also need to identify what unique skills or expertise the vendor brings to the table. Once you gather this information, you can start to build a picture of their role at the company. By using the business needs as the cornerstone, you can benchmark all access and security decisions on this requirement.

No. 3: Consider what your vendors and employees need to work together. Many vendors act as part of the team and collaborate closely, sometimes even sharing files. Think about the vendor’s role and their relationship to your employees. Will they be working together on a project? If so, are they delivering a separate piece that you can add into the project as a standalone, or will they be working together on the same deliverable?

For example, a marketing vendor delivering a white paper does not need the same access as a marketing vendor improving your website’s search engine optimization. Consider what apps, networks and systems they need access to while working for your company. If your company is currently working remotely, also think about their needs both during remote work as well as when your teams return to the office.

Putting Zero Trust in Place

To start choosing the right tech for your needs, identify microsegmentation parameters. Review your current microsegmentation structure while taking into account the vendor’s needs. Note which segments they need access to for business purposes. Determine which segments they need read/write access to, as well as those where the business need can be fulfilled by read-only access. Consider whether any new segments need to be created.

Next, use multifactor authentication (MFA). As an underlying principle of zero trust, MFA provides a higher level of security for each access and significantly reduces the likelihood of a breach. Hopefully, you are using MFA for employees and only need to add the protection for vendors. If you aren’t using MFA for employees, you should add the protection for vendors with the plan to implement the process companywide in the near future.

Last, assign least privileged access. After you have reviewed the microsegmentation needs, the final step is integrating zero trust into your security model. Instead of simply assigning the access, start with the least privileged access the vendor needs. Also determine which devices can be used for access, as well as any specific locations from which access is permitted.
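The three steps above (segment scope with read-only versus read/write, MFA, least privilege bounded by device, location and the relationship's time frame) can be expressed as a single default-deny policy check. This is an added illustration, not code from the article; the vendor name, segment names, device identifier and expiry date are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class VendorPolicy:
    vendor: str
    expires: datetime             # No. 1: time frame of the relationship
    segments: dict                # segment -> "ro" or "rw" (least privilege)
    allowed_devices: frozenset    # devices approved for this vendor
    allowed_locations: frozenset  # e.g. "office", "vpn"
    mfa_required: bool = True     # MFA is the underlying zero trust principle

@dataclass(frozen=True)
class AccessRequest:
    vendor: str
    segment: str
    action: str                   # "read" or "write"
    device: str
    location: str
    mfa_verified: bool

def evaluate(policy, req, now):
    """Default deny: every check must pass for one request to be allowed."""
    if req.vendor != policy.vendor:
        return False, "policy does not cover this vendor"
    if now >= policy.expires:
        return False, "vendor relationship has expired"
    if policy.mfa_required and not req.mfa_verified:
        return False, "MFA not verified for this request"
    if req.device not in policy.allowed_devices:
        return False, "device not approved for this vendor"
    if req.location not in policy.allowed_locations:
        return False, "location not approved for this vendor"
    level = policy.segments.get(req.segment)
    if level is None:
        return False, "segment outside the vendor's microsegmentation scope"
    if req.action not in ("read", "write"):
        return False, "unknown action"
    if req.action == "write" and level != "rw":
        return False, "segment is read-only for this vendor"
    return True, "allowed"

# Constructed sample policy for a hypothetical SEO vendor (not from the article)
SEO_VENDOR = VendorPolicy(
    vendor="seo-vendor",
    expires=datetime(2024, 7, 1, tzinfo=timezone.utc),
    segments={"web-cms": "rw", "analytics": "ro"},
    allowed_devices=frozenset({"laptop-0421"}),
    allowed_locations=frozenset({"office", "vpn"}),
)
```

Each request is evaluated on its own, so a vendor who passed yesterday is re-checked today against the same expiry, MFA, device and location constraints.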

Setting Up Vendors (And You) for Success With Zero Trust

With the extensive skills needed for growing a business, vendors often play a critical role in providing specialized products and services that allow your business to reach its goals. While it may be tempting to simply limit vendor access to avoid security risks, this approach often limits your business’s success as well. By combining microsegmentation with zero trust instead, you can leverage the benefits of vendors while also limiting your vulnerabilities.
