This is the second part in a series on zero trust and microsegmentation. Be sure to check out Part 1 here.
Organizations are increasingly using a zero trust approach combined with microsegmentation to carefully balance the needs of security and access. Companies work with most vendors on a purely transactional basis — those vendors simply provide a product or service. But you may hire other vendors that provide a specialized service and expertise that involves a level of collaboration requiring network access.
This might be for a very short time and specific need, such as installing a new technology system. Other vendors may work closely with employees on a project or specific role in more of a contractor capacity. Both your employees and some vendors need access to your system, but you must consider the security aspects of granting that access as well.
What is Microsegmentation?
By starting with the zero trust security approach, your organization verifies all users and devices for access, starting with the assumption that they are not authorized. Next comes network microsegmentation. This creates clearly defined and separated segments for your networks, systems and apps. All users and devices have access only to the areas needed for their specific business purposes. With this combination approach, you reduce the likelihood of an attack and the extent of the damage incurred if an attack does happen.
Learn more on zero trust
How to Set Up Zero Trust and Microsegmentation
Using this approach for vendors requires a step-by-step approach to ensure both security and productivity.
No. 1: Determine the time frame of the vendor relationship. The length of the relationship often drives many access and security decisions. Find out if the vendor needs access for a few days or a few months. Ask questions to determine whether the relationship is likely to be ongoing or a one-time visit. This information helps you determine how to set up zero trust with regards to whether the vendor needs specialized ongoing access or if guest access is sufficient.
No. 2: Understand the business needs. Start by determining the business problem the vendor is solving. You can then establish the tasks they will be performing while working with your company. You also need to identify what unique skills or expertise the vendor brings to the table. Once you gather this information, you can start to build a picture of their role at the company. By using the business needs as the cornerstone, you can benchmark all access and security decisions on this requirement.
No. 3: Consider what your vendors and employees need to work together. Many vendors act as part of the team and collaborate closely, sometimes even sharing files. Think about the vendor’s role and their relationship to your employees. Will they be working together on a project? If so, are they delivering a separate piece that you can add into the project as a standalone, or will they be working together on the same deliverable?
For example, a marketing vendor delivering a white paper does not need the same access as a marketing vendor improving your website’s search engine optimization. Consider what apps, networks and systems they need access to while working for your company. If your company is currently working remotely, also think about their needs both during remote work as well as when your teams return to the office.
Putting Zero Trust in Place
To start choosing the right tech for your needs, identify microsegmentation parameters. Review your current microsegmentation structure while taking into account the vendor’s needs. Note what segments they need access to for business purposes. Determine which segments they need read/write access to, as well as those where the business need can be fulfilled by read-only access need. Consider if there are any new segments that need to be created.
Next, use multifactor authentication (MFA). As an underlying principle of zero trust, MFA provides a higher level of security for each access and significantly reduces the likelihood of a breach. Hopefully, you are using MFA for employees and only need to add the protection for vendors. If you aren’t using MFA for employees, you should add the protection for vendors with the plan to implement the process companywide in the near future.
Last, assign least privileged access. After you have reviewed the microsegmentation needs, the final step is integrating zero trust into your security model. Instead of simply assigning the access, start with the least privileged access the vendor needs. Also determine what devices can be used for access as well as any specific location for access.
Setting Up Vendors (And You) for Success With Zero Trust
With the extensive skills needed for growing a business, vendors often play a critical role in providing specialized products and services that allow your business to reach its goals. While it may be tempting to simply limit vendor access to avoid security risks, this approach often limits your business’s success as well. By combining microsegmentation with zero trust instead, you can leverage the benefits of vendors while also limiting your vulnerabilities.