“Supplier system failure” — these were the three words that a spokesperson from Toyota offered to the press in February, after news that one of their suppliers, Kojima Industries Corp., suffered a cyberattack. Toyota was forced to halt the production of over 13,000 vehicles (about 5% of their monthly output) — a reminder of the sinister impact a breach has on the business. Kojima Industries provides vital air-conditioning, steering wheel components, and other interior and exterior vehicle parts to the world’s largest car manufacturer.
While this is the most recent high-profile example of a third party’s impact on a major business, the last year has seen several other notable supply chain attacks. SolarWinds, Kaseya, Codecov, ua-parser-js, and Log4j are examples of how ransomware and data theft are on the rise.
Like Toyota, many companies rely on their business ecosystem of partners, suppliers, vendors, and even business-to-business customers for their success. Robust third-party relationships provide a disruptive advantage for companies — in many cases providing value far superior to anything a company could develop on its own.
Third parties provide geographical reach, scale, and flexibility that a company on its own, even a global conglomerate, simply can’t replicate.
This vast interconnectedness between a company and its partners often requires connecting partners to company networks through technologies like VPN or VDI. Handled carelessly, this is where the business ecosystem introduces risk — and it is the single largest reason partner connections are quickly becoming a popular entry point for cybercriminals across the globe.
Exploiting the Business Through Its Ecosystem
Cybercriminals are slick. They know that these partners often have weaker security protocols in place, and that a supplier can have access to dozens, if not hundreds, of other company networks. That is why ecosystem partners are so heavily targeted: they’re the ultimate conduit to scale an attack.
IT teams must work to eliminate technologies that grant overprivileged access to partners — and the mindset that network access is a requirement for application access. It’s not true. Technologies like VPN and VDI inherently trust a third-party user and place them directly on the corporate network. This only expands the attack surface and increases the probability of an attack.
Think about it. A vendor tasked with updating critical infrastructure on behalf of the customer connects through a VPN to the customer’s network to troubleshoot or make updates; suppliers who need access to inventory management apps to create or cancel orders connect over VPN. Business customers who need access to web portals to learn about new services log in with a username and password — forcing the web app to be exposed to the internet. Not to mention that managing the identity lifecycle of partners, who are constantly coming and going, is a security and logistical nightmare: another entry point for a savvy threat actor.
Putting the Zero Trust in Partnerships
The irony is that zero trust is what’s best for the business. For third-party risk management to be effective, it must be based on the belief that even “trusted” systems and entities can pose a threat to an organization. As such, companies are turning to zero trust access technologies to address security issues related to third-party risk. One research group that tracks zero trust shows that adoption has steadily grown from 24% in 2019 to 46% in 2021, and it’s estimated to continue growing to 52% of companies by the end of 2022.
The goal of zero trust is to never implicitly trust any entity when accessing business resources.
Zero trust network access (ZTNA) solutions are often the first step in the zero trust journey. These are modern, often cloud-delivered, services used for securing access to private applications. ZTNA securely connects authorized users to specific applications based on identity and policies — without extending access to the corporate network, or requiring the application, or its underlying infrastructure, to be exposed to the Internet. They provide a sort of application-level segmentation that allows network security teams to achieve a level of segmentation that’s virtually impossible with traditional solutions like internal firewalls. This minimizes lateral movement on the network and ensures that third parties can only access business data when authorized, and without access to anything else on the network.
Through integrations with technologies like the IdP and endpoint security, the context in which a partner attempts to access an app is continuously re-evaluated. This allows the IT team to set automatic triggers to revoke access and protect against attempted attacks. Some ZTNA services also ensure that private traffic is inspected so IT can determine precisely what each partner accesses, the files they may have downloaded (to prevent data leakage), and even the commands they used.
In defining ZTNA, the National Institute of Standards and Technology (NIST) says it is designed to “eliminate the uncertainty in enforcing accurate access decisions in information systems and services.”
ZTNA provides simplified, least-privileged access from any device while mitigating malware vulnerabilities. As enterprises adopt zero trust by deploying ZTNA services for third-party users first, many quickly realize the benefits of extending its value to employees, as well.
In fact, Gartner expects that by 2023 60% of enterprises will replace the remote access VPN with a ZTNA solution. Further, 80% of new digital business applications made available to ecosystem partners will be accessed through ZTNA by the end of this year.
It’s inarguable that companies will continue to grapple with a steady increase in cyberattacks.
By utilizing ZTNA services, the first leg of the zero trust adventure, companies can protect networks and resources, repel cyberattackers, and in the end, enable the business ecosystem to thrive. It just requires a little help from zero trust.