ISBN-13: 9781394203147 / English / Hardcover / 2023
Foreword xiii
INTRODUCTION: Reduce the Blast Radius xvii
Part I Zero Trust and Third-Party Risk Explained 1
Chapter 1 Overview of Zero Trust and Third-Party Risk 3
Zero Trust 3
What Is Zero Trust? 4
The Importance of Strategy 5
Concepts of Zero Trust 6
1. Secure Resources 7
2. Least Privilege and Access Control 8
3. Ongoing Monitoring and Validation 11
Zero Trust Concepts and Definitions 13
Multifactor Authentication 13
Microsegmentation 14
Protect Surface 15
Data, Applications, Assets, Services (DAAS) 15
The Five Steps to Deploying Zero Trust 16
Step 1: Define the Protect Surface 16
Step 2: Map the Transaction Flows 17
Step 3: Build the Zero Trust Architecture 17
Step 4: Create the Zero Trust Policy 17
Step 5: Monitor and Maintain the Network 19
Zero Trust Frameworks and Guidance 20
Zero Trust Enables Business 22
Cybersecurity and Third-Party Risk 22
What Is Cybersecurity and Third-Party Risk? 23
Overview of How to Start or Mature a Program 25
Start Here 25
Intake, Questions, and Risk-Based Approach 27
Remote Questionnaires 28
Contract Controls 29
Physical Validation 30
Continuous Monitoring 31
Disengagement and Cybersecurity 33
Reporting and Analytics 34
ZT with CTPR 35
Why Zero Trust and Third-Party Risk? 35
How to Approach Zero Trust and Third-Party Risk 37
ZT/CTPR OSI Model 38
Chapter 2 Zero Trust and Third-Party Risk Model 43
Zero Trust and Third-Party Users 43
Access Control Process 44
Identity: Validate Third-Party Users with Strong Authentication 45
Five Types of Strong Authentication 47
Identity and Access Management 50
Privileged Access Management 52
Device/Workload: Verify Third-Party User Device Integrity 54
Access: Enforce Least-Privilege Access for Third-Party Users to Data and Apps 57
Groups 57
Work Hours 58
Geo-Location 58
Device-Based Restrictions 58
Auditing 59
Transaction: Scan All Content for Third-Party Malicious Activity 59
IDS/IPS 60
DLP 60
SIEM 61
UBAD 61
Governance 62
Zero Trust and Third-Party Users Summary 62
Zero Trust and Third-Party Applications 63
Identity: Validate Third-Party Developers, DevOps, and Admins with Strong Auth 64
Privileged User Groups 64
Multifactor Authentication 64
Just-in-Time Access 65
Privileged Access Management 65
Audit and Logging 66
Device/Workload: Verify Third-Party Workload Integrity 66
Access: Enforce Least-Privilege Access for Third-Party Workloads Accessing Other Workloads 67
Transaction: Scan All Content for Third-Party Malicious Activity and Data Theft 68
Zero Trust and Third-Party Applications Summary 70
Zero Trust and Third-Party Infrastructure 70
Identity: Validate Third-Party Users with Access to Infrastructure 71
Device/Workload: Identify All Third-Party Devices (Including IoT) 72
Software-Defined Perimeter 74
Encryption 74
Updates 75
Enforce Strong Passwords 75
Vulnerability and Secure Development Management 75
Logging and Monitoring 76
Access: Enforce Least-Privilege Access Segmentation for Third-Party Infrastructure 76
Transaction: Scan All Content Within the Infra for Third-Party Malicious Activity and Data Theft 77
Zero Trust and Third-Party Infrastructure Summary 78
Chapter 3 Zero Trust and Fourth-Party Cloud (SaaS) 79
Cloud Service Providers and Zero Trust 80
Zero Trust in Amazon Web Services 81
Zero Trust in Azure 83
Zero Trust in Azure Storage 85
Zero Trust on Azure Virtual Machines 87
Zero Trust on an Azure Spoke VNet 87
Zero Trust on an Azure Hub VNet 88
Zero Trust in Azure Summary 88
Zero Trust in Google Cloud 88
Identity-Aware Proxy 89
Access Context Manager 90
Zero Trust in Google Cloud Summary 91
Vendors and Zero Trust Strategy 91
Zero Trust at Third Parties as a Requirement 91
A Starter Zero Trust Security Assessment 92
A Zero Trust Maturity Assessment 95
Pillar 1: Identity 98
Pillar 2: Device 101
Pillar 3: Network/Environment 104
Pillar 4: Application/Workload 107
Pillar 5: Data 110
Cross-cutting Capabilities 113
Zero Trust Maturity Assessment for Critical Vendors 115
Part I: Zero Trust and Third-Party Risk Explained Summary 119
Part II Apply the Lessons from Part I 121
Chapter 4 KC Enterprises: Lessons Learned in ZT and CTPR 123
Kristina Conglomerate Enterprises 124
KC Enterprises' Cyber Third-Party Risk Program 127
KC Enterprises' Cybersecurity Policy 127
Scope 127
Policy Statement and Objectives 128
Cybersecurity Program 128
Classification of Information Assets 129
A Really Bad Day 130
Then the Other Shoe Dropped 133
Chapter 5 Plan for a Plan 139
KC's ZT and CTPR Journey 139
Define the Protect Surface 143
Map Transaction Flows 146
Architecture Environment 148
Deploy Zero Trust Policies 159
Logical Policies and Environmental Changes 159
Zero Trust for Third-Party Users at KC Enterprises 161
Third-Party User and Device Integrity 161
Third-Party Least-Privileged Access 163
Third-Party User and Device Scanning 165
Zero Trust for Third-Party Applications at KC Enterprises 166
Third-Party Application Development and Workload Integrity 166
Third-Party Application Least-Privileged Access Workload to Workload 168
Third-Party Application Scanning 168
Zero Trust for Third-Party Infrastructure at KC Enterprises 169
Third-Party User Access to Infrastructure 169
Third-Party Device Integrity 170
Third-Party Infrastructure Segmentation 170
Third-Party Infrastructure Scanning 171
Written Policy Changes 172
Identity and Access Management Program 172
Vulnerability Management Program 173
Cybersecurity Incident Management Program 174
Cybersecurity Program 175
Cybersecurity Third-Party Risk Program 175
Third-Party Security Standard 177
Information Security Addendum 181
Assessment Alignment and Due Diligence 198
Third-Party Risk Management Program 202
Legal Policies 203
Monitor and Maintain 205
Part II: Apply the Lessons from Summary 206
Acknowledgments 209
About the Author 211
About the Technical Editor 211
Index 213
GREGORY C. RASNER is the author of the previous book Cybersecurity & Third-Party Risk: Third-Party Threat Hunting and the content creator of the training and certification program "Third-Party Cyber Risk Assessor" (Third Party Risk Association, 2023). Greg is the co-chair of the ISC² Third-Party Risk Task Force and an advisor to local colleges on technology and cybersecurity.