
Zero Trust and Third-Party Risk


Reduce the Blast Radius
1st edition

by: Gregory C. Rasner

20,99 €

Publisher: Wiley
Format: EPUB
Published: 24.08.2023
ISBN/EAN: 9781394203154
Language: English
Number of pages: 240

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Description

Dramatically lower the cyber risk posed by third-party software and vendors in your organization

In Zero Trust and Third-Party Risk, veteran cybersecurity leader Gregory Rasner delivers an accessible and authoritative walkthrough of the fundamentals and finer points of the zero trust philosophy and its application to the mitigation of third-party cyber risk. In this book, you'll explore how to build a zero trust program and nurture it to maturity. You will also learn how and why zero trust is so effective in reducing third-party cybersecurity risk.

The author uses the story of a fictional organization, KC Enterprises, to illustrate the real-world application of zero trust principles. He takes you through a full zero trust implementation cycle, from initial breach to cybersecurity program maintenance and upkeep. You'll also find:

- Explanations of the processes, controls, and programs that make up the zero trust doctrine
- Descriptions of the five pillars of implementing zero trust with third-party vendors
- Numerous examples, use cases, and stories that highlight the real-world utility of zero trust

An essential resource for board members, executives, managers, and other business leaders, Zero Trust and Third-Party Risk will also earn a place on the bookshelves of technical and cybersecurity practitioners, as well as compliance professionals seeking effective strategies to dramatically lower cyber risk.
Table of Contents

Foreword xiii
INTRODUCTION: Reduce the Blast Radius xvii

Part I Zero Trust and Third-Party Risk Explained 1

Chapter 1 Overview of Zero Trust and Third-Party Risk 3
  Zero Trust 3
  What Is Zero Trust? 4
  The Importance of Strategy 5
  Concepts of Zero Trust 6
  1. Secure Resources 7
  2. Least Privilege and Access Control 8
  3. Ongoing Monitoring and Validation 11
  Zero Trust Concepts and Definitions 13
  Multifactor Authentication 13
  Microsegmentation 14
  Protect Surface 15
  Data, Applications, Assets, Services (DAAS) 15
  The Five Steps to Deploying Zero Trust 16
  Step 1: Define the Protect Surface 16
  Step 2: Map the Transaction Flows 17
  Step 3: Build the Zero Trust Architecture 17
  Step 4: Create the Zero Trust Policy 17
  Step 5: Monitor and Maintain the Network 19
  Zero Trust Frameworks and Guidance 20
  Zero Trust Enables Business 22
  Cybersecurity and Third-Party Risk 22
  What Is Cybersecurity and Third-Party Risk? 23
  Overview of How to Start or Mature a Program 25
  Start Here 25
  Intake, Questions, and Risk-Based Approach 27
  Remote Questionnaires 28
  Contract Controls 29
  Physical Validation 30
  Continuous Monitoring 31
  Disengagement and Cybersecurity 33
  Reporting and Analytics 34
  ZT with CTPR 35
  Why Zero Trust and Third-Party Risk? 35
  How to Approach Zero Trust and Third-Party Risk 37
  ZT/CTPR OSI Model 38

Chapter 2 Zero Trust and Third-Party Risk Model 43
  Zero Trust and Third-Party Users 43
  Access Control Process 44
  Identity: Validate Third-Party Users with Strong Authentication 45
  Five Types of Strong Authentication 47
  Identity and Access Management 50
  Privileged Access Management 52
  Device/Workload: Verify Third-Party User Device Integrity 54
  Access: Enforce Least-Privilege Access for Third-Party Users to Data and Apps 57
  Groups 57
  Work Hours 58
  Geo-Location 58
  Device-Based Restrictions 58
  Auditing 59
  Transaction: Scan All Content for Third-Party Malicious Activity 59
  IDS/IPS 60
  DLP 60
  SIEM 61
  UBAD 61
  Governance 62
  Zero Trust and Third-Party Users Summary 62
  Zero Trust and Third-Party Applications 63
  Identity: Validate Third-Party Developers, DevOps, and Admins with Strong Auth 64
  Privileged User Groups 64
  Multifactor Authentication 64
  Just-in-Time Access 65
  Privileged Access Management 65
  Audit and Logging 66
  Device/Workload: Verify Third-Party Workload Integrity 66
  Access: Enforce Least-Privilege Access for Third-Party Workloads Accessing Other Workloads 67
  Transaction: Scan All Content for Third-Party Malicious Activity and Data Theft 68
  Zero Trust and Third-Party Applications Summary 70
  Zero Trust and Third-Party Infrastructure 70
  Identity: Validate Third-Party Users with Access to Infrastructure 71
  Device/Workload: Identify All Third-Party Devices (Including IoT) 72
  Software-Defined Perimeter 74
  Encryption 74
  Updates 75
  Enforce Strong Passwords 75
  Vulnerability and Secure Development Management 75
  Logging and Monitoring 76
  Access: Enforce Least-Privilege Access Segmentation for Third-Party Infrastructure 76
  Transaction: Scan All Content Within the Infra for Third-Party Malicious Activity and Data Theft 77
  Zero Trust and Third-Party Infrastructure Summary 78

Chapter 3 Zero Trust and Fourth-Party Cloud (SaaS) 79
  Cloud Service Providers and Zero Trust 80
  Zero Trust in Amazon Web Services 81
  Zero Trust in Azure 83
  Zero Trust in Azure Storage 85
  Zero Trust on Azure Virtual Machines 87
  Zero Trust on an Azure Spoke VNet 87
  Zero Trust on an Azure Hub VNet 88
  Zero Trust in Azure Summary 88
  Zero Trust in Google Cloud 88
  Identity-Aware Proxy 89
  Access Context Manager 90
  Zero Trust in Google Cloud Summary 91
  Vendors and Zero Trust Strategy 91
  Zero Trust at Third Parties as a Requirement 91
  A Starter Zero Trust Security Assessment 92
  A Zero Trust Maturity Assessment 95
  Pillar 1: Identity 98
  Pillar 2: Device 101
  Pillar 3: Network/Environment 104
  Pillar 4: Application/Workload 107
  Pillar 5: Data 110
  Cross-cutting Capabilities 113
  Zero Trust Maturity Assessment for Critical Vendors 115
  Part I: Zero Trust and Third-Party Risk Explained Summary 119

Part II Apply the Lessons from Part I 121

Chapter 4 KC Enterprises: Lessons Learned in ZT and CTPR 123
  Kristina Conglomerate Enterprises 124
  KC Enterprises' Cyber Third-Party Risk Program 127
  KC Enterprises' Cybersecurity Policy 127
  Scope 127
  Policy Statement and Objectives 128
  Cybersecurity Program 128
  Classification of Information Assets 129
  A Really Bad Day 130
  Then the Other Shoe Dropped 133

Chapter 5 Plan for a Plan 139
  KC's ZT and CTPR Journey 139
  Define the Protect Surface 143
  Map Transaction Flows 146
  Architecture Environment 148
  Deploy Zero Trust Policies 159
  Logical Policies and Environmental Changes 159
  Zero Trust for Third-Party Users at KC Enterprises 161
  Third-Party User and Device Integrity 161
  Third-Party Least-Privileged Access 163
  Third-Party User and Device Scanning 165
  Zero Trust for Third-Party Applications at KC Enterprises 166
  Third-Party Application Development and Workload Integrity 166
  Third-Party Application Least-Privileged Access Workload to Workload 168
  Third-Party Application Scanning 168
  Zero Trust for Third-Party Infrastructure at KC Enterprises 169
  Third-Party User Access to Infrastructure 169
  Third-Party Device Integrity 170
  Third-Party Infrastructure Segmentation 170
  Third-Party Infrastructure Scanning 171
  Written Policy Changes 172
  Identity and Access Management Program 172
  Vulnerability Management Program 173
  Cybersecurity Incident Management Program 174
  Cybersecurity Program 175
  Cybersecurity Third-Party Risk Program 175
  Third-Party Security Standard 177
  Information Security Addendum 181
  Assessment Alignment and Due Diligence 198
  Third-Party Risk Management Program 202
  Legal Policies 203
  Monitor and Maintain 205
  Part II: Apply the Lessons from Summary 206

Acknowledgments 209
About the Author 211
About the Technical Editor 211
Index 213
About the Author

GREGORY C. RASNER is the author of the previous book Cybersecurity & Third-Party Risk: Third-Party Threat Hunting and the content creator of the training and certification program "Third-Party Cyber Risk Assessor" (Third Party Risk Association, 2023). Greg is the co-chair of the ISC2 Third-Party Risk Task Force and is an advisor to local colleges on technology and cybersecurity.
Praise for ZERO TRUST AND THIRD-PARTY RISK

"What I appreciate the most about this book is Greg's description of zero trust as a strategy (not a technology) and a journey that organizations must continually work towards. This book is a must read for anyone wanting to further enhance their Third Party Risk Management programs."
—Julie Gaiaschi, CISM, CISA, Chief Executive Officer & Co-Founder, Third Party Risk Association

"Choose your own adventure: Whether it's the SolarWinds attack or the fictional KC Enterprises, Greg's anecdotes are a welcomed ice-bucket challenge to the cybersecurity and third-party risk management communities. This book offers a practical approach to effectively guide both cyber AND business leaders toward the intersection of cyber third-party risk and zero trust, with a goal of increasing security for all."
—Clar Rosso, CC, CEO, ISC2, Inc.

"Rasner's Zero Trust and Third-Party Risk is essential reading for third-party risk analysts and security architects alike. At a strategic level, he raises the reality that zero-trust strategies and architectures are required to minimize vendor breach events and their impacts. At a tactical level, he lays out the zero-trust control requirements that should be foundational requirements for every high-risk vendor engagement."
—Kelly White, Founder and former CEO, Risk Recon

"A breach of your third and fourth parties is mathematically inevitable. This first line of the book is perhaps one of the most important for CISOs and those who work with them to understand and come to grips with. If it's inevitable, the question then becomes, what are you going to do about it? This book is a fantastic bridge between the world of compliance-heavy third party risk management activities and practitioner-focused zero trust frameworks. CISOs should take this book, bring it to their teams, use it as a foundation for building an integrated security model across their organizations."
—Robert Wood, CISO, Centers for Medicare & Medicaid Services
