Zero Trust and Third Parties

While Okta’s breach seems to be contained (pending further information), Cloudflare is clearly taking extra steps to limit any further damage. I imagine the companies that Okta identified as possibly exposed during the breach are also taking steps to audit their own systems right now.

This event highlights the need to examine your own zero trust posture with a very critical question:

How exposed are you if the third-party systems you rely upon are breached?

The topic at hand is how third-party tools and services can inadvertently become a security gap if your infrastructure doesn’t correctly apply zero trust, and it definitely highlights the need not to concentrate your MFA in your IdP.

I’m kicking this discussion off with a few head nods to the expansion of the information boundary, but we should collate a nice list of third-party tools that are commonly used but should also be viewed as security gaps if those third parties suffer a compromise.

For example:

  • Identity providers like Okta
  • Identity and Access Management Systems, such as AWS’s
  • Reverse Proxies such as Cloudflare Access and Google IAP

Not an exhaustive list by any means, but all of the above tools are trusted to ferry data or are granted permissions into modern digital infrastructure, which can expose an organization to unnecessary security gaps. What are some good methods for organizations to self-assess their posture, and how can they address the gaps they find, ideally without making too much of a shift?
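One concrete way to start the self-assessment asked about above is to inventory each access path by the parties whose session it trusts and the controls checked along it, then compute the blast radius of a single third-party compromise. The script below is an added example written for this thread, not code from Okta, Cloudflare or any product; the inventory (resource names, the parties "okta", "cloudflare-access" and "aws-iam", and the control names) is constructed for illustration. It flags two things: which resources a given compromise fully exposes versus which still have an independent control standing, and which resources fall to the compromise of one party alone, which is exactly the "MFA concentrated in the IdP" situation.

```python
"""Blast-radius self-assessment for third-party trust (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A check on the access path and the party that actually verifies it."""
    name: str
    enforcer: str


@dataclass(frozen=True)
class AccessPath:
    """One way into a resource: who can mint the session, and what else is checked."""
    resource: str
    session_issuers: tuple   # parties whose token/session is accepted for this resource
    controls: tuple          # Control objects evaluated along the path


# Constructed inventory for illustration; real data would come from your IdP,
# proxy and cloud configuration exports.
INVENTORY = [
    # MFA lives only at the IdP: IdP compromise alone defeats everything.
    AccessPath("hr-portal", ("okta",), (Control("totp", "okta"),)),
    # Application re-verifies a FIDO2 key itself, independently of the IdP.
    AccessPath("admin-console", ("okta",),
               (Control("totp", "okta"), Control("fido2", "admin-console"))),
    # IdP push MFA plus a device certificate checked by the reverse proxy.
    AccessPath("internal-wiki", ("okta", "cloudflare-access"),
               (Control("push-mfa", "okta"), Control("device-cert", "cloudflare-access"))),
    # Cloud IAM with its own MFA: unaffected by the IdP, but a single point on its own.
    AccessPath("s3-backups", ("aws-iam",), (Control("hardware-mfa", "aws-iam"),)),
]


def assess(inventory, compromised):
    """Split affected resources into fully exposed vs still guarded.

    A path is affected if any accepted session issuer is compromised. It is
    fully exposed when every control on it is enforced by a compromised party;
    otherwise at least one independent control still stands.
    """
    fully, guarded = [], []
    for path in inventory:
        if not set(path.session_issuers) & compromised:
            continue  # this path never trusts a compromised party
        standing = [c for c in path.controls if c.enforcer not in compromised]
        (guarded if standing else fully).append(path.resource)
    return sorted(fully), sorted(guarded)


def single_points_of_failure(inventory):
    """Map each resource to the parties whose compromise alone fully exposes it."""
    parties = {p for path in inventory for p in path.session_issuers}
    parties |= {c.enforcer for path in inventory for c in path.controls}
    spof = {}
    for party in sorted(parties):
        fully, _ = assess(inventory, {party})
        for resource in fully:
            spof.setdefault(resource, []).append(party)
    return spof


if __name__ == "__main__":
    fully, guarded = assess(INVENTORY, {"okta"})
    print("IdP compromised -> fully exposed:", fully)
    print("IdP compromised -> still guarded:", guarded)
    print("single points of failure:", single_points_of_failure(INVENTORY))
```

Running it shows that only the resources whose every control is enforced by the same party that issues the session fall to a single compromise; adding one control verified outside that party (a key re-checked by the application, a device certificate checked by the proxy) moves a resource from the "fully exposed" list to "still guarded" without re-architecting the whole estate.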

Is it too idealistic to address third-party security exposure without making a cumbersome internal shift in infrastructure?