CHAPTER 2: Zero Trust and Third-Party Risk Model
The zero trust (ZT) and third-party risk (TPR) OSI (Open Systems Interconnection) model has been designed to break down complex concepts into simpler, understandable “chunks” that organizations can consume more easily. Each row and column intersection requires a bit of detail to provide enough material to take action on it. As this chapter goes through each of these intersections, you'll learn more about how they can be successfully navigated as a step along the ZT journey in the TPR space.
Zero Trust and Third-Party Users
The first area in ZT and TPR to focus on is users. In this case, a user refers to any resource that is classified as such. This should be focused on an actual person, while the other two resource categories deal with applications and infrastructure. Much of the work in ZT focuses on the identity and access management (IAM) domain, and starting with users is often the easiest (given the risk). When starting off on this exercise, be sure to differentiate between your internal native users and third parties. This sounds obvious, but there could be vendors with an internal login native to your domain. For instance, the third-party user may work for the vendor, but their login is listed under your own organization's name rather than their vendor's name. The vendors with external logins that contain their vendor domain name are easiest to identify, but often access is granted using the native organization's access management ...
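One way to surface third-party users who hold a login native to your domain, shown as an added example that is not from the book: reconcile a directory export against an HR roster and flag native-domain accounts with no active employee record. The column names, the `example.com` domain, the category labels and the use of an HR roster as the authoritative source are all assumptions.

```python
import csv
import io

NATIVE_DOMAIN = "example.com"  # assumption: your organization's login domain

# Constructed sample exports; the columns are hypothetical, not a product schema.
DIRECTORY_CSV = """login,display_name,employee_id
alice@example.com,Alice Ng,E1001
bob@example.com,Bob Ruiz,
carol@vendorco.test,Carol Shah,
dave@example.com,Dave Kim,E1044
erin@example.com,Erin Vale,E9999
"""
HR_ROSTER_CSV = """employee_id,status
E1001,active
E1044,terminated
"""

def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def classify_users(directory_rows, hr_rows, native_domain=NATIVE_DOMAIN):
    """Map each login to a category; a native login alone never proves 'internal'."""
    active = {r["employee_id"] for r in hr_rows if r["status"] == "active"}
    known = {r["employee_id"] for r in hr_rows}
    result = {}
    for row in directory_rows:
        login = row["login"].strip().lower()
        domain = login.rpartition("@")[2]
        emp_id = (row.get("employee_id") or "").strip()
        if domain != native_domain:
            # Vendor domain in the login: the easy case to identify.
            result[login] = "third-party-external-login"
        elif emp_id in active:
            result[login] = "internal"
        elif emp_id in known:
            # Native login tied to a non-active HR record: needs an owner review.
            result[login] = "review-inactive-hr-record"
        else:
            # Native login with no matching employee: possible vendor user.
            result[login] = "review-possible-third-party"
    return result

if __name__ == "__main__":
    for login, category in classify_users(load(DIRECTORY_CSV), load(HR_ROSTER_CSV)).items():
        print(f"{login:24} {category}")
```
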