
TPRM Controls: It’s Not Just About the Third Party

  • May 16

Introduction

In the modern business landscape, Third-Party Risk Management (TPRM) has become a focal point for organizations aiming to safeguard their operations. While much attention is given to assessing and managing third-party vendor risk through questionnaires, Boards of Directors are asking CISOs what the business itself is doing to protect the organization from third parties. Access management within Complementary User Entity Controls (CUECs) is a crucial internal control that TPRM assessments often overlook. Additional access protections are available through the organization's implementation of a Zero Trust strategy and the use of Artificial Intelligence (AI) and Machine Learning (ML) applications.

Access Management in Complementary User Entity Controls (CUECs) 

CUECs represent the controls that service providers expect you (as the customer) to implement to complement their own control environment. In the context of third-party management, these controls are crucial for maintaining a secure and effective relationship. Critical access management CUECs that organizations often overlook when managing third parties include the following: 

Access provisioning and deprovisioning controls:

According to a Black Kite study, 54% of all third-party breaches were due to unauthorized network access.(1)

Monitoring of third-party activities:

According to a Ponemon Institute study, only 34% of organizations effectively monitor third-party access to critical systems.(2) This creates significant blind spots in security posture.

Regular reassessment of third-party access needs:

A Wiz Research study indicates that 82% of companies unknowingly provide third-party vendors with highly privileged roles.(3)

Validation of CUEC controls:

Conventional CUEC validation, where it is performed at all, checks only that a control exists and is suitably designed; it does not test that the control actually operates and is effective in operation, which creates a false sense of security.


Access Management in a Zero Trust Strategy 

Zero Trust is fundamentally about “never trust, always verify” – a principle that can significantly enhance the protection of an organization's network and systems when granting third-party access. The implementation of Zero Trust requires a shift away from the traditional security models that rely on perimeter defenses and instead focus on securing individual assets and data. Traditional models grant broad network access once a user is authenticated; however, Zero Trust gives only the minimum access needed for a task.(4) Zero Trust identity and access management controls are implemented using a risk-based approach and may include the following: 

Multi-factor authentication (MFA):

Third-party users are required to authenticate using at least two factors (something they know, have, or are). According to Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, MFA can stop 30% to 50% of account compromise attacks.(5) 

Just-in-time (JIT) access:

Third-party users are given temporary, time-limited access only when it is needed, rather than persistent access. This shrinks the window in which a compromised vendor credential can be used to gain unauthorized access.

Privileged access management (PAM):

Session recording and monitoring are implemented for all third-party privileged access. According to Gartner, organizations that implement PAM can reduce the risk of privileged credential abuse by 75%.(6)

Micro-segmentation:

Third-party access is limited to only specific network segments or applications required for their function. By isolating critical systems and sensitive data, detecting and responding to threats becomes easier.

Device posture assessment:

The security posture of third-party devices is checked before access is granted. Third-party devices must meet minimum security requirements (patches, endpoint protection, etc.).
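The five controls above can be evaluated together on every third-party access request. The following is an added example, not code from the post or from any product; the vendor names, application segments and the 30-day patch threshold are constructed values.

```python
"""Risk-based Zero Trust check for a third-party access request.
Hypothetical code with constructed data, not from the post or any vendor product."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FACTOR_TYPES = {"know", "have", "are"}   # the three MFA factor categories
MAX_PATCH_AGE_DAYS = 30                  # hypothetical device-posture threshold
# Hypothetical micro-segmentation map: applications each vendor may reach.
ALLOWED_APPS = {"hvac-vendor": {"bms-console"}, "payroll-vendor": {"hr-portal", "sftp-gateway"}}

@dataclass
class DevicePosture:
    last_patched: datetime
    endpoint_protection: bool

@dataclass
class AccessRequest:
    vendor: str
    app: str
    factors: set            # factor types actually presented, e.g. {"know", "have"}
    grant_start: datetime   # JIT approval window
    grant_end: datetime
    device: DevicePosture

def evaluate(req, now):
    """Return (allowed, reasons); every failed control is reported, not just the first."""
    reasons = []
    if len(req.factors & FACTOR_TYPES) < 2:
        reasons.append("mfa: fewer than two distinct factor types presented")
    if not (req.grant_start <= now < req.grant_end):
        reasons.append("jit: request outside the approved time window")
    if req.app not in ALLOWED_APPS.get(req.vendor, set()):
        reasons.append(f"segment: {req.app} is not in the vendor's allowed applications")
    if (now - req.device.last_patched) > timedelta(days=MAX_PATCH_AGE_DAYS):
        reasons.append("posture: device patch level older than the allowed maximum")
    if not req.device.endpoint_protection:
        reasons.append("posture: endpoint protection not running")
    return (not reasons, reasons)

def sample_requests():
    """Constructed: one compliant request and one that fails every control."""
    now = datetime(2025, 5, 16, 12, 0, tzinfo=timezone.utc)
    good = AccessRequest("hvac-vendor", "bms-console", {"know", "have"},
                         now - timedelta(hours=1), now + timedelta(hours=3),
                         DevicePosture(now - timedelta(days=5), True))
    bad = AccessRequest("hvac-vendor", "hr-portal", {"know"},
                        now + timedelta(hours=1), now + timedelta(hours=5),
                        DevicePosture(now - timedelta(days=90), False))
    return now, good, bad
```

Calling `evaluate(bad, now)` on the second sample request returns `False` with five reasons, one per failed control, which is the record an auditor validating operating effectiveness would want to see logged.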


Leveraging Artificial Intelligence (AI) and Machine Learning (ML) in a Zero Trust Strategy 

Organizations using AI-powered security tools have an 85% success rate at predicting cyberattacks.(7) Examples of AI and ML applications used in a Zero Trust strategy include the following: 

Anomaly detection:

AI and ML algorithms can be trained to detect unusual patterns or behaviors within the organization's network. Deviations from normal activity may indicate potential security threats; for example, spikes in access requests from unfamiliar locations may trigger alerts for further investigation.(8)

Behavioral analysis:

ML models can analyze user behavior and establish a baseline of normal activities for each user. Any deviations from these patterns can raise flags for potential insider threats or compromised accounts.(8)

Threat intelligence integration:

By analyzing threat intelligence feeds alongside internal network data, organizations can make more informed decisions regarding access control and threat mitigation strategies. ML algorithms can prioritize and contextualize threat intelligence data, helping security teams focus on the most critical risks.(8)

Adaptive access controls:

ML-driven access control mechanisms can dynamically adjust permissions based on real-time risk assessments. By continuously evaluating factors such as user behavior, device health, and network conditions, these systems can grant or revoke access privileges dynamically.(8)
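The anomaly detection, behavioral baseline and adaptive access ideas above can be shown in one small scorer. This is an added example, not code from the post or from the cited book: it builds a per-user baseline from constructed access-log lines, flags unfamiliar locations and request spikes, and maps the resulting risk to allow, step-up MFA or revoke. The log format, the vendor account name and the risk thresholds are all constructed.

```python
"""Behavioral baseline and anomaly scoring for third-party access events.
Hypothetical code with constructed log lines, not from the post or any product."""
from collections import defaultdict
from statistics import mean, pstdev

def baseline_lines():
    """Constructed week of normal activity: 10 US logins and 1 CA login per day."""
    lines = []
    for day in range(1, 8):
        lines += [f"2025-05-{day:02d}T{8 + i:02d}:00:00Z vendor-a@acme US" for i in range(10)]
        lines.append(f"2025-05-{day:02d}T18:00:00Z vendor-a@acme CA")
    return lines

def day_lines(country, n):
    """Constructed events for a single new day (2025-05-09) from one country."""
    return [f"2025-05-09T{(8 + i) % 24:02d}:{i % 60:02d}:00Z vendor-a@acme {country}" for i in range(n)]

def build_baseline(lines):
    """Per user: countries seen and the list of daily request counts."""
    per_day = defaultdict(lambda: defaultdict(int))
    countries = defaultdict(set)
    for line in lines:
        ts, user, country = line.split()
        per_day[user][ts[:10]] += 1
        countries[user].add(country)
    return {u: {"countries": countries[u], "daily": list(per_day[u].values())} for u in per_day}

def score_day(baseline, user, lines):
    """Flag unfamiliar locations and request spikes; map risk to an adaptive action."""
    prof = baseline.get(user)
    if prof is None:
        return {"risk": 100, "flags": ["no_baseline"], "action": "revoke"}
    count = len(lines)
    unfamiliar = {l.split()[2] for l in lines} - prof["countries"]
    mu, sigma = mean(prof["daily"]), pstdev(prof["daily"])
    threshold = mu + 3 * max(sigma, 1.0)  # floor so a flat baseline still has a band
    flags, risk = [], 0
    if unfamiliar:
        flags.append("unfamiliar_location:" + ",".join(sorted(unfamiliar)))
        risk += 40
    if count > threshold:
        flags.append(f"spike:{count}>{threshold:.1f}")
        risk += 40
    if unfamiliar and count > threshold:
        risk += 20  # both signals together: stronger evidence of a compromised account
    action = "allow" if risk < 40 else ("step_up_mfa" if risk < 80 else "revoke")
    return {"risk": risk, "flags": flags, "action": action}

if __name__ == "__main__":
    base = build_baseline(baseline_lines())
    for country, n in (("US", 11), ("DE", 5), ("BR", 40)):
        print(country, n, score_day(base, "vendor-a@acme", day_lines(country, n)))
```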


Case Studies 

Case Study 1: Implementing Complementary User Entity Controls in a Retail Environment 

A leading retail company implemented Complementary User Entity Controls to enhance its third-party risk management. This involved establishing strict access controls and clear usage policies for third-party vendors accessing its systems. By doing so, the company improved its ability to detect and respond to unauthorized access attempts, significantly reducing the risk of data breaches. The implementation of these controls also led to better accountability and adherence to security protocols among third-party vendors. 


Case Study 2: Adopting Zero Trust Controls in a Technology Firm 

A technology firm adopted a Zero Trust strategy to manage third-party access to its network and critical systems. The approach required verification of every access request, regardless of the source, and continuous monitoring of user activities. By using multi-factor authentication and least-privilege access principles, the firm ensured that only authorized users could access sensitive data. This strategy not only prevented unauthorized access but also provided granular visibility into third-party activities, enabling proactive threat detection and response. 


Conclusion 

While third-party assessments remain a cornerstone of TPRM, it is essential to recognize and implement broader access controls that contribute to a more comprehensive risk management strategy. By validating both the design and operating effectiveness of critical access management CUECs and implementing Zero Trust access controls, organizations can enhance their resilience and better protect themselves against the myriad risks associated with third-party relationships. AI and ML applications can also play a crucial role to ensure access controls remain robust and responsive to evolving threats. TPRM is not just about the third party; it is about creating a holistic approach to risk management that safeguards the organization from within and beyond. 


References: 

  1. Black Kite, “Third-Party Breach Report” Vol.5, 2024. [Online]. Available: https://blackkite.com/wp-content/uploads/2024/03/third-party-breach-report-2024.pdf. 

  2. Imprivata, “Imprivata Study Finds Nearly Half of Organizations Suffered a Third-Party Security Incident in Past Year,” February 13, 2025. [Online]. Available: https://www.imprivata.com/company/press/imprivata-study-finds-nearly-half-organizations-suffered-third-party-security.  

  3. Security Magazine, “82% of companies give third parties access to all cloud data,” January 26, 2021. [Online]. Available: https://www.securitymagazine.com/articles/94435-of-companies-give-third-parties-access-to-all-cloud-data.  

  4. Cipher, Alex, “Zero Trust: Redefining Cybersecurity,” 2024.

  5. Cybercrime Magazine, “Multi-Factor Authentication is (Not) 99 Percent Effective,” February 23, 2023. [Online]. Available: https://cybersecurityventures.com/multi-factor-authentication-is-not-99-percent-effective/.

  6. CTO (Core Team One), “Did you know? 74% of data breaches start with the abuse of privileged credentials,” Wednesday, 12 June 2024. [Online]. Available: https://www.bing.com/search?pglt=297&q=74%25+of+data+breaches+start+with+the+abuse+of+privileged+credentials&cvid=5411e708f64447b8b8e91782242cba48&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIGCAEQRRg80gEKMTYxMzY2ajBqMagCALACAA&FORM=ANNTA1&adppc=EDGEBRV&PC=EDGEBRV. 

  7. Furness, Dylan, Emerj, November 9, 2024. [Online]. Available: https://emerj.com/an-ai-cybersecurity-system-may-detect-attacks-with-85-percent-accuracy/#:~:text=An%20AI%20Cybersecurity%20System%20May,Accuracy%20%7C%20Emerj%20Artificial%20Intelligence%20Research. 

  8. Goraga, Zemelak, Dr., “AI and ML Applications for Decision-Making in Zero Trust Cyber Security,” Volume 1, SkyLimit Publishing, 2024, pp. 2-3.
