Zero Trust: Leading with example

Zero Trust is a fresh, bold approach to cybersecurity that relies on continuous validation of transactions rather than implicit trust – and Managed Service Providers (MSPs) are increasingly being approached by clients about how to set up and enforce it.

How can MSPs give partners the information they need about this fast-changing field of security, especially if they’re still learning about it themselves? Here, Patrick Beggs, CISO at ConnectWise, offers a quick primer on zero trust, outlining the basics.

More and more clients are enquiring about zero trust security but MSPs don’t always have the answer to hand. Put simply, it is a comprehensive framework that guarantees that every user and device accessing corporate resources is who or what they claim to be. No-one can access a trusted environment without rigorous and continual validation.

In today’s enterprise IT landscape, the traditional security perimeter has practically ceased to exist, as data is distributed far and wide across countless devices, apps and individuals. Thus, zero trust works on the assumption that the network edge is irrelevant. Modern networks are local, or in the cloud or hybrid, while users and resources can be located anywhere. This means companies that employ a traditional perimeter security model are putting digital assets at risk.

The zero trust basics

So, how do we best enforce a zero trust security policy? Start with best practices, such as multi-factor authentication (MFA) to identify users accurately. Keep up with patch management and software updates so devices remain functional. And observe and gather useful network information to shape access control. At the same time, restrict user access to only the relevant data and assets, as opposed to the whole network.

Beginning your zero trust journey

The first step in your journey is identifying the so-called ‘protect surface’ i.e. what are your most valuable data, applications, assets and services (DAAS). Rather than trying to defend the whole ‘attack surface’ or to focus simply on the perimeter, which is not effective, companies should concentrate resources on shielding what is truly important to the business. Moreover, this is easier because typically the protect surface is much smaller than either the attack surface or the perimeter

Expose every network vulnerability

Define in detail your network topology so you know where your assets are. This helps you understand who your users are, what devices they use and what services and data they access. Networked components require additional caution: any public or private network is regarded as hostile in a zero trust world. That means that some existing services that were not built for this stricter world may not be able to protect themselves.

Next, after mapping the network topology, we need to identify how your systems operate. To verify that a user or device meets the necessary access requirements for protected areas, you will have to identify the locations where access controls are required. By rolling out these restrictions, security administrators can also eliminate unauthorised user-to-application communications.

The zero trust approach enables you to solve common security issues, such as safeguarding remote workers, protecting hybrid cloud infrastructure and defending against costly and disruptive cyberthreats. It helps you put a protective bubble around valuable assets and data, enabling them to operate with confidence in a complex environment. It can also turbocharge a company’s digital transformation by providing the peace of mind that the important stuff is safe.

Clarifying zero trust

While different vendors might have different approaches to – even definitions of – zero trust, there are industry bodies that are providing clarity and standardisation. The Identity, Device, Network, Application Workload and Data Zero Trust Maturity Model has been developed by the Cybersecurity and Infrastructure Security Agency (CISA) with a view to accelerating an organisation’s zero trust journey.

And, it is a journey that can potentially take years to fully implement and even then will require constant maintenance because networks are always evolving. If you understand the basics of the zero trust architecture now as an MSP, you are well equipped to help your clients as it becomes more of a priority for them. In all likelihood, many are already thinking about upgrading to zero trust, not least because research suggests it leads to 50 per cent fewer breaches and can save 40 per cent on IT spend. Now is the time, therefore, for MSPs to lead by example, make their own businesses more secure and resilient and light the path for clients to follow.

About the Author

Patrick Beggs is CISO at ConnectWise. Born out of a single software solution designed to help MSPs gain control of their help desk and billing, ConnectWise has grown into a robust platform of software built for technology solutions providers (TSPs) to run their entire as-a-service business. With products aiding in business management, remote monitoring and management, remote control and access, quote and proposal automation, and cybersecurity risk assessments, integrations with hundreds of key vendors, plus the largest and most engaged community in the industry, ConnectWise has built a platform for The IT Nation.

Featured image: ©Alex