Approaching Zero Trust Through Layered Security: MSPs And The Modern Security Landscape
By Chase Doelling, JumpCloud

Small and midsized enterprises (SMEs) face a significant security gap. Distributed teams using personal devices across unsecured networks present no shortage of security vulnerabilities. What’s running short, though, are plans to deal with cyberattacks. A recent CNBC survey found that 53% of small businesses say either their business doesn’t have a plan in place to deal with a cyberattack, or they’re not sure if they do. Yet, 43% of cyberattacks target small businesses. Several trends suggest this figure will only increase.
With cyber threats on the rise and remote workplace models here to stay, organizations of all sizes are looking for the best ways to lock down IT infrastructure. The “trust nothing, verify everything” approach of a zero-trust model is often seen as the key to meeting modern security challenges. Certainly many enterprise organizations, supported by enterprise-level budgets and IT staff, have adopted zero-trust practices. But for organizations without similar resources, the threat landscape can look pretty scary.
Given the delta between security threats and the (in)ability of many SMEs to protect against them, it’s no wonder that organizations are seeking outside support for greater control. Managed service providers (MSPs) are increasingly serving as proxy internal IT security teams. With projections suggesting the MSP market will reach $355 billion by 2026, it’s clear that they’re doing it successfully.
As clients continue to transfer security responsibility to managed service providers, how can MSPs protect clients in an easy, cohesive way that delivers smaller organizations the same strong protections offered by the zero-trust principles deployed in Fortune 1000 companies? A layered approach provides a manageable framework.
Start With Identity
Zero trust requires a layered approach to security. At the core of each of these layers is establishing identity trust: who the user is and what that individual should have access to.
Historically, organizations have relied on a directory to serve as a single source of truth for identity, storing and authenticating the various identities users need to log in to devices, servers, files, applications, and more. Two common options include using Microsoft Active Directory (AD) or implementing OpenLDAP. But these options, which often require on-premises servers and networks, are best suited for large organizations, not for cloud-forward MSPs managing multiple clients.
Cloud directory services have rapidly gained traction with MSPs as an alternative for establishing identity, meeting the needs of remote work and the elimination of a physical office domain. This option allows for an integrated security approach that supports users, no matter where they’re logging in from or what type of device they’re using. IT teams can add conditions under which permissions can be given, revoked, and challenged, removing friction from the employee experience without adding unnecessary steps for the admins managing it. It also offers the flexibility to future-proof employee status changes by integrating practices today that can serve a client for years.
Add Layers, Not Complications
The goal of zero trust can feel overwhelming. Implementing it with a layered approach can streamline the process.
Layer 1: Secure identity: Begin by establishing the identity at each access point. Username and password alone aren’t ideal, given that 61% of breaches involve credential compromise. Add multi-factor authentication (MFA), such as a phone app or a token. Consider federated identities across resources and single sign-on (SSO) for web applications to maintain security without complicating the user experience.
Layer 2: Secure devices: New remote workplaces introduced new security complexity in multiple forms: unsecured devices, bring your own device (BYOD) policies, and mixed-device environments distributed around the globe. The next layer for securing these should be establishing device trust. Mobile device management (MDM) solutions can offer visibility and control no matter the number or type of devices.
Key questions for evaluating MDM options for clients include:
- Does it provide the type of data insights my clients need? Consider, for example, whether you need to know primarily where devices are, or more granular data like which devices haven’t enabled MFA, what each device’s current battery life is, or regular access patterns.
- Does it offer patch management (whether through automated updates or admin notification) to ensure employees are using up-to-date and secure tools?
- How does it map to clients’ general needs in terms of features like MFA, disk encryption, and BYOD features?
- Does it supply heterogeneous device support for multi-OS environments?
Layer 3: Secure applications: SSO can centralize user access to standard and commonly used productivity applications, but adding conditional access policies adds a dynamic layer of security. Control access by several conditions deemed pertinent to each client. These may include geolocation, role, group, access history, and more, and can be enforced based on a least-privilege access model.
Layer 4: Create a repeatable approach through multi-tenancy: MSP admins can easily and remotely manage their entire client base’s identity management needs—at every level—through a multi-tenant portal. Multi-tenancy allows simplified multi-client management of identity and access control, helping clients keep pace with digital innovation while maintaining security and compliance. It also gives admins an edge on maintaining the safety, security, and compliance status of their customers without any impact on operational efficiency.
The demand for MSP services will only grow as SMEs seek to outsource infrastructure security to better focus on their core competencies. To protect clients from rising cybersecurity threats, MSPs can put them on a path to zero trust by securing identity across applications, devices, and access.
About The Author
Chase Doelling is the Principal Strategist at cloud directory platform provider JumpCloud, where he leads the team in creating partnerships that enhance and secure digital identities. He has been working in venture-backed startups across security, integration, and DevOps for the last decade.