By François Amigorena, IS Decisions
Zero trust is sometimes presented as a way of stopping things from happening, for example blocking unauthorized clients. That misses the point. A hidden appeal of zero trust is that it offers the possibility of improving the management of network resources, users, and data in ways that also lower costs and make technology adoption easier.
This is especially important in the SMB sector, where technology overload and expense is a real issue. In that sense, zero trust mirrors what is driving more organizations to use managed services in the first place: it makes life simpler and more financially predictable.
What Is Zero Trust?
Zero trust’s ascent might sound dramatic, but the term itself goes back over a decade. Many of the technologies associated with it – identity management, access control, and authentication – are also not new. What seems to have changed for customers is the urgency in applying them and the motivation to do so.
Explaining zero trust in broad terms is deceptively easy. Networks using the traditional perimeter security model are based on the idea of high trust permission. All that the device, user, or application must do is present a credential, such as a username and password, to gain access to numerous resources within that network until it disconnects.
As NIST makes clear, zero trust turns trust on its head. Anything connecting to the same network is automatically suspicious. It must therefore use extra layers of authentication beyond passwords to verify itself, after which its privileges remain tightly controlled. Even then, it is never completely trusted because it is always assumed it could turn malicious at any moment.
Zero trust is akin to enlightened paranoia, a vigilance its proponents argue is now necessary to cope with the inevitability of compromise. The payback is that an organization that successfully implements zero trust will suffer fewer compromises, and any that do occur will be less severe. This will make any cybersecurity strategy based on zero trust easier to justify to employees, shareholders, regulators, and customers.
The Implementation Challenge
Unfortunately, the very thing that makes zero trust so compelling – it’s a set of principles rather than a product – is what makes it tricky for anyone selling expertise and services such as MSPs. Zero trust describes what to do but not precisely how this should be achieved. What counts as zero trust depends on the network, application, and users in question, something which will vary by context and organization. Implementing it presents numerous challenges.
The danger is that something this abstract is misunderstood by the customer or seen as a sales ploy in a way that breeds scepticism. This would be a tragedy, because, if correctly understood and carefully implemented, zero trust has a huge amount to offer organizations of every size, especially SMBs that have decided to invest in services to solve their security puzzle.
How, then, should MSPs communicate the value of zero trust to clients and prospects?
Understand Customer Drivers
The rise of zero trust is explained by several factors, the biggest of which is simply a collapse in faith in traditional security technology, a lot of which (firewalls, antivirus, password-based access control) date back to an earlier and less challenging era.
This feeling only solidified with the recent rise in remote work, which brought home the limitations of perimeter security. Organizations were forced to rely on endpoint security and VPNs, retrofitting authentication where possible. As budgets were stretched, blind spots multiplied – especially of cloud services that don’t transit the corporate datacentre – elevating the issue of visibility and trust to front of mind.
Customers are also influenced by cyber-insurance policies that now demand better assurance and external testing and want to minimize risk measured against industry cybersecurity frameworks such as NIST. With the surge in cyberattacks pushing the cost of policies ever higher, customers are increasingly motivated by anything that might reduce premiums.
Zero Trust Offers Competitive Advantages
Cyberattacks today can have severe consequences, some of which would have been considered unusual even a handful of years ago. This has changed the perception of cybersecurity risk, elevating frameworks that allow organizations to get to grips with their long-term investment in the area. This casts ideas such as zero trust not simply as best practice or “good to have” but as an essential part of business.
Increasingly, organizations understand that a coherent cybersecurity strategy formed through partnerships with service providers gives them a competitive market advantage over rival organizations that lag. This goes far beyond received ideas of compliance and regulation, which operate on longer timescales. In some cases, cybersecurity might even now be a matter of survival.
Getting Zero Trust Right
Zero trust depends on being able to see everything. Not only the ‘security state’ of systems but users and data, too. And it’s imperative to know the status of all of the above at all times – something organizations already struggle with at a time when shadow IT and undisciplined use of the cloud are often hard to track. Zero trust assumes:
- All activities will be fully logged, the further back in time the better to enable quality forensic analysis.
- Data access will be strictly controlled at file level along with the users accessing these resources.
- Every device will be secured, not only PCs and servers, including ones that don’t run security agents such as IoT and industrial control systems.
- Any changes to data or systems will be tracked in real time.
- User management must implement zero trust in a way that allows contextual controls over and above multi-factor authentication and single sign on.
- Zero trust implementations must offer granularity, for example, contextual restrictions such as time, location, IP address, department, session type, or machine.
The Benefit To MSPs From Zero Trust
Zero trust is already having a major influence on the types of products and services purchased by clients. But the implementation stage will take years, which implies long-term sales potential and the possibility of developing a stronger relationship with the client over time.
This is especially true for the SMB sector for which managed services have a natural fit. Increasingly, MSPs must address how their services dovetail with zero trust cybersecurity. The benefit to MSPs from zero trust is that it implies a long-term relationship with customers that goes beyond the traditional sales cycle in which MSPs are contacted after something has gone wrong.
About The Author
François Amigorena is the founder and CEO of IS Decisions, a global software company specializing in access management and MFA for Microsoft Windows and Active Directory environments. A former IBM executive, François is also a member of CLUSIF (Club de la Sécurité de l'Information Français), a nonprofit organization dedicated to information security.