Guest Column | May 27, 2021

5 Zero Trust Questions MSPs Must Prepare To Answer

By Alexandre Cagnoni, WatchGuard Technologies

5-Questions-iStock-1131095992

Zero Trust is a major topic of discussion today among security and IT leadership at companies of all sizes, and it’s obvious why. The COVID-19 pandemic has accelerated the Future of Work far faster than anyone anticipated. According to Upwork, one in four Americans are working from home in 2021, and by 2025, remote work levels will have increased 87% over pre-crisis levels. This dramatic shift has produced a wide range of business challenges and opportunities when it comes to productivity, collaboration, and IT management, but especially cybersecurity.

The overnight dawn of the remote work era left many organizations scrambling to equip employees with the resources and support necessary to maintain business operations from home. Such abrupt transitions often mean security best practices become an afterthought. So, it makes sense that Zero Trust – a methodology for user-centric security that is both flexible and rigorous enough to accommodate growing remote workforces – is taking center stage in 2021. In fact, Microsoft recently reported that more than half of business leaders are fast-tracking their Zero Trust deployments.

Contrary to most legacy approaches to corporate security, Zero Trust assumes that every device and user – on-network or off – represents a security risk until verified otherwise. Simply put, this is a “never trust, always verify” approach that uses multiple layers of defense to prevent threats, block lateral movement and enforce in-depth access controls.

When thinking about Zero Trust strategies, many customers have questions about cloud migrations, eliminating the traditional network, the right policies to establish trust, and more. And while these concepts are certainly a part of the process, there are many common misconceptions and hidden pitfalls you must be prepared to address as a trusted MSP. Let’s examine several common Zero Trust customer questions you might encounter this year and how best to address them:

Aren’t Users and Devices Inside My Network Inherently Trusted? – Companies of all sizes often fall victim to the old-school idea that they don’t need extensive, layered security protections to secure users and data within the network. Zero Trust methodologies exist entirely because, in today’s technology landscape, organizations must assume by default that all users, devices, and connections are untrustworthy, regardless of their location. All it takes is one lost or stolen corporate credential for an attacker to compromise an entire network. This is why multi-factor authentication with risk-based policies such as location verification and more is crucial to Zero Trust security.

Is Strong Authentication Enough to Establish a Zero Trust Security Posture? – Zero Trust networks ensure that users and computers establish legitimacy before accessing company resources. Customers must validate their users with strong multi-factor authentication, as well as the devices themselves using protections such as endpoint antivirus and threat detection and response. Without both ends of this equation, they might end up allowing access to a legitimate, trusted employee who is operating on a shared and untrusted machine. On the flip side, they might accidentally grant access to a bad actor taking advantage of an unattended corporate laptop while an employee is on a coffee break. In the age of remote work, where businesses have less IT visibility and oversight, Zero Trust networks can prevent these risks by default.

Aren’t Remote Workers’ Home Networks Relatively Safe? – Some customers might fall into the trap of believing that employees’ home networks are safer than shared public environments. Any company thinking about building a Zero Trust security posture needs to reject this idea completely. The truth is users’ home networks aren’t intrinsically safer or less risky than coffee shops, airports, or other remote work locations. There are many potential concerns, including routers with insecure default configurations, open Wi-Fi connections, external guests, and visitors, and more. Under a Zero Trust approach, businesses should treat home offices as untrusted environments and implement risk-based protections, as well as remote employee education and training.

Do I Need to Transition 100% to the Cloud? – Some end customers might believe they need to move all services to the cloud, as well as eliminate the local network and the need for remote access or VPN. This is a common misconception because most companies will likely still maintain domain, application, and file servers with fast access for local users, and sometimes even their home-developed services, tools, and confidential research data. Organizations shouldn’t assume a Zero Trust approach means moving absolutely everything to the cloud. As long as businesses have an office, they’ll likely maintain critical legacy applications and shared file servers on-premises that users can only access through VPN. Even with a Zero Trust strategy, customers should consider the core network part of a broader infrastructure of business applications, and implement security controls to ensure secure remote access, such as UTMs with filtering and protection capabilities, as well as support for modern VPN protocols, such as IKEv2 with MFA.

Can I Enable Auto-Logins for User-Friendly Cloud App Access? – Many cloud applications allow employees to log in using social media accounts such as Facebook, Twitter, and more. Allowing users to sign in once with those types of credentials to access all cloud applications is certainly a time-saver, and customers might believe these social-based auto-logins are the answer to improving user experiences. Unfortunately, this isn’t secure and falls well outside of Zero Trust principles, which are all about managing risk. Customers that allow auto-logins or single sign-on for cloud services should use company-controlled credential management, such as Identity Providers, and trust relationships with cloud applications using protocols, such as SAML. Doing so with user-controlled credentials essentially delegates credential management to employees and exposes the customer to credential stuffing attacks and many other security risks.

Zero Trust security strategies will become more critical and widespread as the remote work era continues, and there’s a tremendous amount of opportunity for MSPs to help customers get it right. This approach can help verify who, what, when, where, and how sensitive resources and applications are being accessed and arm you and your customers with the information required to effectively manage risk and limit exposure to security incidents. Most MSP customers have undoubtedly brought up the subject on more than one occasion over the past several months, and if yours haven’t yet, they will soon. Consider the above topics of discussion as a starting point and be sure your team is prepared to begin guiding your customers through their Zero Trust journey.

AlexandreAbout The Author

Alexandre Cagnoni is Director of Authentication for WatchGuard Technologies.