A guide to zero trust for MSPs

Even by the hyped standards of the cybersecurity industry, the rise and rise of zero trust (ZT) is a phenomenon that’s hard to miss. But what does zero trust mean for managed service providers (MSPs)?

If you’d run a Google search of the term in 2021 it would have returned 645 million hits. Three years later, that number is at nearly 3 billion and rising. Nobody in cybersecurity can ignore this level of interest, least of all, managed service providers (MSPs). After all, the MSP's job is to match customer interests with their own.

Now, while Zero trust’s rise sounds dramatic, remember: the term itself goes back over a decade. Many of the technologies associated with zero trust — identity management, access control, and authentication — are also not new.

So, what's changed? Mainly, the type, frequency, and consequences of cyber threats. Organizations now feel an urgency to apply zero trust principles.

What is zero trust, exactly?

Explaining zero trust in broad terms is deceptively easy.

But first, let's talk about what it isn't. Zero trust goes against the traditional perimeter security model. Networks using the traditional perimeter security model are based on the idea of high trust permission. All that the device, user, or application must do is present a credential, such as a username and a password, to gain access to any number of resources within that network until it disconnects.

As NIST makes clear, zero trust turns trust on its head. Any connection to the network is automatically suspicious.

So, it's key to use extra layers of authentication beyond passwords to verify the connection. And even after the device, user or application gains access, the admin tightly controls any privileges, in line with least privilege principles. A zero trust security strategy never completely trusts access, because it always assumes it can turn malicious at any moment.

Think of zero trust as enlightened paranoia. A state of vigilance nirvana. Proponents argue it's now necessary to cope with the inevitability of compromise.

What's the payback? An organization that successfully implements zero trust will suffer fewer compromises, and any that do occur will be less severe. This makes any cybersecurity strategy based on zero trust easier to justify to employees, shareholders, regulators, and customers.

The implementation challenge

Unfortunately, the very thing that makes zero trust so compelling — it’s a set of principles rather than a product — is what makes it tricky for anyone selling expertise and services such as MSPs. Zero trust describes what to do but not precisely how to achieve it.

What counts as zero trust depends on the network, application, and users in question. Naturally, that varies by context and organization. Implementing zero trust presents numerous challenges.

The challenge for MSPs to distill an abstract methodology in terms that communicate value for the customer. Otherwise, it's easy for them to misunderstand zero trust or see it as a sleek sales ploy. And that's a shame. Because, if correctly understood and carefully implemented, zero trust has concrete value to offer organizations of every size, especially SMBs who turn to managed IT services to solve their security puzzle.

How, then, should MSPs communicate the value of zero trust to clients and prospects?

Understand customer drivers

Several factors explain the rise of zero trust. The biggest of all? Simply a collapse in faith in traditional security technology, such as firewalls, anti-virus, and password-based access control. A lot of these date back to an earlier and less challenging era of cyber vigilance.

The need to move beyond the traditional security model only solidified with the rise in remote work, which brought home the limitations of perimeter security. Organizations were forced to rely on endpoint security and VPNs, retrofitting authentication where possible. With budgets stretched, blind spots multiplied — especially on cloud services that don’t transit the corporate data center — elevating the issue of visibility and trust.

Of course, another key driver is cyber insurance requirements. They now demand better assurance and external testing, and want to minimize risk measured against industry cybersecurity frameworks such as NIST. And, as the surge in cyber attacks pushes the cost of policies ever higher, customers are increasingly motivated by anything that might reduce premiums.

Zero trust improves management

People often present zero trust as a way to stop things from happening. For example, blocking unauthorized clients. That misses the point.

One not-so-hidden appeal of zero trust is the possibility to improve how IT manages network resources, users, and data in ways that lower costs and make technology adoption easier.

This is especially important to SMBs, where technology overload and expense are real issues. In that sense, zero trust mirrors what is driving more organizations to use managed services in the first place: it simplifies security and makes it more financially predictable.

It follows, that solutions sold to support zero trust implementation must meet these demands head-on. But be careful: what products can’t do is increase management overhead, or this will lower MSP margins and customer satisfaction alike.

Zero trust offers competitive advantages

Cyberattacks today often have severe consequences, some of which we would have seen as unusual even a handful of years ago. This changes how we see cybersecurity risks, and elevates frameworks that allow organizations to get to grips with their long-term infrastructure security investments.

This casts principles like zero trust not simply as best practice or “good to have,” but as an essential part of business.

Organizations are also getting savvy to the business case for a coherent cybersecurity strategy as a competitive advantage. A solid security strategy, through partnerships with service providers, gives them an edge that can help them win against competitors.

This goes far beyond cybersecurity as a requirement for compliance and regulation, which operate on longer timescales. In some cases, cybersecurity might even now be a matter of survival.

What zero trust implementation implies

Zero trust depends on being able to see everything. That means, not only the security state of systems, but users and data, too. And it’s imperative to know the status of all of the above at all times — something organizations already struggle with at a time when shadow IT and undisciplined use of the cloud are often hard to track.

Zero trust assumes:

• Full activity logs: Fully logging all activity, the further back in time the better to enable quality forensic analysis.

• Control at file level: Strict control at the file level along with the users accessing these resources.

• Device security: Control of all devices, not only PCs and servers, including ones that don’t run security agents such as IoT and industrial control systems.

• Real-time tracking: The ability to view and track any changes to data or systems in real time.

• Contextual controls: User management must implement zero trust in a way that allows contextual controls over and above multi-factor authentication and single sign-on.

• Granular controls: Zero trust implementations must offer granularity, for example contextual restrictions such as time, location, IP address, department, session type, or machine.

Zero trust encourages a stronger client relationship

Zero trust is already having a major influence on the types of products and services your clients buy. But the implementation stage will take years, which implies long-term sales potential and the possibility of developing a stronger relationship with the client over time.

This is especially true for the SMB sector, where managed services have a natural fit. Increasingly, MSPs must address how their services dovetail with zero-trust cybersecurity. The benefit to MSPs from zero trust is that it implies a long-term relationship with customers that goes beyond the traditional sales cycle in which MSPs are contacted after something has gone wrong.