TRUST has always been a dangerous commodity in IT. In the era of cloud computing and work from anywhere, in which attacks grow continually more sophisticated and defensible perimeters no longer exist, it’s a luxury that neither channel pros nor their customers can afford. Businesses today need a new approach to protecting information and assets that many experts call “zero-trust security.”
At a recent SMB Forum event, ChannelPro asked three experienced providers of cybersecurity services to explain exactly what that term means and how to put it into practice with end users. Here are their thoughts on three fundamental questions about a critical concept.
1. What is zero-trust security?
More than a specific technology, or even a set of them, zero-trust security is a mindset in which no person, process, application, or endpoint—inside or outside the network—is considered implicitly trustworthy, and every attempt to access any resource must prove that it comes from a legitimate source with appropriate privileges.
“I think about it in terms of authentication,” says Michael O’Hara, principal consultant at MEDSEC Privacy Consulting, a healthcare industry cybersecurity service provider. “What you’re really looking at is who’s trying to access the data, who or what has the ability and the rights to access the data, and how is that being monitored so that at any given time a person trying to access a workload, whether it’s in the cloud or on-prem, is authenticated and validated.”
That, in turn, is fundamentally an exercise in defining, setting, and enforcing sound policies, according to Bruce McCully, chief security officer at Nashville, Tenn.-based Galactic Networks, a managed security services provider. “What we’re doing with our partners and other MSPs to help them protect themselves is really help them get to a point where they’re managing these different policies and basically monitoring them for changes and abuse, rather than just throwing on more and more agents and hoping that the next anti-virus is going to protect them,” he says.
O’Hara stresses the particular importance of policies that give people everything they need to do their job—but nothing more—by assigning access rights on a “least privilege necessary” basis. The same logic should apply to applications, hardware, and everything else, he adds.
“When we think about traditional least privilege, it’s for users,” O’Hara notes. “We don’t really think about that when we’re talking about our workloads or our network equipment or our servers.”
2. What are some core elements of a zero-trust security architecture?
There are several technologies commonly found in well-designed zero-trust environments, including identity and access management systems and whitelisting software. One that pretty much every zero-trust architecture should include, however, is disk encryption, which is available to most end users at no added cost via the BitLocker feature of Windows 10 Pro.
“It’s a low-cost, high-yield solution that’s going to really help secure you,” O’Hara observes.
It can also frighten some channel pros who worry about lost decryption keys and inaccessible data, observes Paco Lebron, CEO of ProdigyTeks, an MSP in Chicago. “Well, it’s either that or more work for you … if someone has stolen data, or a laptop’s stolen, and you’re trying to figure out how to track it down,” he notes. “You’d rather have that peace of mind in that case.”
McCully calls multifactor authentication another no-brainer for zero-trust environments. Indeed, according to Microsoft, organizations protected by MFA are 99.9% less likely to be compromised by cyberattacks.
Microsegmenting the network can be highly effective as well, McCully adds, citing an MSP that hosts its RMM and PSA applications locally as an example. “Instead of just having a subnet where they’re up there sitting, and all of your workstations are sitting on the same wire and all of this other stuff, you create a vLAN for your workstations, a vLAN for your RMM, and a vLAN for your PSA, and you only let through the things that should be moving through the LAN inside of your firewall.”
Implementing secure access service edge (SASE) solutions, which fuse security functionality with network connectivity and then deliver it via the cloud, extends the same logic to every device that connects to corporate resources, McCully notes. “Basically, you’re moving the segmentation to the endpoint itself.”
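The pieces described so far (authenticated and validated access, least privilege for users and workloads alike, policies that are monitored for changes, MFA, and a segment allowlist between the workstation, RMM and PSA VLANs) fit together as a single default-deny decision. The following is an added example written for this page, not code from the article or from any of the providers quoted in it; the principals, segments, ports, resources and sample requests are all constructed for illustration.

```python
"""Toy zero-trust access decision (added example; not code from the article or
from any provider quoted in it). Every request starts out denied and is allowed
only if it passes all checks: MFA-backed authentication, a segment allowlist,
and least-privilege grants that cover workloads as well as people.
All principals, segments and resources below are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed inter-VLAN allowlist: (source segment, destination segment, TCP port).
# Any flow not listed is dropped, so adding a rule is the only way to open a path.
SEGMENT_RULES = {
    ("workstations", "psa", 443),   # techs reach the PSA web UI
    ("workstations", "rmm", 443),   # techs reach the RMM console
    ("rmm", "workstations", 5985),  # RMM server manages agents (WinRM)
}

# Constructed least-privilege grants: (resource, action) per principal.
# Service accounts (workloads) get the same treatment as users.
PRIVILEGES = {
    "alice@example.test": {("ticketing", "read"), ("ticketing", "write")},
    "bob@example.test": {("ticketing", "read"), ("rmm-console", "read")},
    "svc-backup": {("file-share", "read")},  # workload: read-only, nothing more
}


@dataclass(frozen=True)
class Request:
    principal: str
    mfa_verified: bool
    src_segment: str
    dst_segment: str
    dst_port: int
    resource: str
    action: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(req: Request) -> Decision:
    """Default deny: return the first failing check, or allow if none fail."""
    if not req.mfa_verified:
        return Decision(False, "authentication: MFA not verified")
    if req.principal not in PRIVILEGES:
        return Decision(False, f"identity: unknown principal {req.principal}")
    flow = (req.src_segment, req.dst_segment, req.dst_port)
    if flow not in SEGMENT_RULES:
        return Decision(False, f"segmentation: {flow} is not allowlisted")
    if (req.resource, req.action) not in PRIVILEGES[req.principal]:
        return Decision(False, f"least privilege: {req.principal} lacks {req.action} on {req.resource}")
    return Decision(True, "all checks passed")


def evaluate(requests):
    """Decide every request; the denials are what a monitoring pipeline should see."""
    decisions = [authorize(r) for r in requests]
    denials = [d.reason for d in decisions if not d.allowed]
    return decisions, denials


def policy_fingerprint(segment_rules=SEGMENT_RULES, privileges=PRIVILEGES) -> str:
    """Stable hash of the whole policy, so unexpected policy changes can be detected."""
    canonical = json.dumps(
        {
            "segments": sorted(list(r) for r in segment_rules),
            "privileges": {p: sorted(list(g) for g in grants) for p, grants in privileges.items()},
        },
        sort_keys=True,
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Constructed sample requests, one per check the engine performs.
SAMPLE_REQUESTS = [
    Request("alice@example.test", True, "workstations", "psa", 443, "ticketing", "write"),
    Request("alice@example.test", False, "workstations", "psa", 443, "ticketing", "read"),
    Request("bob@example.test", True, "workstations", "psa", 443, "ticketing", "write"),
    Request("svc-backup", True, "workstations", "rmm", 443, "rmm-console", "read"),
    Request("alice@example.test", True, "workstations", "rmm", 22, "rmm-console", "read"),
]

if __name__ == "__main__":
    decisions, denials = evaluate(SAMPLE_REQUESTS)
    for req, dec in zip(SAMPLE_REQUESTS, decisions):
        print("ALLOW" if dec.allowed else "DENY ", req.principal, "->", req.resource, "|", dec.reason)
    print("policy fingerprint:", policy_fingerprint())
```

Only the first sample request is allowed; the rest fail on a missing MFA factor, a grant the user or the backup workload was never given, or a port that no VLAN rule opens. The fingerprint exists so that the policy itself, rather than only the traffic, is something you watch: if the stored hash changes without a matching change ticket, that is the "monitoring for changes and abuse" McCully describes.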
3. How do you get end users to accept the cost and inconvenience of zero-trust security?
As most channel pros know only too well, persuading clients that the safety conferred by MFA justifies the hassle isn’t easy. Convincing them to invest money in a zero-trust architecture is usually just as hard, Lebron notes.
“A lot of them are in that space of, ‘Let me throw up an anti-virus and I’ll be okay,’” he says. Walking customers through the risks you’re concerned about and how each one of the technologies you’re proposing plays an indispensable role in mitigating those risks is the key to overcoming that false confidence.
“It’s really up to us as the managed service provider to provide good talking points that are not going to go over their head and that are specific to their business,” Lebron says.
McCully has had success with a related tactic: making the danger of inaction tangible by running a penetration test of the customer’s environment. “It’s just really, really effective as an MSP to show them what the attackers will get into if somebody on their team clicks a malicious link or something,” he says.
Have a better technique? Use it. The important thing is having zero tolerance for anything more than zero trust.