Zero Trust: It's Okay to be Paranoid!

Those of us in the tech world, or that pay any attention at all to cybersecurity, have gotten a little paranoid…and that’s perfectly appropriate. It’s the reason why the zero-trust exists–and why it’s so effective.

Zero-trust says trust nobody and nothing. Verify everyone and everything. Assume a breach is coming at all times. Microsoft says, “Zero-trust is the essential security strategy for today’s reality.”

Where most security focuses on IP addresses, zero-trust demands that you make sure that the people and devices that are trying to access your network are who they say they are. It’s a much more secure way of operating for customers. It’s also a substantial project for MSPs and MSSPs, because it incorporates IAM, MFA, NAC, endpoint protection, least-privilege access, micro-segmentation and more.

Sounds Like a Lot…

That’s because it is, and that’s good news. It means more revenue opportunities and more secure clients, so other than the learning curve, there isn’t really a downside. (And you’ve always got the Tech Data Cyber Range to help with the education piece.)

A quick tour through all the things your customer will want you to do once you’ve convinced them that zero-trust is the best way to stay secure:

Continuous Monitoring, Continuous Validation

The zero-trust philosophy means you’re always assuming there are cybercriminals crawling all over your network – no machine, no endpoint, nothing can be automatically trusted. Every user attempting to access the network must prove their identity and their allowed privileges. The same goes for the device they’re using.

And if you thought maybe we were going easy on users, fear not. Logged in connections time out every now and then so users have to re-authenticate.

Multi-Factor Authentication

More and more networks, including many that we all use daily, are sending you a code on your mobile when you try to log in. You must enter the code to gain access. It combines something you know (your password) with something you have (your mobile) to stop un-authorized access wherever it’s used.

Least Privilege Access

One of the least secure environments we’ve found are networks where everybody has full access privileges to files. Why? Because it was the easy way to get them set up! Holes like that can last a long time. Eventually, a bad actor will find them and exploit them.

Using role-based access control (RBAC) will make things easier, but you do really need to make sure that every user gets access to only the minimum number of assets they need to do their work. The more you generalize, the more you expose. Assign everyone to appropriate groups and then manage permissions for the groups!

Network Access Control (NAC)

Just when you thought we were lightening up on you, your device will need to authenticate itself, too. Zero-trust wants to know if its authorized, properly secured, and hasn’t been compromised, all to keep your network’s attack surface as small as possible.

Microsegmentation

With microsegmentation, you break up security perimeters into smaller pieces or zones. Even if assets and users are in the same data center, they are likely not in the same microzone. It’s another layer of authentication.

Have you been quietly tallying up all these projects your customer will need you to do to make all this happen? And we haven’t even gotten to the behavioral monitoring and other AI-based components you can weave into a zero-trust solution. Taking it further, zero-trust is also an excellent component of Secure Access Service Edge (SASE) solutions for highly distributed networks.

Zero-trust requires that you truly elevate your customer’s security posture with stronger governance. In return, it makes policy enforcement significantly simpler. Tech providers are right to be paranoid. Zero-trust is the mindset we should all be approaching our security strategies with. Not only will it help keep clients safer, but it raises new revenue opportunities, too.?