I know that Zero Trust has become the new buzzword within the MSP community. There are a lot of vendors pushing Zero Trust and their products as a solution to initiating a Zero Trust framework. The problem is that there is no easy button to simply transform into a Zero Trust-focused organization.

To step back for a moment for those of us catching up, what exactly is Zero Trust?

A Zero Trust framework takes the approach that nothing can be trusted. No device or application can be trusted—and especially the people that are operating those apps and machines. You’ve got to do due diligence to ensure that those devices can be trusted (you can’t inherently trust anything).

Some products do a good job of promoting Zero Trust as part of their pitch, but when the rubber hits the road, there is no one silver bullet that will transform your MSP or network into a Zero Trust-focused company.

If you want to change the way your team understands and handles its security risk, you’ve got to drive those changes with culture. If you buy shiny new tools (and many of these are extremely helpful), but have not gotten your team(s) on board with implementing Zero Trust, you’re probably wasting your time and money. Your team is probably smart enough to find workarounds for the security you’re investing in.

Here is a prioritized list of how I recommend going about tackling Zero Trust:

1. Start with your people—human beings are the weakest link in security. We are the ones that add all of the fuzzy grey areas that we might have hoped were simply black and white.

Falling victim to phishing attacks, making mistakes, misconfiguring or bypassing security, and poor password management are just a couple of examples of where we’ve seen MSP employees impede Zero Trust. The problem is that many MSPs haven’t made a priority of explaining to their teams the whys behind security policies. In my experience, team members won’t simply follow guidelines—especially policies that make their work life harder—without really understanding why they’re committing to changes.

In order to get your team to embody Zero Trust, they need to be interested in changing. What we’ve found creates substantial change within MSP team culture is Security Operations (SecOps) calls. As your team is exposed to relevant and timely issues and is given missions to improve organization-wide security stances, they empower themselves and start to own lapsed security initiatives.

2. Zero Trust your workloads—your security workload is the next part of making sure you are systematizing your security work, rather than piling up tasks.

Start getting your team to think about what they’re doing and figure out what they can modify to make security part of your standard processes. If you are able to start getting your teams to see security problems within your processes and improve operations with a security mindset rather than stacking on additional rework, you will be better off (this is where SecOps really helps MSPs).

3. Understand what you permit on your network—many of us adhere to allowing only company-issued devices on our networks, but how does this work with remote team members? How are you ensuring that work-issued devices within remote environments are sanitized? As you start to tackle this issue, have your team research and come up with preliminary solutions. As I mentioned in point #1, you’ve got to tackle the human side of security before doing anything else.

4. Segment your network—the smaller the segments within your network, the less lateral movement (and risk) you will see if you have an incident. Instead of simply stacking layer upon layer of security, consider isolating key assets. Identify where critical data is located and make sure that your network’s design allows for limited access to those parts of your network where appropriate.

5. Protecting critical data—understanding exactly what is critical or sensitive on your network is an extremely important part of getting security right. It’s critical to understand the risks your data faces and how best to mitigate data-related incidents. As you build your Zero Trust strategy, consider the following:

How does data flow within your critical business processes?
Who uses the data and what is its purpose?
Where is the data collected and stored?
What are the consequences for that data being compromised or losing its integrity?

Bottom line: Zero Trust is much more than a product. It requires consistent evaluation and team buy-in. Unless you are inspecting what you’re expecting, you’re likely falling short on expectations.