How can we as an MSP community keep secure?

With disruptions from the COVID-19 pandemic, working from home and hybrid conditions, plus the growing number of critical vulnerabilities (think zero-days) lingering on networks for too long, we need something to change.

As your team and clients seek to protect their systems and data, we need a better way forward.

As hackers prey on uncertainty and target the weakest links in your systems, we need a simple framework that we can all follow without the added hassles and headaches of having to entirely redo or reshape how cybersecurity works and runs within our networks.

As you look to protect your MSP from the latest ransomware attacks, you should consider how your team’s mindset might be setting your security back.

We’ve relied on a perimeter to protect us. Firewalls, similar to medieval fortified castle walls, can only go so far unless we get our teams, tools and technology trained to avoid relying on silver-bullet security. Today our security demands far exceed—but still include—the simplicity of making sure the doors are locked.

We simply cannot rely on single-point-of-failure security stances.

Enter a Zero Trust mindset.

Zero Trust considers everything on our networks—every single device—as a potential point of compromise.

When you’re thinking about implementing Zero Trust throughout your network, you need it to adapt—the original Zero Trust framework was meant to adapt and respond to changing times. Instead of constraining your team or network to a specific technology, Zero Trust should be thought of as more of a mindset in how you and your team operate. There is no one tool that will get your organization to adhere to Zero Trust.

The goal of Zero Trust is to shift your mindset, and the mindsets of your team, toward approaching all devices as threats. I know some might object that it’s overkill to suspect everything as a threat.

Especially as your team and your clients continue to work remotely, it’s harder to completely know that devices are locked down and that even those remote environments have hardened firewalls. (I recently audited a variety of remote computers at MSPs that assumed their team members had been using secure firewalls.) In performing an audit of their remote team members, it was apparent that many were using default configurations on ISP-issued routers.

As your team moves from home to work to a coffee shop, how can you make sure they are secure? And even more, what about the clients you support? How “dirty” are their devices?

The perimeter-less new normal makes traditional security frameworks even harder to assess. That’s why I sold my MSP and set a goal to help MSPs protect their clients and why I sincerely think that all MSPs should be adhering to a Zero Trust mindset.

So how can you start implementing a Zero Trust framework that works for your MSP?

When we talk about Zero Trust, we refer to five areas of trust:

Trusting Applications—making sure your applications are not only approved (whitelisting), but also configured securely and updated regularly to avoid exploitation.

Trusting Our Data Is Secure—making sure your data is backed up, that you have identified and understand where critical data lies on your network, and that sensitive data is being protected and is not vulnerable to exfiltration events.

Trusting Devices—making sure devices are not trusted on your network unless you are able to monitor them and have alerting to detect indications of compromise.

Trusting Moving Data—making sure that data you move within, to and from your organization is protected from being compromised.

Trusting Users—trusting that your team (or users) are adhering to the Zero Trust framework. Your team is bought into adhering to security and understands why they’re doing things rather than simply following protocols and procedures.

Steps To Implementing Zero Trust

  1. Define the surfaces you need to protect. Protect all surfaces that your team identifies as being critical. This might include sensitive data, critical data or other assets that are critical in your company.
  2. Map traffic across your network. Understand how different resources interact, allowing you to see dependencies in the event you have an incident within your network. This will help your team start thinking about disaster response across various scenario sets.
  3. Build a Zero Trust customer solution—to really get your MSP on board with Zero Trust it needs to be part of your service delivery. Instead of simply giving lip service to the framework, find ways to implement it into your service offerings, or even make it a part of your unique sales proposition.
  4. Create policies focused on Zero Trust. Don’t just redefine your policies. Get your teams involved in helping with them and enforcing them organically.
  5. Monitor your network. Zero Trust is completely iterative. There is no single state of being in a Zero Trust environment. Your Zero Trust needs to be customized in the context of your business and that of your clients. It requires continual inspection, maintenance and revision based on what we know from cyber intelligence. One of the easiest ways to start getting visibility into the problem is through a cyber stack evaluation.

Bottom Line: as cyberattacks continue to increase in frequency and severity, simply relying on technology to solve your security problems will not be good enough. A new mindset and strategy will help you much more. Zero Trust is a good step towards security in 2021, as it goes beyond traditional concepts and empowers your teams to adhere to, recognize and understand why security and cyber hygiene are important.