Is your perimeter going to keep you safe? Why you might want to consider Zero trust instead.
We all are familiar with traditional perimeter-based security controls. The concept that your team, applications and systems are all operating within a trusted zone inside of a firewall. Is everything secure inside that firewall?
Let’s think about this for a second.
First off, we’ve seen zero-day vulnerabilities in a variety of firewalls within the past year. Exploits that were making it easy for hackers to enter your network with little to no effort.
Second, with your teams and clients still working from home, how sure can you be that they all have properly configured advanced firewall threat detection enabled? In our analysis of well over 500 MSPs in the past year, we are seeing most from home workers without even basic firewall protections (many even using basic ISP-issued routers WITH default passwords!).
How can you trust your perimeter to stop EVERYTHING malicious from coming in and out? How can you maintain a clean network simply relying on tools that even occasionally fail? (I’m not just picking on firewalls here)…
Enter Zero Trust.
The perimeter security paradigm has long since fled the coop. We need something more robust. We need something that will make vigilance more the norm than simply nice—especially as the trustees of valuable data.
Zero Trust is based on the premise that every request, every action from within or outside of your network cannot be trusted. It emphasizes that we all need to think before acting. Nothing can inherently be trusted without validation.
What does a Zero Trust mentality give you?
Heightened account visibility—your processes to control access to your network and your data. You will maintain access for your team, vendors, and clients on a need to access basis.
Get granular on how you control your network—instead of relying on tools to detect or manage your network, you enable your team with specific policies to determine what may be permitted on your network.
Better understand your risk—have acute visibility on your users, your tools, and behaviors to better grasp where your network risks lie.
Here are 5 considerations when planning out your Zero Trust:
Zero Trust is more than just technology—in order for you to be successful implementing zero trust, you and your team need to own it. What I mean by this is you can’t just install something or plug in a new shiny toy and expect zero trust to work. It doesn’t really work that way (if people are selling you zero trust and guaranteeing it working by simply using their software or hardware, they’re selling you a black box that won’t get you the results you’re looking for). Zero Trust needs to be engrained in your culture. If your team isn’t talking about security events and isn’t looking at ways to make your client experience more secure, all the money in the world will do little to keep your environment and that of your clients secure.
Zero Trust Requires a change in mindset—I completely get that change is hard, but if you let your team stick to the status quo on security, you’re making your security less safe. Explain to your team why they need to continually tweak processes and make changes. By telling stories and opening up a dialogue around why things are done a certain way, you will help facilitate a change in mindset from within your organization.
Visibility is key to Zero Trust—you can’t protect what you can’t see. That means unless you’re overturning the rocks within your organization (at least occasionally), you’re probably nowhere near a Zero Trust environment. One of the easiest ways MSPs and their clients have visibility and accountability on securing their systems is by continually monitoring their security posture and cyber stack.
Verify everything— in order to get to zero trust, you will have to verify what you think is happening in your environment. Overview or overwatch what is going on in order to know that security is working the way you expect it to.
Zero Trust requires your entire network—some folks may suggest that zero trust only needs to be applied to the endpoint layer of your security. But deep down, everything needs to adhere to the framework. It’s not either-or. Zero trust requires the entirety of your security, from policies, processes, all the way out to your perimeter.
Bottom line: The more your team thinks in a Zero Trust capacity the safer they will be.
