The fundamentals of implementing a zero trust policy

By Patrick Beggs, CISO at ConnectWise.


Zero Trust is a fresh, bold approach to cybersecurity that relies on continuous validation of transactions rather than implicit trust.

More and more clients are enquiring about zero trust security but MSPs don’t always have the answer to hand. Put simply, it is a comprehensive framework that guarantees that every user and device accessing corporate resources is who or what they claim to be. No-one can access a trusted environment without rigorous and continual validation.

In today’s enterprise IT landscape, the traditional security perimeter has practically ceased to exist, as data is distributed far and wide across countless devices, apps and individuals. Thus, zero trust works on the assumption that the network edge is irrelevant. Modern networks are local, or in the cloud or hybrid, while users and resources can be located anywhere. This means companies that employ a traditional perimeter security model are putting digital assets at risk.

Back to basics

So, how do we best enforce a zero trust security policy? Start with best practices, such as multi-factor authentication (MFA) to identify users accurately. Keep up with patch management and software updates so devices remain functional. And observe and gather useful network information to shape access control. At the same time, restrict user access to only the relevant data and assets, as opposed to the whole network.

Start at the very beginning

The first step in your journey is identifying the so-called ‘protect surface’, i.e. your most valuable data, applications, assets and services (DAAS). Rather than trying to defend the whole ‘attack surface’ or to focus simply on the perimeter, which is not effective, companies should concentrate resources on shielding what is truly important to the business. Moreover, this is easier because typically the protect surface is much smaller than either the attack surface or the perimeter.

Understand your vulnerabilities

Define your network topology in detail so you know where your assets are. This helps you understand who your users are, what devices they use and what services and data they access. Networked components require additional caution: any public or private network is regarded as hostile in a zero trust world. That means that some existing services that were not built for this stricter world may not be able to protect themselves.

Next, after mapping the network topology, we need to identify how your systems operate. To verify that a user or device meets the necessary access requirements for protected areas, you will have to identify the locations where access controls are required. By rolling out these restrictions, security administrators can also eliminate unauthorised user-to-application communications.
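As an added illustration (not code from the author or from any product), the sketch below shows a per-request access decision that combines the checks described so far: entitlement to a specific protected resource, recent MFA and a patched device. The resource names, roles, time limits and the default-deny rule for unlisted resources are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy map: protected resource -> roles entitled to reach it.
# Resources that are not listed are denied (default deny is an assumption).
PROTECT_SURFACE = {
    "billing-db": {"finance"},
    "ticketing-app": {"technician", "finance"},
}
MAX_MFA_AGE = timedelta(hours=8)     # assumed re-validation interval
MAX_PATCH_AGE = timedelta(days=30)   # assumed patch-compliance window

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa_verified_at: Optional[datetime]    # None: session has no MFA
    device_patched_at: Optional[datetime]  # None: unmanaged or unknown device

def evaluate(req: AccessRequest, now: datetime):
    """Return (allowed, reasons). Network location is never an input."""
    reasons = []
    entitled = PROTECT_SURFACE.get(req.resource)
    if entitled is None:
        reasons.append("resource not in policy map")
    elif req.role not in entitled:
        reasons.append("role not entitled to resource")
    if req.mfa_verified_at is None:
        reasons.append("no MFA on session")
    elif now - req.mfa_verified_at > MAX_MFA_AGE:
        reasons.append("MFA too old, re-validate")
    if req.device_patched_at is None:
        reasons.append("unknown device")
    elif now - req.device_patched_at > MAX_PATCH_AGE:
        reasons.append("device patches out of date")
    return (not reasons, reasons)

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # constructed clock
    fresh, stale = now - timedelta(hours=1), now - timedelta(days=90)
    for req in (  # constructed sample requests
        AccessRequest("ana", "finance", "billing-db", fresh, fresh),
        AccessRequest("raj", "technician", "billing-db", fresh, fresh),
        AccessRequest("ana", "finance", "billing-db", fresh, stale),
        AccessRequest("ana", "finance", "billing-db", None, None),
    ):
        print(req.user, req.resource, evaluate(req, now))
```

Because the decision is recomputed on every request, a session that was acceptable in the morning is refused once its MFA or patch evidence ages out, and the returned reasons give administrators something to log and review.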

The zero trust approach enables you to solve common security issues, such as safeguarding remote workers, protecting hybrid cloud infrastructure and defending against costly and disruptive cyberthreats. It helps you put a protective bubble around valuable assets and data, enabling them to operate with confidence in a complex environment. It can also turbocharge a company’s digital transformation by providing the peace of mind that the important stuff is safe.

A helping hand

While different vendors might have different approaches to, and even definitions of, zero trust, there are industry bodies that are providing clarity and standardisation. The Zero Trust Maturity Model, which covers identity, device, network, application workload and data, has been developed by the Cybersecurity and Infrastructure Security Agency (CISA) with a view to accelerating an organisation's zero trust journey.

It is a journey that can take years to implement fully, and even then it will require constant maintenance because networks are always evolving. If you understand the basics of the zero trust architecture now as an MSP, you are well equipped to help your clients as it becomes more of a priority for them. In all likelihood, many are already thinking about upgrading to zero trust, not least because research suggests it leads to 50 per cent fewer breaches and can save 40 per cent on IT spend. Now is the time, therefore, for MSPs to lead by example, make their own businesses more secure and resilient and light the path for clients to follow.
