Why Using the Zero Trust Security Model Will Make You a Better MSP
Cybersecurity has undergone constant change, but I believe the greatest changes have come in the last few years. The rapid, widespread adoption of new cloud and IoT technologies has created many new attack surfaces. Security practices are only now catching up to these threats.
At the front of a new wave of security thinking is the Zero Trust Security (ZTS) model. I think that applying the principles of this model to secure networks is the best way for MSPs to serve their customers going forward.
Attacks are on the rise
IBM’s 2019 Cost of a Data Breach report clearly shows that attackers have the edge right now. In 2019 for the first time, a majority of all data breaches—51 percent—resulted from malicious or criminal attacks. This is a 3 percent increase from 2018 and an overall 21 percent increase since IBM first tracked this statistic in 2014. They note that nearly three-quarters of attacks succeeded by exploiting privileged credentials or identities.
Not only are more breaches than ever caused by directed attacks, but the attacks are going undetected for longer. Breach lifecycles—the time between when a breach occurs and when it is contained—jumped noticeably between 2018 and 2019. Average breach identification time in 2019 was 206 days, and the average time to contain a breach was 73 days. That is 279 days in total.
The 2018 average was 266 days, which means we saw a 4.9 percent increase in the average breach lifecycle in just one year. Clearly, traditional network security practices aren’t working, and attackers know it.
Why is this happening?
Network security has stuck to some principles from the early days of the Internet for too long. From the beginning, openness was encouraged in network design. This was a good way to enable collaboration and sharing, but it also enabled bad actors.
In the past, security has been strongest at network perimeters. Once users or processes were on a network, the default was trust. In the world of 2020, when remote users, overlapping multi-cloud environments, and the Internet of Things deepen the reach of networks, there are now functionally no more network perimeters—only assets that we need to protect individually. We need a new approach.
What is Zero Trust security?
ZTS shifts the focus away from where you are (on the network or at the perimeter) to who you are (your identity or individual device). This makes network-based interactions much easier to monitor and manage. As the name “Zero Trust” implies, every interaction with those resources must be challenged and authenticated.
A combination of technology and policy is needed to deploy a ZTS model effectively. Multi-factor authentication is one of the primary tools used to ensure legitimate access. Access management tools, encryption, network monitoring, file system permissions, and network micro-segmentation are also key tools.
As for policy, under ZTS, user provisioning and access requests should be governed by the principle of least privilege. This helps prevent compromises from occurring and limits the amount of damage done when they do occur.
What are the challenges of deploying ZTS?
Because a very particular set of modern security tools is used, applying ZTS to legacy infrastructure can be challenging. Retrofitting existing systems and practices can sometimes be overly disruptive to customers for limited security gains.
In those cases, I believe the best approach is to make ZTS part of a security strategy looking forward. For example, businesses can incorporate ZTS principles as legacy systems are retired in favor of cloud resources. This is an area where partners familiar with ZTS can step in to deliver real value for customers.
How to implement Zero Trust security
The exact process will be different depending on each customer’s network resources, but there is a general strategy to follow.
1. Audit their network to evaluate attack targets: You can’t protect it if you don’t know it is there. Start by performing a top-to-bottom assessment of every application, device, and endpoint that might be a target for attack. This will help you understand what is most valuable to the business and help you drive a more strategic conversation around security.
2. Use Multi-Factor Authentication on the most sensitive assets: Any resources that control roles and identities need the highest level of security under a ZTS model. Directory services, domain controllers on local networks, and related management systems all should be secured with multi-step authentication.
3. Authenticate Privileged Accounts and Associated Applications: If an attacker can compromise a privileged account, they become indistinguishable from a trusted user. That means in addition to improving authentication on privileged accounts, you also need to restrict the applications used by accounts that can access your customers’ networks.
4. Monitor Privileged Activity: You shouldn’t treat account authentication as “the new perimeter,” though. Work from the assumption that privileged accounts will be compromised eventually, which means all activity still needs to be monitored. Monitor the health of all endpoint devices that privileged accounts can access to ensure that applications are updated.
Changes in account or application behavior can be a sign of compromise, so good network visibility helps prevent both external attackers and internal bad actors from expanding the scope of an attack.
On top of all this, make sure you constantly review all profiles, policies, and permissions. Office Protect is a great product to try out that simplifies security management for Microsoft 365.
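The four steps above (plus the least-privilege policy described earlier) can be turned into repeatable checks that an MSP runs against each customer. The following Python script is an added example, not code from the original post or from any product it mentions. It assumes a hypothetical, constructed inventory (assets, accounts, an application allowlist, and known sign-in devices, all standing in for the output of the step 1 audit) and a constructed sign-in log, and it flags privileged assets and accounts without MFA, privileged accounts using applications outside the allowlist, unpatched endpoints, and privileged sign-ins from an unknown device or outside business hours.

```python
from datetime import datetime

# Constructed inventory for a hypothetical MSP customer (what a step 1 audit produces). Not real data.
ASSETS = [
    {"name": "dc01", "role": "domain_controller", "privileged": True, "mfa": True, "patched": True},
    {"name": "idp-admin", "role": "directory_service", "privileged": True, "mfa": False, "patched": True},
    {"name": "fs01", "role": "file_server", "privileged": False, "mfa": False, "patched": False},
]
ACCOUNTS = [
    {"user": "alice.admin", "privileged": True, "mfa": True, "apps": ["admin-console", "rmm"]},
    {"user": "bob.admin", "privileged": True, "mfa": False, "apps": ["admin-console", "browser-games"]},
    {"user": "carol", "privileged": False, "mfa": False, "apps": ["mail"]},
]
# Hypothetical least-privilege policy: applications a privileged account is permitted to use.
PRIVILEGED_APP_ALLOWLIST = {"admin-console", "rmm", "siem"}
# Hypothetical baseline from the audit: devices each account normally signs in from.
KNOWN_DEVICES = {"alice.admin": {"lt-alice"}, "bob.admin": {"lt-bob"}, "carol": {"lt-carol"}}
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time

# Constructed sign-in log lines: timestamp,user,device,app,result
SIGNIN_LOG = """\
2020-03-02T09:01:00,alice.admin,lt-alice,admin-console,success
2020-03-02T10:00:00,bob.admin,lt-bob,admin-console,success
2020-03-02T10:20:00,carol,lt-carol,mail,success
2020-03-03T03:12:00,bob.admin,unknown-host-7,admin-console,success
2020-03-03T03:15:00,bob.admin,unknown-host-7,rmm,success
"""


def audit_assets(assets):
    """Steps 2 and 4: privileged assets must require MFA; every endpoint must be patched."""
    findings = []
    for asset in assets:
        if asset["privileged"] and not asset["mfa"]:
            findings.append((asset["name"], "privileged asset without MFA"))
        if not asset["patched"]:
            findings.append((asset["name"], "endpoint not patched"))
    return findings


def audit_accounts(accounts, allowlist):
    """Step 3: privileged accounts need MFA and may only use allow-listed applications."""
    findings = []
    for acct in accounts:
        if not acct["privileged"]:
            continue
        if not acct["mfa"]:
            findings.append((acct["user"], "privileged account without MFA"))
        for app in acct["apps"]:
            if app not in allowlist:
                findings.append((acct["user"], f"application not permitted: {app}"))
    return findings


def parse_signin_log(text):
    """Parse the constructed CSV-style sign-in log into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, device, app, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": device, "app": app, "result": result})
    return events


def detect_behavior_changes(events, privileged_users, known_devices, business_hours=BUSINESS_HOURS):
    """Step 4: flag privileged sign-ins from an unknown device or outside business hours."""
    alerts = []
    for e in events:
        if e["user"] not in privileged_users:
            continue
        reasons = []
        if e["device"] not in known_devices.get(e["user"], set()):
            reasons.append("unknown device")
        if e["ts"].hour not in business_hours:
            reasons.append("outside business hours")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], tuple(reasons)))
    return alerts


def run_all():
    """Run every check and return the findings grouped by section."""
    privileged = {a["user"] for a in ACCOUNTS if a["privileged"]}
    return {
        "assets": audit_assets(ASSETS),
        "accounts": audit_accounts(ACCOUNTS, PRIVILEGED_APP_ALLOWLIST),
        "behavior": detect_behavior_changes(parse_signin_log(SIGNIN_LOG), privileged, KNOWN_DEVICES),
    }


if __name__ == "__main__":
    for section, items in run_all().items():
        print(section)
        for item in items:
            print("  ", item)
```

Against the constructed data the script reports the directory service and one admin account without MFA, an unpatched file server, a non-allow-listed application on a privileged account, and two early-morning admin sign-ins from a device that was never part of the baseline. In practice the inventory and log would come from the customer's directory, RMM and sign-in telemetry, and the findings would feed the regular profile, policy, and permission reviews described above.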
You can move customers toward better network security
After an assessment, you’ll realize that no network is 100% secure. This is why deploying a Zero Trust Security model is now the best way to ensure that your customers’ multi-cloud and hybrid-cloud networks stay secure. Since this model ensures that every individual asset is secured through authentication and authorization controls, we can rest assured that we are doing a better job of securing what modern cybercriminals are targeting, rather than the main targets of yesteryear.