This article is the third in a series of three posts on Zero Trust for MSPs. Check out our first post on the benefits of Zero Trust, and our second post on getting client buy-in.
So, you’ve managed to get client buy-in on adopting a Zero Trust framework. Now the real fun begins: helping them convert their legacy system into an optimized Zero Trust model. This implementation guide is based on the Forrester white paper, “A Practical Guide to Zero Trust Implementation,” but has been adapted for use on behalf of your clients.
Initial Strategy and Development
Forrester recommends starting your Zero Trust implementation by taking stock of your current security system. For MSPs, this means performing a security assessment for your clients and formalizing their Zero Trust rollout strategy based on your findings.
Step 1
Get your client’s feedback on what they think needs to change in their security strategy. Then, perform your assessment and review your suggestions with them. Questions to ask during the audit:
“Where do you feel the greatest weakness in your current security strategy is?”
Some options: identities (lack of authentication), endpoints (lack of device visibility), apps (lack of control and monitoring), infrastructure (lack of access control, not using least privilege), data (lack of cloud-based protection), network (lack of threat detection or weak encryption).
“In order to start Zero Trust at your organization, what has to change?”
For example: Is there legacy software that needs to be upgraded? Do they have the capabilities to implement MFA, passwordless authentication, etc.?
“Will these necessary changes require a time investment, a training investment, a cost investment, or all three?”
Help them prioritize and plan these changes in a phased manner.
Step 2
Work with your client to develop a feasible Zero Trust rollout strategy with milestone deadlines.
Look at the organization as a whole and try to align the Zero Trust adoption timeline with other large company-wide initiatives. For example, if the whole company is looking to move to cloud-based software, that’s the perfect opportunity to piggyback with Zero Trust, too.
Depending on resources, full adoption typically takes 1-3 years.
Create the deadline for full adoption, then work backward to decide on smaller milestones and deadlines.
Step 3: Continue Your Role as a Trusted Advisor
Throughout Zero Trust implementation, ensure you have a clear, easy way for your clients to communicate issues with you. Make sure your customer support team is trained on common Zero Trust tickets to help further build trust and authority, and remember: you’re dealing with a nontechnical audience.
Once you’ve formalized the Zero Trust rollout strategy with your clients, it’s time to begin implementation. Though each organization’s timeline will look slightly different, all rollouts should take place in three main stages.
Stage 1: Start with Users
Assuming Forrester’s recommended 3-stage Zero Trust adoption timeline, the first phase should focus on identities and people. There are a few main reasons for this. First, it gives your clients a chance to focus on employee security buy-in. It is harder to form compliant, secure networks and devices if your users aren’t on board with Zero Trust, making it a logical place to begin.
Users are also the most likely to be compromised by cyberattacks (via stolen credentials or data breaches) and the easiest to protect (with additional authentication and a robust Zero Trust campaign).
Here are three main things to ensure you include in the user section of your client’s Zero Trust rollout plan.
Invest in IAM solutions like MFA and SSO
MFA is one of the very best security measures you can take to protect your client’s identities, and its implementation represents a short-term win to build confidence right out of the gate. These security measures are quick to implement without adding significant inconvenience to users.
Note: equipping your clients to run IAM services may be as easy as turning on options in their current cloud native security software, or may mean selling them an add-on product or extension to their existing system. Make sure you’ve accounted for these changes in your rollout strategy.
Apply least privilege principles as soon as possible
Implementing least privilege will likely include a current access audit to ensure existing users have the appropriate level of access, and no more. It’s easier to do this through user groups rather than per individual user, but in a smaller company this distinction may not matter so much.
For example, you could create a batch of least privilege permissions for all interns that expires after 3 months and only provides “viewer” privileges. Or maybe you make an executive leadership group where all execs receive the same least-privilege access to major applications and data. If you start with batch creation as an established baseline, you can always go back and increase privileges on a case-by-case basis later.
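The group-based baseline described above, as an added example that is not part of the original article or any JumpCloud product: a constructed least-privilege model where a time-boxed "interns" batch grants viewer rights for 90 days, an "execs" batch grants one shared bundle with no expiry, and any per-user increase is recorded as an override so the access audit can find it later. Group names, permission strings and dates are all constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Group:
    name: str
    permissions: frozenset            # what every member of the batch gets
    duration: Optional[timedelta] = None   # None means the grant never expires

@dataclass
class User:
    name: str
    groups: tuple                     # group names: the established baseline
    joined: date
    overrides: set = field(default_factory=set)   # case-by-case increases

# Constructed sample baseline: interns are viewer-only for 90 days, execs all
# receive the same least-privilege bundle for the major apps, with no expiry.
GROUPS = {
    "interns": Group("interns", frozenset({"docs:view", "crm:view"}), timedelta(days=90)),
    "execs":   Group("execs", frozenset({"docs:view", "docs:edit", "crm:view", "finance:view"})),
}

def group_active(user: User, group: Group, today: date) -> bool:
    """A time-boxed group stops granting anything once its window has passed."""
    return group.duration is None or today <= user.joined + group.duration

def effective_permissions(user: User, today: date) -> set:
    """Baseline from active groups, plus whatever was added for this person."""
    perms = set()
    for name in user.groups:
        g = GROUPS[name]
        if group_active(user, g, today):
            perms |= g.permissions
    return perms | user.overrides

def is_allowed(user: User, permission: str, today: date) -> bool:
    return permission in effective_permissions(user, today)

def review_queue(users, today: date):
    """Accounts whose access no longer comes from the baseline alone (an expired
    batch or per-user overrides): the ones to re-check in the access audit."""
    flagged = []
    for u in users:
        expired = [n for n in u.groups if not group_active(u, GROUPS[n], today)]
        if expired or u.overrides:
            flagged.append((u.name, expired, sorted(u.overrides)))
    return flagged
```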
Keep in mind that this will very likely reduce or even remove privileges that some end users currently have and may feel entitled to keep. Communication is paramount to a successful rollout of least privilege principles, which means a steady pulse of emails, reminders, and training. Work with your champion to identify who across the organization may struggle with this transition the most, so you can spend additional time with them. That extra hand-holding at this phase will pay dividends over the years to come.
Get rid of passwords altogether (if you can)
If you haven’t heard of the passwordless movement sweeping large companies like Microsoft, Google, and Apple, this may seem a little out there. But many enterprises are moving toward a truly passwordless system of identity management.
The reasoning is clear: according to Forrester, “passwords are snoopable, crackable, and stuffable, representing a significant weakness”. Converting to passwordless authentication methods greatly increases security while providing a seamless user experience.
Go Passwordless in 3 Easy Steps:
- Ban easy-to-guess login credentials. Start with a list of banned passwords users aren’t able to set as login credentials, such as 1234, Password1, etc. This is a great starting step to increase security while you work on a larger passwordless strategy.
- Upgrade your stack. Going passwordless is, admittedly, a lot easier if your clients are already running cloud-based software. These modern products easily lend themselves to extensions with passwordless authentication options like biometric scanners and MFA.
- Weed out all old-school authentication methods. If your clients are still using any products or applications with legacy login (simple username and password) that cannot support MFA, those products need to go before the environment can be truly passwordless. For clients running many on-prem systems, this step may take a while and represent a significant cost. For those clients already working from the cloud, this should be a quicker fix.
Note: Going entirely passwordless won’t work for all clients. Due to government regulations and compliance laws, users in certain positions or in certain industries are required to maintain a username/password login interface. However, moving toward passwordless authentication for other employees will still significantly increase your clients’ security posture.
Stage 2: Apply User Principles to Devices
Once your client has adopted their Zero Trust user policies, move on to the next biggest vulnerability: devices.
Remote-first work happened so suddenly amidst the pandemic that many organizations weren’t properly prepared. Today, they may still have weak bring your own device (BYOD) policies, or may still be relying on outdated machine and device rules. For Zero Trust to be successful on the device level, your clients have to be able to track, secure, control, and decommission devices seamlessly. Here are a couple of steps for rolling out Zero Trust to devices.
Revise the current, or develop a formalized, BYOD policy
If your client has a BYOD policy, take a closer look at it. If they don’t have one but allow it, help them formalize it. There are both pros and cons to allowing BYOD, and many companies are turning to BYOD as the default in the new hybrid environment.
Should your client choose to allow BYOD, you’ll need to help them create a clear policy that protects both users and company assets. For example, personal devices often have less stringent security requirements, anti-malware, and patches, leaving them more vulnerable to being compromised than the average managed device.
One solution is to use software that conducts “device health checks” prior to allowing an employee-owned device to connect to company networks or applications. You can then apply software-defined network (SDN) solutions to these devices to ensure continual security. Another option is to secure company access and data by using a security solution that offers containerization of company assets. Containerization keeps company assets from intermingling with personal information, and makes offboarding secure and swift if a user leaves the organization.
- Ensure least privilege and Zero Trust principles are active for devices. This means creating safeguards and policies that require constant verification of devices, not just during login activity.
- Suggest a cloud-native security solution like JumpCloud. The ease of managing devices in a single pane is one of the biggest selling points of upgrading to cloud native security software. For your MSP, the multi-tenant portal is indispensable for simplifying your customer care.
It can be challenging for teams to keep track of all their devices at once, especially if they are juggling both managed and personal devices. Cloud native software can streamline this by giving IT admins (or you, as the MSP) a single platform where you can view all devices, commission and decommission remotely, manage patches, and change privileges and permissions. If your client isn’t currently using cloud software, this is a great opportunity to show them the benefits.
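The device health check and the "verify constantly, not just at login" rule from the steps above, as an added example that is not code from the original article or from any vendor product: a constructed posture gate that denies a device whose checks fail, routes a healthy personal device into the containerized company workspace only, and treats any posture report older than the re-check interval as unverified, so an access decision made at login cannot simply be kept for the whole session. Field names, thresholds and the sample devices are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class DevicePosture:
    device_id: str
    managed: bool              # company-managed vs employee-owned (BYOD)
    disk_encrypted: bool
    anti_malware_running: bool
    os_patch_age_days: int
    reported_at: datetime      # when this posture report was collected

# Constructed policy thresholds (assumed values, not from the article).
RECHECK_INTERVAL = timedelta(minutes=15)   # a report older than this is stale
MAX_PATCH_AGE_DAYS = 30

def posture_failures(p: DevicePosture) -> list:
    """Every health check the device fails; an empty list means healthy."""
    failures = []
    if not p.disk_encrypted:
        failures.append("disk not encrypted")
    if not p.anti_malware_running:
        failures.append("anti-malware not running")
    if p.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"OS patches {p.os_patch_age_days} days old")
    return failures

def access_decision(p: DevicePosture, now: datetime) -> tuple:
    """Returns (decision, reasons). Decisions: 'allow' for a healthy managed
    device, 'allow-container' for a healthy BYOD device (company data stays in
    the containerized workspace), 'deny' otherwise. A stale report is a deny
    regardless of its contents, which is what forces continual re-verification."""
    if now - p.reported_at > RECHECK_INTERVAL:
        return ("deny", ["posture report stale; device must re-verify"])
    failures = posture_failures(p)
    if failures:
        return ("deny", failures)
    return ("allow" if p.managed else "allow-container", [])

# Constructed sample devices at a fixed clock.
NOW = datetime(2024, 6, 1, 9, 0)
MANAGED_OK = DevicePosture("lap-001", True, True, True, 5, NOW)
BYOD_OK = DevicePosture("phone-007", False, True, True, 12, NOW)
BYOD_UNPATCHED = DevicePosture("phone-009", False, True, True, 45, NOW)
MANAGED_STALE = DevicePosture("lap-002", True, True, True, 2, NOW - timedelta(minutes=20))
```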
Once stage 2 is complete, your client should be fully entrenched in a Zero Trust culture. Applying these principles to users and devices already provides a much more robust security strategy that you and your clients can be proud of.
Stage 3: Apply User and Device Principles to Networks
The final stage of Zero Trust implementation is taking the principles used in user and device management and applying them to your clients’ broader networks. These networks have changed since the pandemic, but contrary to popular belief, they haven’t disappeared entirely.
“The perimeter did not disappear: our perception of the network perimeter has just evolved,” said Forrester. Network perimeters used to be physical, like a building or a geographic location. Now, that location still exists, but it lives in the cloud.
In some ways, digital perimeters are more secure; cybercriminals can no longer walk into a building and wreak havoc on a company’s networks. But they have grown in sophistication since 2020 too, and the cloud network still must be protected. Help your customers understand the importance of controlling their network perimeters, and offer software solutions to help make the process as painless as possible.
One way to secure this digital network with Zero Trust is by using a segmentation policy to “redraw” your clients’ security perimeter. For example, segmenting standard vs. admin users offers admins the access they need to perform their daily tasks without giving standard users the same privileges. A more barrier-focused solution for in-office networks may be something like virtual local area networks (VLAN) separation, where certain protocols are limited to specific enterprise network segments.
Another argument for the cloud: cloud security platforms allow IT admins to manage network permissions all from one place, making network Zero Trust a much easier process.
Continue Growing Your Zero Trust Knowledge
To accompany this article series, we’ve recently released a free whitepaper, Zero Trust for MSPs. This roadmap explains what Zero Trust is (and isn’t), the key benefits of using the framework, how to package and sell it to clients, and the three critical steps to implementation. The resource also includes suggestions for further reading, and free downloadable templates for use in your business. Download the whitepaper today.