The following article is associated with a JumpCloud webinar on Zero Trust security for MSPs. The presentation features Dennis Moore, Owner & Senior Cybersecurity Professional at Coefficient Technologies; Jason Eberhardt, Global Vice President, Cloud & MSP at Proofpoint; Zach Boewer, Former VP of IT & Current JumpCloud Solution Engineer; and is hosted by Katie Clouse, Head of MSP Sales at JumpCloud. Watch the full webinar here.
To be a top-performing managed service provider (MSP), you need to constantly deliver new value and efficiency to your clients. Whether they’re small, medium, or large enterprises, they rely on you to provide the resources and security necessary to run their business. If you want to give them the best security framework possible, you need to implement Zero Trust (ZT).
Zero Trust has become a popular buzzword in the SaaS space over the past few years, and it’s no surprise. The framework lends itself well to remote environments, and creates an airtight security strategy. But don’t take our word for it.
JumpCloud’s own Katie Clouse, Head of MSP Sales, recently sat down with Dennis Moore, Owner & Senior Cybersecurity Professional at Coefficient Technologies; Jason Eberhardt, Global Vice President, Cloud & MSP at Proofpoint; and Zach Boewer, Former VP of IT & Current JumpCloud Solution Engineer to discuss what Zero Trust is, and how to sell it to your clients.
What Is Zero Trust?
Before you can get ZT buy-in from your clients, you need to understand the concept yourself. And while you’ve likely heard the term before, it can mean different things to different people.
Eberhardt takes a universal view of the definition. “Everything in your life is Zero Trust,” he said. “If you lock your front door, if you have a security system, if you have a camera, if you make sure that you know who’s in your house and who’s not, that’s Zero Trust. Your passwords to access your bank accounts, that’s Zero Trust. You need to have some kind of security in place to keep out the bad guys. And that’s what Zero Trust is.”
Essentially, Zero Trust is the concept of “trust nothing; verify everything.” It isn’t a product; it’s a method of approaching security, a framework. The concept centers around the idea that employees should have the lowest level of security and identity clearances necessary to do their jobs — and no more.
“You need to have some kind of security in place to keep out the bad guys. And that’s what Zero Trust is.”-Jason Eberhardt
While the concept of Zero Trust has been around for years, it’s seen a boost in popularity since the pandemic, because it works so well in distributed workplaces.
“Back when things were simple, your email server was on-prem and you controlled ingress through a password, and you had a firewall, and everything was easy,” Boewer said. “But now, we have cloud. How do we achieve security in this new wild world of no borders? Zero Trust is the next level of knowing the device, knowing the person, and having controlled, secure ingress into those systems.”
How to Sell and Implement Zero Trust
The Zero Trust framework is all about increasing security — especially in remote environments — without interfering with productivity. As the tech expert in the MSP-client relationship, you may be onboard with Zero Trust and understand its benefits. But selling Zero Trust to a non-technical audience may require a different tack. Our panelists shared their opinions on getting client buy-in.
Start with Security Awareness Training
Zero Trust only works if all users are compliant, and the best way to get them onboard is to ensure they understand why it’s important. All three panelists were huge proponents of MSPs promoting security training for their clients’ businesses to give employees context and understanding.
“The key is to make the people in your organization part of the solution, not the problem,” Eberhardt said. “Security awareness training makes them part of the solution. We want them to be engaged and we want them to understand security because [in a remote environment] security is everyone’s problem.”
Security awareness training not only gets user buy-in; it also protects your organization from user error.
“At Proofpoint, we like to say there’s three different types of users: malicious, compromised, and negligent,” Eberhardt said. While malicious users are those truly intending to do the company harm, like cybercriminals, compromised and negligent users are more common and just as dangerous. Compromised identities are those where the user reuses passwords for multiple accounts, some of which may not be as secure as others. Negligent are those users who aren’t careful enough with things like regular password changes and firewall updates.
“Make the people in your organization part of the solution, not the problem. Security awareness training makes them part of the solution.”-Jason Eberhardt
Thankfully, compromised and negligent users can easily be remedied with the appropriate security awareness training, to give them context for why security is so essential. Once your clients and their employees understand the dangers of a weakened security posture, they should be much more receptive to a Zero Trust solution.
Focus on Efficiencies
Zero Trust doesn’t just increase clients’ security tenfold; it brings in new efficiencies to improve their user experience, too. Even the most stringent anti-change employees will usually be more receptive to a new strategy if it saves them time.
“Security needs to ensure that whatever controls you put in place don’t adversely affect the users from doing their day-to-day jobs.”-Dennis Moore
Moore emphasized the user experience, too. “Security needs to ensure that whatever controls you put in place don’t adversely affect the users from doing their day-to-day jobs,” he said. “If it’s increasing their inconvenience, users will find a way to work around those systems.”
One place Zero Trust can save your clients time is with onboarding and offboarding. When working with complex organizations, how do your clients onboard employees? Is an IT admin having to touch every new employee device? If so, Zero Trust can offer a streamlined approach by taking administrative management to the cloud, where onboarding and offboarding can become a touchless automation.
The single-pane efficiency Zero Trust supports also frees up your IT admins.
“I can remember being a one-man band in IT and wanting to go ride dirt bikes and be in an area where there was no cell phone signal, but having anxiety because the company may not be able to reach me if something goes wrong,” Boewer said. “Zero Touch helps organizations get away from that by having a core foundation for security that you build on, that addresses these things in a programmatic way.”
For Zero Trust to really shine in the efficiency department, you need to pair it with a cloud-native security solution like JumpCloud. These platforms give you seamless user lifecycle oversight, while ensuring every employee gets the access they need to be productive.
“Zero Trust helps organizations get away from [the one-man IT band] by having a core foundation for security that you [can] build on.”-Zach Boewer
“That’s one of the main reasons why we partner with JumpCloud,” Moore said. “What JumpCloud does is like four or five separate products combined into one. And that makes it easier to administer and to provide that user experience for your end users or your customers.”
Connect Zero Trust to Increased Work from Home Security
Work from home is new to a lot of employees, and home networks are often much more lax on security than corporate networks. Zero Trust gives you a path to a better remote security strategy.
At home, there’s much less delineation between work and casual web surfing, according to Eberhardt. “At home, employees are more likely to be logging into bank accounts or checking social media, which leaves them vulnerable,” he said.
Boewer agrees. “Home is probably the worst place now because it’s trusted, people just assume they’re secure at home. But what are your children doing? Did they download a public repo of Minecraft that is basically rooted and you got a hacker sitting on your network, the same network in which you’re now connecting and you’re going to put your work laptop on a VPN and funnel traffic? That’s a problem.”
Eberhardt uses the analogy of a house to explain how easy it is for hackers to infiltrate your private home network.
“Think of your house. How many access points does it take to get in? Just one. A door, a window, a garage, thieves just need one vulnerability to get in, right? Now, associate that with an IP address. All an attacker needs is one little sliver of access to get in, and to compromise you.”
Using the same analogy, Zero Trust can be thought of as a highly sensitive home security system that protects the weak points in your home.
“Zero Trust security locks everything down and gives you full visibility, even in remote environments,” Eberhardt said. It’s the first line of defense, and also offers additional failsafes if a cybercriminal breaches the initial barrier.
Continue to Deepen Your Zero Trust Knowledge
While this recap gives you some of the highlights of the webinar, it’s not comprehensive. To get the full story and hear more from our panelists, check out the full webinar here.
If you want even more info on Zero Trust, we have tons of resources available. To help your clients streamline their security initiatives, JumpCloud has a library of curated resources designed to simplify security concepts and offer practical guidance in real-life environments. Search the Resource Library for “zero trust” to continue building your security knowledge.