5 Questions About Zero Trust for MSPs and MSSPs
The Zero Trust approach has become increasingly popular in cybersecurity, especially for MSPs and MSSPs seeking to strengthen their clients’ security posture. As remote work becomes widespread, securing only the network perimeter is no longer enough. Today’s complex security landscape requires a broader, more adaptive approach to safeguarding assets wherever they are. The core of Zero Trust is the mantra “never trust, always verify,” highlighting continuous verification, limiting privilege, and operating under the assumption that a breach may occur at any moment. For MSPs and MSSPs, incorporating zero trust not only fortifies client security but also differentiates their services, showing clients that they are at the forefront of cybersecurity best practices.
In a recent webinar, William Birchett, Founder of the vCISO Network and President of Logos Systems, and David Primor, CEO of Cynomi, explored why zero trust is essential for offering cybersecurity services and how MSPs and MSSPs can implement it to enhance client security. In this blog, we expand on their insights and provide additional context and practical details to help you put their advice into action.
Below are 5 questions about Zero Trust that were covered.
1. What advantages does Zero Trust offer over legacy security approaches?
In a traditional security model, systems operated like a castle with a moat and walls. The perimeter (moat) and firewall (walls) created a single line of defense, and once inside, everything was trusted. Security followed the principle of “trust but verify,” assuming that anything within the network was safe.
However, modern cyberattacks have exposed vulnerabilities in this approach. Threat actors who breach the perimeter can often move freely and undetected within the network, meaning even internal devices and systems may be compromised.
The Zero Trust approach revolutionizes this by eliminating inherent trust at all levels of access. Instead of assuming safety within the network, Zero Trust implements continuous verification for every user, device, and action. Think of it as a castle where each room has its own security checkpoint. Even after entering the castle, you must provide credentials and a valid purpose to access each room, with every room potentially requiring a different “passport” or credential.
This “never trust, always verify” approach ensures strict security controls at every access point, protecting the network from both external and internal threats. With Zero Trust, nothing is trusted by default—verification is constant and comprehensive. This granular, inside-out approach to security makes it far more effective at addressing modern threats like ransomware, phishing, and insider attacks, making it a superior choice for today’s complex cybersecurity landscape.
2. When Did the Zero Trust Philosophy First Emerge?
Zero Trust originated 10 to 15 years ago, pioneered by John Kindervag, a former analyst at Forrester. Kindervag introduced the term and concept of the Zero Trust model in his 2010 report, No More Chewy Centers: Introducing The Zero Trust Model Of Information Security, by examining how implicit trust within networks was frequently exploited in cyberattacks. Through extensive research and consultations with CISOs and industry leaders, he established the principles that have since become a cornerstone of modern cybersecurity.
As Will shares, in the past few years, zero trust has gained significant traction. As technology has advanced, the ability to verify identities has significantly improved. Previously, identity checks on firewall traffic were limited, perhaps only possible through VPN connections. But with today’s technology, identity verification and traffic security are now integrated, allowing components like routers, firewalls, and IDS/IPS systems to work seamlessly together.
This evolution has introduced new security frameworks, such as Security Service Edge (SSE) and Software-Defined Perimeters (SDP), enabling the application of Zero Trust policies across systems. As a result, security measures have progressed well beyond traditional models, allowing for more sophisticated and adaptable protection.
3. How Does Zero Trust Work in Cybersecurity?
Zero Trust is not a single product; it’s a philosophy—a shift from traditional security models to a modern approach that redefines how the attack surface is protected. Rather than protecting just the perimeter, zero trust focuses on creating “protect surfaces” around every asset, whether it’s a web server, database, SaaS application, or API. Each asset is safeguarded individually, with security designed from the inside out rather than the outside in. By establishing these “protect surfaces”, Zero Trust minimizes exposure and limits potential attack vectors.
This inside-out strategy offers greater control and resilience. Even if an attacker breaches one area, they face stringent controls at every next step, reducing the likelihood of widespread compromise and improving overall security posture.
For MSPs and MSSPs, implementing Zero Trust not only strengthens client security but also sets their services apart, demonstrating a commitment to leading-edge cybersecurity practices.
Implementing zero trust as part of their cybersecurity services involves focusing on several core elements:
- Identity Verification – Rather than assuming that users within a network are trustworthy, zero trust requires ongoing identity verification. Techniques such as multi-factor authentication (MFA) and continuous behavior monitoring are essential.
- Network Segmentation – In a zero-trust model, the network is divided into smaller segments, with access controlled and limited to specific users and tasks. This prevents unauthorized lateral movement within the network, containing potential threats.
- Least Privilege Access – Access should be restricted to only what a user or device needs to fulfill its role. This reduces the risk of unauthorized access and helps prevent malicious insiders or compromised accounts from causing widespread damage.
- Continuous Monitoring and Logging – Zero trust relies on real-time monitoring of network activity. Anomalies can signal potential threats, allowing for immediate response. This proactive approach is essential for MSPs and MSSPs guiding their clients through modern cybersecurity challenges.
4. Is Zero Trust Meant Only for Access or Does it Apply to Everything?
Zero Trust is a comprehensive cybersecurity mindset that applies across all areas of cybersecurity – not just access. Over the past two decades, attacks have exploited various forms of implicit trust. Zero Trust is built on the principle of constant verification—trust is granted only when all security checks are thoroughly in place. For instance, an email that includes the recipient’s name might seem trustworthy and prompt a quick click, yet that trust is vulnerable to exploitation through phishing attacks, which rose by 58% in 2023. A recent example in February 2024 illustrates this risk: Pepco Group, a leading European retailer, suffered a €15.5 million loss in a sophisticated phishing attack where fraudsters mimicked legitimate employee emails to deceive finance staff into transferring funds.
Zero trust eliminates the negative consequences of not being prepared by requiring continuous verification. It’s a philosophy that involves everyone in the organization—from the CISO or security provider strengthening the organization’s defenses to employees who must learn to question the trustworthiness of emails and other communications. As William Birchett shares, even if someone claims to be from IT or an MSP, employees should verify their identity through other channels before trusting requests like credential resets.
The goal is to reduce risky trust relationships across the board, enhancing security at every level of interaction. By adopting a Zero Trust approach, you uphold the highest service standards, ensuring robust security for your clients.
5. How Can MSPs and MSSPs Adjust Current Tools to Align with a Zero Trust Approach?
Network traffic is a good example of how MSPs and MSSPs can adjust current firewall tools to align with a zero trust approach. Traditionally, firewall rules were set up based on source and destination addresses and specific ports. Now, with a zero trust approach, service providers can adjust these rules to add checks on the user’s identity and the application being used.
Instead of just setting rules for IP addresses and ports, zero trust firewalls now include user validation. For instance, a firewall rule might only allow remote desktop access on a domain-joined machine if the user belongs to a specific group. This approach doesn’t stop at port-based rules; it also checks user and application permissions, adding validation at higher layers and ensuring that access is tightly controlled.
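The rule described above, as an added example (not code from the webinar or from any firewall product): a small default-deny policy evaluator in which the same remote desktop flow passes a legacy address-and-port rule but is denied by a rule that also checks user group, device and application. The addresses, the group name RDP-Admins and all rule and field names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    groups: frozenset = frozenset()   # directory groups of the authenticated user
    domain_joined: bool = False       # device posture reported to the firewall
    app: str = ""                     # application identified in the traffic

@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str
    dst_net: str
    port: int
    group: str = ""                   # "" = identity not checked (legacy rule)
    domain_joined: bool = False       # True = require a domain-joined device
    app: str = ""                     # "" = application not checked

def check(rule, f):
    """Return None if the rule permits the flow, else the first failed condition."""
    conditions = [
        ("source", ip_address(f.src) in ip_network(rule.src_net)),
        ("destination", ip_address(f.dst) in ip_network(rule.dst_net)),
        ("port", f.port == rule.port),
        ("user-group", not rule.group or rule.group in f.groups),
        ("device", not rule.domain_joined or f.domain_joined),
        ("application", not rule.app or f.app == rule.app),
    ]
    return next((name for name, ok in conditions if not ok), None)

def evaluate(rules, f):
    """Default deny; the returned reason is what would go to the log."""
    failures = []
    for r in rules:
        failed = check(r, f)
        if failed is None:
            return ("allow", r.name)
        failures.append(f"{r.name}:{failed}")
    return ("deny", ",".join(failures) or "no-rule")

# Constructed sample policy and flows; addresses, names and groups are illustrative.
LEGACY = [Rule("rdp-legacy", "10.0.0.0/8", "10.20.0.0/24", 3389)]
ZERO_TRUST = [Rule("rdp-admins", "10.0.0.0/8", "10.20.0.0/24", 3389,
                   group="RDP-Admins", domain_joined=True, app="rdp")]
sales_user = Flow("10.5.1.9", "10.20.0.15", 3389, frozenset({"Sales"}), True, "rdp")
admin_user = Flow("10.5.1.7", "10.20.0.15", 3389, frozenset({"RDP-Admins"}), True, "rdp")
```

Calling evaluate(LEGACY, sales_user) allows the flow on address and port alone, while evaluate(ZERO_TRUST, sales_user) denies it and names the failed condition, which is the record a monitoring pipeline would alert on.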
As William shares, you can start small with zero trust—it doesn’t require a complete redesign. Begin by applying it to just one application to see the impact. An example of this could be when working with AI responses, adding an additional step to verify their accuracy. By implementing these additional verification layers, MSPs and MSSPs can use existing tools to enforce zero trust principles effectively.
As the zero-trust approach gains popularity, MSPs and MSSPs have a clear path to better secure their clients and offer advanced and reliable cybersecurity services. By guiding clients through incremental steps, such as starting with a single application or implementing identity checks on critical assets, service providers can help clients adopt zero trust with ease and confidence.