Information technology enables businesses to grow rapidly and accomplish their goals. As a result, IT professionals should balance enablement and productivity with security.
This balance led to the development of perimeter-based security and defenses. If something was located on a corporate network, it was assumed to be trusted (for the most part). For decades, this was an acceptable level of risk for businesses. It made sense that if someone was in the building and using a corporate-owned device, they were likely a safe actor.
However, as business goals changed, security needed to change with them. The rise of personal mobile devices, growing investment in cloud services (and the sheer number of them proliferating), and the increasing number of ways attackers can compromise a business have exposed the weaknesses of perimeter-based security. In short, the goalposts for security and technical enablement have moved.
In place of this old castle-and-moat style of security came the zero-trust model. Zero-trust models assume that devices and users cannot be trusted until proven trustworthy. Essentially, the model treats all users and devices as though they were coming from the internet (and therefore may not be entirely safe). To top it off, you’ll have to shift your thinking from the perimeter to the application level. Today, we’ll talk about how to apply this model as an MSP.
The Components of Zero-Trust
Initially, customers may balk at the idea of putting up hurdles against their productivity. However, these hurdles don’t need to be extreme and can often provide more flexibility for the customers. One of the first steps involves matching authentication levels to the risk presented by an application. You should always turn on MFA for your personal banking applications and should do the same for sensitive business applications. You should understand what applications are in use, which present the most risk, and who should have access. This is where the complexity comes into play.
While zero-trust models were developed for enterprise networks and can get extremely complex—requiring multiple tools acting in concert—you don’t need to have all the tools in place to make a major difference in reducing risk at customer sites.
Here are some important rules to keep in mind:
- Network segmentation
It’s common for SMBs to have only one network for everything. However, this can expose those businesses to considerable risk. If someone compromises that one network, they could damage productivity, spread malware across the network, steal proprietary information or data and resell it, or simply sit on the network gathering information for a larger attack. When you work with clients, try to segment their networks into multiple zones. At a minimum, try to set up a corporate network with higher security standards and a guest network for people visiting the office or for employees’ mobile devices. This way, if someone brings a device that’s not completely secure, they won’t risk exposing the main internal network to security threats. You can also add further network segments and protect them with a next-generation firewall to limit lateral movement within the organization.
- Identity and access management
To help keep systems safe, you should maintain strong practices around managing user access. Adhere as best you can to the principle of least privilege—keep all information and system access on a need-to-use, need-to-know basis. Additionally, you should have strong onboarding and offboarding practices. When employees leave, shut their accounts down immediately and collect all equipment. Periodically audit user access levels and accounts as well. If someone changes departments, for example, you don’t want them maintaining access to old systems. Minimizing privileges like this allows you to minimize damage in the event of an insider attack or if an external threat actor hijacks someone’s account.
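The periodic access audit described above can be scripted. The following is an added example, not code from the original post or from SolarWinds: it assumes a constructed role-to-entitlement matrix and a constructed export of account state, and flags access a user's current role does not justify (the department-change case), departed staff whose accounts are still enabled, and accounts without MFA enforced.

```python
"""Periodic access review supporting least privilege.

Added example, not from the original post. The role matrix and the account
export below are constructed stand-ins for what an MSP would pull from a
customer's directory or identity provider.
"""
from dataclasses import dataclass

# Constructed role matrix: the entitlements each role actually needs.
ROLE_ENTITLEMENTS = {
    "finance": {"erp", "email", "file-share"},
    "sales": {"crm", "email", "file-share"},
    "it": {"rmm", "email", "file-share", "admin-console"},
}

@dataclass
class Account:
    user: str
    role: str           # current department/role
    entitlements: set   # what the account can reach today
    active: bool        # still employed
    enabled: bool       # can still log in
    mfa: bool           # MFA enforced on the account

def review_access(accounts, role_matrix=ROLE_ENTITLEMENTS):
    """Return (user, finding, detail) tuples; an empty list means a clean review."""
    findings = []
    for acct in accounts:
        if not acct.active and acct.enabled:
            findings.append((acct.user, "departed-but-enabled", ""))
            continue  # nothing else matters until the account is disabled
        excess = sorted(acct.entitlements - role_matrix.get(acct.role, set()))
        if excess:
            findings.append((acct.user, "excess-entitlement", ",".join(excess)))
        if not acct.mfa:
            findings.append((acct.user, "mfa-not-enforced", ""))
    return findings

# Constructed sample export: bob moved from finance to sales but kept ERP access.
SAMPLE_ACCOUNTS = [
    Account("alice", "it", {"rmm", "email", "file-share", "admin-console"}, True, True, True),
    Account("bob", "sales", {"crm", "email", "file-share", "erp"}, True, True, True),
    Account("carol", "finance", {"erp", "email"}, False, True, True),
    Account("dave", "sales", {"crm", "email"}, True, True, False),
]

if __name__ == "__main__":
    for user, finding, detail in review_access(SAMPLE_ACCOUNTS):
        print(f"{user:6} {finding:22} {detail}")
```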
Multifactor authentication (MFA) is an absolute must. You should verify accounts from several sources to help ensure that access requests come from a truly trusted source. This includes access to offsite and cloud applications. For some particularly critical users or risky assets, you may want to increase the number of hoops they have to jump through to gain access. For example, they may need to use MFA and an encrypted VPN when outside of the building to gain key access—and they may need additional monitoring on their accounts.
Once a device or user has been given the green light, you should still remain a little suspicious. In other words, you should have good monitoring in place to make sure authenticated users don’t start performing destructive actions like copying large numbers of files to a device (indicating potential data theft) or deleting data in bulk. A good security information and event management (SIEM) tool can help you monitor for potential network threats. However, if this is out of your comfort zone, then (at a minimum) try setting up checks for common threats or suspicious behavior in your remote monitoring and management tool. Additionally, a good endpoint protection solution can help round out your capabilities without requiring a ton of in-depth security knowledge. An AI-driven solution can help monitor for suspicious behavior at the endpoint level and alert you when something comes up.
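A minimal version of the "bulk copy or delete by an authenticated user" check mentioned above, as an added example that is not code from the original post or from any SolarWinds product: the audit-log format (ISO timestamp, user, action, path) and the sample lines are constructed, and the thresholds are illustrative values an MSP would tune per customer.

```python
"""Threshold check for bulk file copies or deletions by an authenticated user.

Added example, not from the original post. The log format is constructed
(ISO timestamp, user, action, path) to stand in for an RMM or file-server
audit log. More than THRESHOLD watched actions by one user inside a sliding
WINDOW_SECONDS raises one alert per action type.
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60
THRESHOLD = 5
WATCHED_ACTIONS = {"COPY_OUT", "DELETE"}

def parse_line(line):
    """Parse 'timestamp user ACTION path' into (datetime, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def detect_bulk_activity(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return (user, action, count, timestamp) the first time a user's count of one
    action type inside the sliding window exceeds the threshold. Assumes each
    user's lines arrive in time order, as an audit log would deliver them."""
    recent = defaultdict(deque)   # (user, action) -> timestamps inside the window
    alerted, alerts = set(), []
    for line in lines:
        ts, user, action, _path = parse_line(line)
        if action not in WATCHED_ACTIONS:
            continue
        key = (user, action)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop events outside the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((user, action, len(q), ts))
    return alerts

# Constructed audit lines: bob copies seven files out within 30 s (suspicious);
# alice deletes one temp file per hour (routine); carol only reads.
SAMPLE_LOG = (
    [f"2024-03-01T09:00:{s:02d} bob COPY_OUT E:/export/report{s}.xlsx" for s in range(0, 35, 5)]
    + [f"2024-03-01T{h:02d}:15:00 alice DELETE /share/tmp/old{h}.log" for h in range(9, 15)]
    + ["2024-03-01T09:05:00 carol READ /share/docs/policy.pdf"]
)

if __name__ == "__main__":
    for user, action, count, ts in detect_bulk_activity(SAMPLE_LOG):
        print(f"ALERT {ts} {user} {action} x{count} in {WINDOW_SECONDS}s")
```

The alert fires on the sixth copy within the window rather than waiting for the burst to end, which is the behaviour you want when feeding an RMM alerting rule.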
Trust Must Be Earned
Businesses face threats from more angles than ever before. As businesses continue embracing hybrid IT, MSPs need to be more vigilant than ever in protecting their customers from attacks on multiple fronts. This means you’ll need to design your network and services to remain suspicious of requests before granting access.
When it comes to enacting zero-trust security, access management is paramount. A robust password management solution can play a major role in policing access. SolarWinds® Passportal helps you control access to services among your MSP team by allowing you to quickly grant and revoke access to services and accounts as needed, all while allowing technicians to create strong passwords and giving them one-click access to services. Additionally, SolarWinds Passportal Site™ allows you to sell password-management-as-a-service to your customers so they can also maintain strong security internally. Learn more by visiting the site today.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.