Security

Demystifying Zero Trust: Understanding the Zero Trust Security Model

In the previous blog post we looked at why it’s important for MSPs to get to grips with Zero Trust and Zero Trust Network Access, as well as how to explain the benefits to customers. In this post we’re going to take a deeper dive into some of the philosophy and principles behind Zero Trust.

The Zero Trust Philosophy

You may already be aware of this, but it’s important to stress as a starting point that Zero Trust is a mindset and not a product, and centers on the philosophy of “Never Trust, Always Verify.” Having said that, a key impact of this philosophy will be the replacement of some old solutions (particularly solutions like VPNs) and the integration of new products to support the implementation of a Zero Trust strategy across the length and breadth of a company’s IT infrastructure: from users and devices to networks, applications, and data.

Within Zero Trust, the VPN server comes under strong scrutiny because it embodies the “castle and moat” security model, in which a protective perimeter is drawn around your network assets, but users are overpermissioned once inside. This means that users, data, and attackers can move freely inside the trusted core.

In contrast, the Zero Trust Security Model eliminates any implicit trust, adhering to the principle of “never trust, always verify”. So, for example, an employee accessing a file server could be subject to multi-factor authentication (MFA), and have their access continuously re-evaluated so that permissions adjust dynamically, with access denied when their security posture changes, such as an attempt to reach the file server out of hours.

“Zero Trust may be a relatively new concept in the security market,” says Marc Barry, Co-Founder and Chief Product Officer at Enclave, “but there are a growing number of tools and products coming onto the market that are built to support this model. So much so, it can sometimes be tricky for MSPs to sift through this expanding toolset to see what’s relevant to them. With this in mind, we created a vendor directory to help them get a bit more perspective on things. This can be accessed at https://zerotrustnetworkaccess.info/.”

Understanding the principles of Zero Trust

“Drilling down past the general philosophy, we can understand Zero Trust as a composition of security principles, many of which pre-date the popularisation of the Zero Trust principle, but a principle is just that—a principle,” Marc explains. “In order to implement principles we need technology, but it can be surprisingly difficult to know which technologies correctly implement which principles, and at this intersection frameworks and marketing terms aim to offer guidance, clarity, and direction.”

  • Continuous verification: Device and user security posture is not static, and neither is the threat environment your business operates in. Both need to be constantly re-evaluated across all devices and users, with access revoked where necessary, to ensure all resources remain trusted, secure, and compliant.
  • Verify explicitly: Users should always be authenticated and authorized based on all available data points, such as identity, location, device health, and other contextual factors. The objective here is to remove any implicit trust, even if a user is inside the enterprise network.
  • Least privilege access: User access should be restricted to “just-in-time” and “just-enough” access, so as to limit users to just what is needed for as long as it is necessary. This limits the potential for unauthorized access or damage if credentials are compromised.
  • Micro-segmentation: Here the security perimeter is broken into discrete smaller zones that are isolated from each other. This helps to restrict lateral movement by containing over-permissioned access and reducing the attack surface.
  • Prevent lateral movement: Although similar to the above, one feeds the other. This is about ensuring strategies and controls are in place to stop attackers from moving around inside the network once they have gained access.
  • Assume breach: Similar to the “when-not-if” philosophy, you should always assume breaches have occurred, or will occur, and should continually evaluate the systems and processes in place to contain a breach as quickly and effectively as possible.
  • Automate security actions: Automated responses are far quicker than manual interventions, so by automating as much as possible you’re improving reaction times and consistency when responding to threats and policy violations.
  • End-to-end encryption: To protect data integrity and confidentiality at all stages, data should be encrypted not only in transit, but also at rest.
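To make the first three principles concrete, here is an added example (not code from the original post, nor from Enclave or N‑able) of a minimal policy decision point in Python. It walks through the file-server scenario described earlier: every request is verified explicitly against identity, MFA, device posture and time of day; an already-granted session is re-evaluated whenever its context changes and revoked the moment it no longer satisfies policy; and a resource with no policy is denied by default. All names, resources, thresholds and sample data are constructed for illustration and are not part of any real product.

```python
# Added example (not code from the original post or from Enclave/N-able):
# a minimal Zero Trust policy decision point. Every request is verified
# explicitly against identity, MFA, device posture and time of day, and an
# open session is re-evaluated whenever its context changes. All names,
# resources and thresholds below are constructed for illustration.
from dataclasses import dataclass, replace
from datetime import datetime


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in endpoint management
    disk_encrypted: bool
    patch_age_days: int    # days since the last patch cycle completed


@dataclass(frozen=True)
class AccessContext:
    user: str
    roles: frozenset
    mfa_verified: bool
    device: Device
    request_time: datetime
    resource: str


# Per-resource policy: permitted roles, business hours (24h clock, start
# inclusive, end exclusive) and the oldest patch level a device may have.
# Anything not listed here is denied by default.
POLICIES = {
    "fileserver": {"roles": frozenset({"staff", "finance"}), "hours": (8, 18), "max_patch_age_days": 14},
    "payroll-app": {"roles": frozenset({"finance"}), "hours": (8, 18), "max_patch_age_days": 7},
}


def evaluate(ctx):
    """Verify explicitly: return (allowed, reasons) using every signal in ctx.
    Reasons are collected rather than short-circuited so the decision log
    explains exactly which checks failed."""
    policy = POLICIES.get(ctx.resource)
    if policy is None:
        return False, ["no_policy_default_deny"]
    reasons = []
    if not ctx.mfa_verified:
        reasons.append("mfa_not_verified")
    if not (ctx.roles & policy["roles"]):
        reasons.append("role_not_permitted")          # least privilege
    if not ctx.device.managed:
        reasons.append("device_unmanaged")
    if not ctx.device.disk_encrypted:
        reasons.append("disk_not_encrypted")
    if ctx.device.patch_age_days > policy["max_patch_age_days"]:
        reasons.append("device_out_of_date")
    start, end = policy["hours"]
    if not start <= ctx.request_time.hour < end:
        reasons.append("outside_business_hours")
    return not reasons, reasons


class Session:
    """An access grant that is never final: continuous verification re-runs
    the policy on each context change and revokes access if it now fails."""

    def __init__(self, ctx):
        self.ctx = ctx
        self.active, self.reasons = evaluate(ctx)
        self.history = [(ctx.request_time, self.active, list(self.reasons))]

    def reevaluate(self, at, **changes):
        self.ctx = replace(self.ctx, request_time=at, **changes)
        self.active, self.reasons = evaluate(self.ctx)
        self.history.append((at, self.active, list(self.reasons)))
        return self.active


def demo():
    """Walk through the file-server scenario from the post (constructed data)."""
    laptop = Device("LT-0042", managed=True, disk_encrypted=True, patch_age_days=3)
    request = AccessContext("alice", frozenset({"staff"}), True, laptop,
                            datetime(2024, 5, 6, 10, 15), "fileserver")
    session = Session(request)
    results = {"initial": (session.active, list(session.reasons))}
    # 1. Same user and device, still connected at 23:10: out of hours revokes access.
    session.reevaluate(datetime(2024, 5, 6, 23, 10))
    results["night"] = (session.active, list(session.reasons))
    # 2. Back in hours next morning, but endpoint management now reports the
    #    laptop is 30 days behind on patches: the posture change revokes access again.
    session.reevaluate(datetime(2024, 5, 7, 9, 0),
                       device=replace(laptop, patch_age_days=30))
    results["stale_device"] = (session.active, list(session.reasons))
    # 3. Least privilege: a staff-only identity asking for the payroll application.
    results["payroll"] = evaluate(replace(request, resource="payroll-app"))
    # 4. Default deny: a resource with no policy at all.
    results["unknown"] = evaluate(replace(request, resource="wiki"))
    return results


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name:12s} {'ALLOW' if allowed else 'DENY':5s} {reasons}")
```

Two design choices matter here. The evaluator collects every failed check instead of stopping at the first one, so the session history doubles as an audit trail that tells an analyst why access was withdrawn. And the session object holds no permanent grant: it simply caches the last policy answer, which is the practical meaning of “continuous verification” as opposed to a VPN that authenticates once and then trusts the tunnel.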

Delivering on Zero Trust Principles

“There are a number of different frameworks that can help us understand how to apply technology consistently across a business to deliver and apply the principles of Zero Trust,” adds Marc. “However, some of these are either heavily prescriptive and designed to focus on delivering guidance to Federal or Government agencies, or a very theoretical and don’t talk about implementation.”

Some of the most widely recognised frameworks today are:

When it comes to applying Zero Trust, one of the key hurdles MSPs need to overcome is that they must ‘right-size’ their provision—if they don’t do this they run the risk of diminishing returns and excessive overspend on security products that don’t add value. “We’ve found that our partners and customers often find the CISA model strikes the right balance here because it recognises the need to approach Zero Trust as a journey,” says Marc. “This matters to MSPs because they can use it as a yard-stick to right-size and tailor each Zero Trust solution they deliver to each customer against recognised, US government sponsored guidance. This guidance lets them measure their customers’ existing level of maturity and plot a sensible path forwards, which doesn’t put them at risk of over-cooking the implementation for the customer. Essentially it gives them a yellow brick road to follow.”

Image Source: “Zero Trust Maturity Model V2”, Cybersecurity & Infrastructure Security Agency (CISA), April 2023, Page 8.

The real value of the CISA model is the emphasis its authors place on the strategic approach of making incremental, but tangible advancements mapped out and aligned to recognised, industry-wide security best practices.

CISA’s model maps out the maturity journey across five key pillars: identity, devices, networks, applications, and data.

Each pillar can advance independently at its own pace, allowing for ongoing optimization. For instance, you might begin by ensuring all user identities are verified against strong authentication standards, then move to secure devices with up-to-date defences.

This approach ensures that improvements in security are both manageable for the customer and impactful to the business, giving you an evidence-based maturity roadmap to use to build a healthy and collaborative partner-customer relationship.

“As an MSP, one of the first things to grasp is that every journey to Zero Trust maturity will be different, and not all customers and businesses will be able to move at the same speed,” says Marc. “While the CISA model defines a maturity journey, and the pillars help an organization think about where they should be looking, it’s really hard to say ‘this is the way forward for everyone’. It’s a sliding scale. I think one of the biggest challenges that we’ve seen with the emergence and adoption of Zero Trust, is that there isn’t really a ‘one size fits all’ formula.”

Zero Trust is a composition of lots of different security ideas, some of which have been with us for a long time, but which are now all stitched together under the umbrella philosophy of “never trust, always verify”.

Marc believes this makes setting out a definitive recipe for Zero Trust extremely difficult. “Should it include endpoint detection and response? Absolutely. Should it include managed detection and response? Well, potentially, but whether it should do for you and your customer is not cut and dried,” he explains. “Of course principles like least privilege and micro segmentation are essential components of the Zero Trust philosophy, but I don’t think it’s fair to say you’re not doing an effective job if you haven’t automated all security actions, got risk analytics or visibility of behaviour and usage patterns for anomaly detection. It’s got to be a sliding scale.”

For your customer, Zero Trust is an opportunity to build cyber-resilience into their business; for you, it’s also an opportunity: an opportunity to deepen existing customer relationships and make new ones, to build trust and credibility, and to expand revenue streams by delivering real security value.

“The days of enabling the built-in VPN server on the firewall and leaving it to languish are over, but at the same time it’s very hard to draw up a Zero Trust strategy that fits all of an MSP’s customers without some tailoring.”

“MSPs need to be taking into account customer context, existing technologies, current working practices, threat models, budgets, board-level risk-awareness etc.; but that’s also the opportunity for a Zero Trust service offering,” Marc concludes. “Forward-thinking MSPs are already looking at the CISA model and realising everything they need to get started is in there. They’re inviting customers to measure their capabilities and using the CISA guidance to show them why, when and how they’re going to mature.”

In the next blog we’ll take the Zero Trust conversation a step further by focusing on the concept of Zero Trust Network Access (ZTNA), what it actually means, and how it replaces VPN.

Enclave has developed and maintains integrations with N‑sight and N‑central, via close collaboration with N‑able’s Technology Alliance Program. You can find out more about TAP by visiting www.n-able.com/partnerships/technology-alliance-program

To see all the industry-leading integrations provided by our TAP Partners visit www.n-able.com/integrations

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.