The way network security has tended to work is you have a set of people you trust like employees, who you usually let in via username and password. This approach worked great when everyone was inside the firewall, but we know that for many companies that is no longer the case.
The migration to the cloud over the past decade has changed the way we think about computing and security. With mobile devices, there is no longer a hard perimeter. As businesses shift from data center to cloud, the way you defend and secure the company has to change too.
What’s more, there are often a number of people who need access to your network, this includes contractors, customers, partners, consultants and even MSPs. None of these folks are employees, but need some level of access all the same.
The pandemic has driven this last point home. Even organizations that where all their employees were in the office and they still ran their own data centers, have been forced to reassess and move to the cloud much more quickly, just to keep things up and running with their employees working in a distributed fashion.
These macro trends were in motion long before 2020, and some organizations and security companies have begun to adopt the notion of zero trust security in response to these changes.
What is zero trust?
According to Gartner:
“No person/device/application in the enterprise network should be trusted by default, no matter if it’s in the internal or external network. The fundamental basis of the trust should be based on the refactored access control using the right authentication and authorization.”
Zero trust isn’t associated with any particular vendor’s approach to security. Think of it more as a broad philosophical idea on which a company can begin to change its security stance.
The idea is not to trust anyone, even if you know them because attacks can come from anywhere. While everyone needs to have a username and password, we know those kinds of credentials are much too easy to steal. Before you allow a person or device access to your network, they have to give you an additional strong second factor like a Yubikey.
What’s more, you need to look at other data, such as where the person or device is signing in from, the device they are using and what they are trying to do. Is it all consistent with the way the person usually works?
Zero trust is can be a useful response to the modern way of interacting in computing environments and it’s worth exploring further to see if it’s the right approach for your clients.
MSPs should incorporate a zero trust approach into their security service offerings to ensure their customers data, whether they are in the cloud or on-premises, and their employees can securely access corporate information from wherever they are working.
Photo: metamorworks / Shutterstock