There’s a lot of hype surrounding zero-trust IT as a buzzword, but at the most fundamental level it’s all about ensuring security based on a known identity of an end user, application, or device. Forrester Research analyst John Kindervag is credited with popularizing the term in 2010, but as most managed service providers (MSPs) know, the concept itself can be traced back as far as 2004.
As defined by the National Institute of Standards and Technology (NIST), zero-trust IT describes an “evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” In other words, there is no implicit trust granted to assets or users based solely on their physical or network location or asset ownership.
Relying on passwords increases risk
Just as critical, zero-trust IT also by definition means organizations need to move away from relying on passwords to grant access. Passwords are still widely used, but if the last few years have taught organizations anything about cybersecurity, it’s how easily passwords can be compromised by phishing attacks.
The challenge organizations are facing after relying on passwords for decades is that it’s not so easy to leave them behind. A global survey of 500 DevOps and security professionals conducted by the market research firm Schlesinger Group on behalf of Teleport, a provider of a platform for securing access to IT infrastructure environments, finds that while 87 percent report their organization is actively moving toward some type of “passwordless” approach to managing access, a full 80 percent still use passwords.
More than half (57 percent) of respondents also said their organization implemented new security methods that failed to be adopted by employees. A full 62 percent of respondents specifically noted privacy concerns as their biggest challenge when adopting biometrics.
Zero-trust IT boosts resiliency
The issue organizations are encountering is that zero-trust isn’t something that can be acquired. Rather, it describes an approach to managing cybersecurity in a way that improves the overall resiliency of an organization. That doesn’t mean there will never be a cybersecurity breach, but it should ultimately reduce the number of cybersecurity incidents that an organization needs to respond to in addition to limiting the blast radius if there is a breach.
Naturally, that inability to buy a turnkey zero-trust IT environment creates a major opportunity for MSPs. Zero-trust IT requires a layered approach to managing cybersecurity that spans everything from the endpoint to the cloud. Most organizations will not have the internal resources required to implement and manage a zero-trust IT environment on their own. A decision to transition to a zero-trust IT environment will, by definition, necessitate consuming cybersecurity as a service.
Savvy MSPs will, of course, align their marketing and sales efforts around enabling zero-trust IT. Exactly what zero-trust IT may mean is still in the eye of the beholder, but it’s certain that just about every organization recognizes that their historic approach to cybersecurity is not as effective as required in the current era of IT. No two customers will begin that journey from precisely the same place, but over time they are now all moving in the same general direction.