The MSP’s guide to creating a zero trust atmosphere

Zero trust in the workplace is typically a bad thing, fostering a culture of distrust and snitching. However, for managed service providers (MSPs), it is a good thing, at least when it comes to cybersecurity.

Experts in the field say zero trust is best described as a mindset rather than a product. MSPs can help cultivate and nurture this mindset.

Behind every zero trust success is a smart MSP

“MSPs are a critical asset for their clients, but they don’t have to go at it alone. The most effective MSPs build a trusted network of partners to cover all aspects of security and compliance,” says Paige Hanson, co-founder and cybersafety expert at SecureLabs.

“We often work alongside the MSPs to handle the GRC side of the equation. So while the MSP is handling the technical side of the requirements, we are mapping controls, documenting policies, and prepping the company for audits,” Hanson states, noting that protection isn’t just about multi-factor authentication (MFA) and firewalls, “it’s also about proving your systems are secure.”

More than one vendor

Steve Tcherchian, CISO and chief product officer at XYPRO, agrees that zero trust is more than a single vendor can offer.

“It’s a methodology. You cannot simply go to a security vendor and say, ‘I want to purchase zero trust security.’ Zero trust access methods are built on the principle of never assuming trust and always ensuring verification,” Tcherchian says, adding that this methodology eradicates any pre-existing trust in users, credentials, networks, and permissions.

“Instead, it consistently validates and authenticates all attempts to access data, applications, servers, resources, and more, ensuring that the entities seeking access are indeed who they claim to be,” Tcherchian says, adding that even the U.S. Federal government has begun advocating for agencies to adopt this model, as seen in recent guidance from the Office of Management and Budget’s Cybersecurity and Infrastructure Security Agency.

“This year, both large and small organizations, federal agencies, and security providers are expected to strongly embrace zero trust strategies,” Tcherchian says.

Tcherchian’s process of authentication, central to zero trust, involves evaluating various parameters or attributes, including:

  • Identity
  • Credentials
  • Device
  • Firmware
  • System Integrity
  • Location
  • Policies
  • Permissions
  • User Behavior
  • Applications

“This ongoing validation and authentication are applied to each connection attempt, file access, data request, server entry, and issued command to confirm the authenticity of every user’s identity,” Tcherchian says.
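The per-request evaluation described above, sketched as an added example (not code from the article or from any vendor it names). The policy table, the `Request` fields and the sample values are all constructed for illustration, and only a subset of the listed attributes is modeled.

```python
from dataclasses import dataclass, replace

# Hypothetical policy for one client tenant; every name and value is constructed.
POLICY = {
    "payroll-app": {
        "groups": {"finance"},       # permissions
        "countries": {"US"},         # location
        "min_firmware": (1, 4),      # firmware
    },
}

@dataclass(frozen=True)
class Request:
    user: str                # identity
    groups: frozenset        # group membership used for permissions
    mfa_verified: bool       # credentials
    device_managed: bool     # device
    firmware: tuple          # firmware version as (major, minor)
    integrity_ok: bool       # system integrity, e.g. an attestation result
    country: str             # location
    resource: str            # application being requested

def evaluate(req, policy=POLICY):
    """Return (allowed, reasons). Deny by default; nothing is remembered
    between calls, so every attribute is re-checked on every request."""
    rule = policy.get(req.resource)
    if rule is None:
        return False, ["no policy for resource"]
    checks = [
        (req.mfa_verified, "MFA not verified"),
        (bool(req.groups & rule["groups"]), "user lacks permission"),
        (req.device_managed, "unmanaged device"),
        (req.firmware >= rule["min_firmware"], "firmware below minimum"),
        (req.integrity_ok, "system integrity check failed"),
        (req.country in rule["countries"], "location not allowed"),
    ]
    reasons = [msg for ok, msg in checks if not ok]
    return not reasons, reasons

# Constructed sample: the same user and credentials on two consecutive requests.
first = Request("alice", frozenset({"finance"}), True, True, (1, 5), True,
                "US", "payroll-app")
# Between requests the device fails its integrity check and changes location.
second = replace(first, integrity_ok=False, country="RO")

if __name__ == "__main__":
    for req in (first, second):
        print(req.user, req.resource, evaluate(req))
```

Because the second request is denied even though the identity and credentials are unchanged, the example shows why a one-time login check does not satisfy the model.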

The role of MSPs in creating a zero trust mindset

Vlad Cristescu, Head of Cybersecurity at ZeroBounce, says that implementing zero trust correctly can make or break an organization’s security stance.

“I’ve watched firsthand how big a role MSPs can play in delivering zero trust strategies to SMBs,” says Cristescu, who has seen the role MSPs play from his time as a vendor distributor.

“MSPs are often the first (and in some cases only) line of defense for smaller businesses. SMBs may not have the internal security talent to operationalize zero trust, so the MSP steps in as a kind of outsourced CISO and SOC all rolled into one,” Cristescu says, adding that the real opportunity for MSPs is to be positioned as trusted security partners, and not service providers.

“That means helping clients define policy, enforcing least privilege, identity management, and, most importantly, monitoring and responding in real-time,” Cristescu says, noting that that is where SOC integration becomes so important – whether that’s building out their capabilities or partnering with vendors that offer SOC-as-a-service.

“I’ve seen MSPs build really slick offerings using tools from vendors, who have all made solid moves in supporting multi-tenant environments and MSP-specific platforms. These partnerships can really accelerate time to value for the MSP and their clients,” Cristescu says.

A continuous process and a strategic advantage for MSPs

Cristescu says zero trust in today’s landscape is absolutely foundational.

“The old ‘castle and moat’ model just doesn’t hold up when employees are working from coffee shops, accessing apps hosted in five different clouds, and cyberattacks are getting smarter by the day,” Cristescu says, commenting that zero trust shifts the mindset from ‘trust but verify’ to ‘verify everything, all the time.’

For MSPs that want to deploy zero trust at the customer level, Cristescu offers this guidance:

  • Identity = foundation – start with access controls and MFA.
  • Don’t over-embellish – go for tactical wins. Secure core applications and functionalize high-value assets.
  • Don’t reinvent the wheel. Leverage existing vendor integrations – many vendors already possess policy engines, real-time threat protection, and context-based access.

“Make it a constant process – zero trust is not a product, it’s a process,” Cristescu says.

Zero trust isn’t a product you buy. It’s a mindset you build. For MSPs, that means becoming more than a service provider; it means being a trusted security partner. MSPs bring zero trust to life by guiding clients through policy enforcement, identity management, and real-time threat response, proving that in cybersecurity, trust begins with verifying everything.

Photo: 3rdtimeluckystudio / Shutterstock

This post originally appeared on Smarter MSP.