Even by the hyped standards of the cybersecurity industry, the rise and rise of zero trust (ZT) is a phenomenon that’s become hard to miss. Nobody in cybersecurity can ignore this level of interest, least of all managed service providers (MSPs), whose job is to match customer interests with their own.
Zero trust’s ascent might sound dramatic, but the term itself goes back over a decade. What seems to have changed for customers is the urgency in applying them and the motivation to do so.
What is Zero Trust?
Explaining zero trust in broad terms is deceptively easy. Networks using the traditional perimeter security model are based on the idea of high trust permission. All that the device, user or application must do is present a credential, such as a username and a password, to gain access to numerous resources within that network until it disconnects.
As NIST makes clear, zero trust turns trust on its head. Anything connecting to the same network is automatically suspicious. It must therefore use extra layers of authentication beyond passwords to verify itself, after which its privileges remain tightly controlled. Even then, it is never completely trusted because it is always assumed it could turn malicious at any moment.
Seeing Zero Trust as a Sales Ploy is a Tragedy
Unfortunately, the very thing that makes zero trust so compelling – it’s a set of principles rather than a product – is what makes it tricky for anyone selling expertise and services such as MSPs. Zero trust describes what to do but not precisely how this should be achieved. What counts as zero trust depends on the network, application and users in question, something which will vary by context and organization. Implementing it presents numerous challenges.
The danger is that something this abstract is misunderstood by the customer or seen as a sales ploy in a way that breeds skepticism. This would be a tragedy because, if correctly understood and carefully implemented, zero trust has a huge amount to offer organizations of every size, especially small-medium businesses (SMBs) that have decided to invest in services to solve their security puzzle.
How, Then, Should MSPs Communicate the Value of Zero Trust?
1) Understand Customer Drivers
Several factors explain the rise of zero trust, the biggest of which is simply a collapse in faith in traditional security technology, a lot of which (firewalls, anti-virus, password-based access control) date back to an earlier and less challenging era.
This feeling only solidified with the recent rise in remote work, which brought home the limitations of perimeter security. Organizations were forced to rely on endpoint security and VPNs, retrofitting authentication where possible. As budgets were stretched, blind spots multiplied – especially of cloud services that don’t transit the corporate datacentre – elevating the issue of visibility and trust to the front of mind.
Customers are also influenced by cyber insurance policies that now demand better assurance and external testing and want to minimize risk measured against industry cybersecurity frameworks such as NIST. With the surge in cyber-attacks pushing the cost of policies ever higher, customers are increasingly motivated by anything that might reduce premiums.
2) Zero Trust Is About Risk Reduction
Zero trust is sometimes presented as a way of stopping things from happening, for example blocking unauthorized clients. That misses the point. A hidden appeal of zero trust is that it offers the possibility of improving the management of network resources, users and data in ways that also lower cost and make technology adoption easier.
This is especially important in the SMB sector, where technology overload and expense is a real issue. In that sense, zero trust mirrors what is driving more organizations to use managed services in the first place: it makes life simpler and more financially predictable.
3) Zero Trust Offers Competitive Advantages
Increasingly, organizations understand that a coherent cybersecurity strategy formed through partnerships with service providers gives them a competitive market advantage over rival organizations that lag. This goes far beyond received ideas of compliance and regulation, which operate on longer timescales. In some cases, cybersecurity might even now be a matter of survival.
The Benefit to MSPs from Zero Trust is a Long-Term Relationship
Zero trust is already having a major influence on the types of products and services purchased by clients. Yet, the implementation stage will take years, which implies long-term sales potential and the possibility of developing a stronger relationship with the client over time.
This is especially true for the SMB sector for which managed services have a natural fit. Increasingly, MSPs must address how their services dovetail with zero trust cybersecurity. MSPs benefit from zero trust because it implies a long-term relationship with customers that goes beyond the traditional sales cycle in which MSPs are contacted after something has gone wrong.