kras99 - stock.adobe.com
IT services providers are assembling zero-trust offerings, aiming to guide clients through the arduous task of adopting a security framework that fits their needs.
The zero-trust security model, while not a new concept, remains a bit mysterious. Customers may harbor ill-conceived or unrealistic notions of what the security approach involves. This challenges service providers to meet clients at their current state of understanding, address misconceptions and create a path to zero trust. That's a path few organizations have tread, with Gartner noting fewer than 1% of large enterprises with mature and measurable programs.
The specifics of how security-oriented MSPs offer zero-trust services differ, but the broad outlines are similar. A core component of most offerings is some form of zero-trust assessment. The assessment paves the way for subsequent zero-trust phases in which organizations layer increasingly advanced security functions -- while keeping user productivity in mind.
Starting with a zero-trust assessment
Given the confusion that often surrounds zero trust, service providers typically lead with a service that clarifies the approach and where the customer stands in the adoption cycle.
"Every customer is at a different stage," said Arun Shrestha, CEO and co-founder of BeyondID, a managed identity services provider based in San Francisco. "We start the journey with a zero-trust assessment, understanding the current state of where they are."
Most customers start from a fragmented baseline state when it comes to zero-trust maturity, Shrestha said. Customers, for example, may have deployed a multitude of legacy security systems -- all of which exist in siloes. In such cases, BeyondID works with customers to develop a zero-trust strategy and roadmap.
Arun ShresthaCEO and co-founder, BeyondID
Leidos, a technology, engineering, and science solutions and services provider, also begins with an evaluation, which the company packages within its Zero Trust Readiness Level tool suite. Leidos, which works primarily with federal government agencies, uses the tool set to assess a customer's existing architecture, missions and application. It then recommends a roadmap for zero-trust adoption.
David Chou, director of cloud capabilities at the Reston, Va., company, said the assessment helps uncover the major security gaps that organizations must address immediately and proposes milestones for guiding a multiyear effort.
The approach offers suggestions, as opposed to dictating every step along the zero-trust path.
"They can see all the different options that they have along the way," Chou noted. "It's not, 'Hey, we're doing this.'"
At GreenPages, an MSP with headquarters in Portsmouth, N.H., the company assesses clients and helps them build a cybersecurity program baseline. Jay Martin, security practice lead at GreenPages, said customers can use NIST Special Publication 800-171, NIST Special Publication 800-53 or the NIST Cybersecurity Framework to create the baseline. He said companies with a more global reach should consider using ISO 27001/27002.
With a baseline, an understanding of security gaps and a prioritized roadmap, organizations can use NIST Special Publication 800-207 as guidance for implementing a zero-trust architecture, Martin noted. He also recommended mapping any zero-trust architecture against the eight control pillars described in the Cybersecurity and Infrastructure Security Agency's Zero Trust Maturity Model (ZTMM).
"We are doing this with our customers today and seeing tangible outcomes," Martin said.
Creating a foundation for zero-trust deployment
With a roadmap and strategy in place, service providers work with customers to build a solid base for deploying zero trust. BeyondID creates a zero-trust foundation that consists of best-in-class security platforms, Shrestha said. At this stage, organizations begin implementing the basic functions of one or more of the ZTMM's zero-trust pillars -- identity, devices and networks, among others. Those essential functions include automating attribute assignment, configuring lifecycles and enforcing policies, according to Shrestha.
The technology foundation should also account for hybrid environments, in which customers continue to use perimeter-based security as they adopt zero-trust components.
"All of our customers' zero-trust programs are hybrid in nature and apply multiple technologies," Martin said. Those include security service edge, managed detection and response services, mobile device management and multi-factor authentication, among others. He pointed out that NIST SP 800-207 specifically addresses hybrid deployments.
Martin urged customers to not skip over the core controls in the CISA's ZTMM, citing the importance of a strong cybersecurity governance, risk and compliance program.
Improving user experience
Building a foundation to boost security is critical, but a zero-trust initiative should also improve users' work environments.
"We want to make sure the experience is delightful and not disrupted," Shrestha said.
Organizations can engage with a wide set of business stakeholders to ensure user experience remains front and center. In the healthcare vertical, for example, the zero-trust team can work with the chief medical officer who represents the patient and clinician experience, Shrestha said. In other industries, a CIO/CISO could work with a CMO or CDO for a different perspective on user experience and customer retention strategies.
At Leidos, Chou supports the same philosophy: "The real crux around zero trust, for our customers, is not only to meet the mandates, but improve the connectivity and user experience."
Tailoring offerings for customers
Assessments can also help service providers package services to suit specific clients. West Computers, an MSP and ASCII Group member based in Laurel, Miss., provides a range of cybersecurity services, including zero trust. The best package would include all of its services, but West Computers works with many mom-and-pop shops that can't afford its entire scope of offerings, company president Jack West said.
"We have to evaluate each client on their needs, their risk tolerance and affordability," he noted.
West Computers offers three tiers of security services. The progression begins with the bare minimum, an extended detection and response (XDR) service. From there, the midtier offers a higher level of security that includes a zero-trust platform. The top tier includes XDR, zero trust and an advanced security information and event management service.
The tiered options "gives customers the mindset of "'I don't want the lowest, but maybe not the highest,'" West said. "It gives them a better value thought process."
With the tiering system, the company periodically tweaks its offerings to stay on top of security trends and service costs, West added. West Computers doesn't label its service tiers based on specific vendor products. That way, it can more easily replace a product with a better option if it starts falling behind its rivals.
MSP expands security offerings
For West Computers, zero trust has created an opportunity to provide a wider range of security offerings.
The framework opens clients' minds to a more secure stance, West explained.
"We can offer other services such as third-party penetration tests, Microsoft 365 backups, SIEM monitoring, vulnerability scans and other services," he said. "Where before, most clients thought just an antivirus solution was enough."
West Computers has also built zero trust into MSP account management. The company uses CyberQP for user verification and zero-trust help desk support. This technology provides greater security when setting up new accounts, because an MSP no longer has to send temporary passwords to customers over email, West said.
"Clients see that we are diligent in keeping them as secure as possible and become more open to services," he added.
Adding advanced capabilities
Other service providers also take a layered, or phased, approach to the zero-trust journey.
BeyondID builds on its foundational security stage with an advanced security layer. Here, the company takes a broader look at security, linking a customer's HR system to its identity management and VPN systems, for example. This approach helps customers provide appropriate access and authorization to users who have been newly onboarded or promoted into new roles. A third tier, unified dynamic risk-based security, offers additional integration while also balancing security with agility and user experience, Shrestha said.
In addition, BeyondID earlier this month launched a service that also aims to advance the state of customers' zero-trust deployments. The company's Okta Identity Engine upgrade offering helps companies automate access to integrated enterprise systems or workloads, using secure mobile devices, Shrestha said. Those devices authenticate users through phishing-resistant authenticators such as biometrics, he added.
The time required to level up a zero-trust initiative -- a task that includes technology deployment, training and updating security policies -- varies by customer. Martin said the schedule depends on several factors: budgets, competing projects, skill sets, organizational culture and the client's risk appetite for taking on zero trust.
But Martin said the average timespan he is seeing is 12 to 18 months, noting that organizations that have experienced a breach are more likely to accelerate adoption.
But even after customers reach the various zero-trust maturity milestones, their programs will continue to evolve.
"When you go to zero trust, every asset on the network is untrusted and policies around that tend to be dynamic," Chou said. "And because of that, you need to iterate through that and be able to adapt your policies as you're maturing your zero-trust roadmap."
Martin agreed that zero trust is a perpetual work in progress.
"It is critical to remember that zero trust and any security program are continuous and require flexibility to keep pace with the everchanging threat landscape," he said. "The zero-trust journey is never complete."