Zero Trust Is A Huge Security Opportunity. It Also Means ‘Heartburn’ For Some MSPs.

Zero trust is ‘something that we’re going to have to learn and adapt to—100 percent,’ one MSP tells CRN. ‘It’s coming.’

Depending on what type of solution provider you are and what type of cybersecurity expertise you bring, zero trust is a massive growth opportunity or a source of additional pressure, due to the steep learning curve.

For many in the channel, it’s probably both.

“It’s one of those things where it’s going to cause some heartburn for a lot of MSPs because a lot people don’t know how to manage it or understand it,” said Roddy Bergeron, CISO at Enterprise Data Concepts, an MSP with offices in New Orleans and Lafayette, La.

[Related: Zero Trust Security’s New Pitfall To Avoid: Over-Investing]

Zero trust is “something that we’re going to have to learn and adapt to—100 percent,” Bergeron said. “It’s coming.”

Zero trust is increasingly seen as the ideal architecture for stopping hackers in today’s threat environment. Following the principles of zero trust means implementing more ways to verify users really are who they claim to be, and adding measures to ensure malicious actors won’t get far even if they thwart initial defenses.

In recent years, particularly with the shift to distributed workplaces, zero trust has taken hold in a huge way as a unifying approach for cybersecurity. A survey by the Cloud Security Alliance last year found that just about every IT and security professional—94 percent—reported they were in the midst of implementing a zero trust strategy. And 77 percent planned to increase their spending over the next year.

In many ways, this industrywide push for zero trust is unprecedented.

“I think before in cyber, we’ve been really piecemeal in our implementation of security,” said Max Shier, CISO at Optiv, No. 25 on CRN’s 2022 Solution Provider 500. “I don’t know if we’ve really looked at it in its holistic nature, like we do now when it comes to zero trust.”

‘Comprehensive’ Security

No single product or platform can deliver zero trust today, but a variety of security tools have come to embody the idea. Those include identity authentication and authorization tools, especially those that ensure users can’t access more than they need to for their role, known as “least-privileged access.”

Another piece of the puzzle is deploying a modern remote access platform—known as ZTNA (zero trust network access)—which is considered a more secure replacement for VPN since it can consider other pieces of context before granting access, such as location and security health of the user’s device.

A third element that’s useful for zero trust, micro-segmentation, can prevent a breach from spreading across an organization’s environment.

In short, zero trust is “a number of different security disciplines and pillars of security rolled up into one,” Shier said.

“It really is a comprehensive security program and architecture. Whereas before, you may have said, ‘Well, I need my firewall. So let’s look at those and implementing firewall rules. I need my endpoint protection, so let’s look at that,’” he said. Security tools have “always been segmented and siloed off from each other. It never really has been looked at in a comprehensive manner like this, and as granular as this.”

While in many ways these attributes are why zero trust is such a powerful concept for security, they’re also among the biggest hurdles for many organizations, Shier said.

“I think that’s where a lot of people get overwhelmed,” he said. “When you start looking at how granular you need to get when it comes to a true zero trust architecture, it’s not an easy task.”

‘Unique’ Role For The Channel

All of this is why solution providers are so crucial when it comes to enabling zero trust for customers—they can look at things more comprehensively because they know all the different pieces.

“Every company is trying to leverage zero trust right now,” Shier said. “And I think companies like Optiv or other service providers are in a unique position right now [because] you could leverage us, the service provider, to do 90 percent of the work that you need.”

For instance, solution providers can look at different vendors that are the best for meeting the specific needs of each customer, he said.

“You may not need a Lamborghini—you may need a Toyota,” Shier said. “And if that’s what you need, and that’s what’s best for your use case, then that’s what you should be looking for.”