Zero trust network access (ZTNA) has been around since 2010 and rose in popularity in 2021 when the National Security Agency (NSA) and the Biden Administration released their guidelines and recommendations. But just because ZTNA has been around for a while and has data to back why it should be used doesn’t necessarily mean MSPs have automatic client buy-in when it comes to restricting access.
According to a 2023 survey, the top challenge for 21% of IT technicians is dealing with advanced and sophisticated security threats. Several of those threats, including DoS attacks, can be mitigated with secure network access and a zero trust model – but the idea of zero trust can make people bristle. Often, the idea of zero trust breeds the fear of locking employees – or even clients themselves – out of their own secure systems and reducing productivity through restriction of information. This fear may present a roadblock to MSPs who see the value in ZTNA.
In this post, we’ll cover a few tips and tricks to help your clients embrace ZTNA little by little, while making your job as their MSP easier.
Zero trust crash course for clients of MSPs, VARs, and resellers
Education is the foundation for client buy-in when it comes to enforcing any type of major security change. Let’s delve into the foundations of ZTNA, which we encourage you to share with your clients.
According to Gartner, zero trust network access (ZTNA) “creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. This removes application assets from public visibility and significantly reduces the surface area for attack."
In short, the ZTNA practice is to “never trust, always verify.”
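To make the Gartner definition concrete for a client conversation, here is an added illustration (not code from the original post, and not OpenVPN's implementation) of what a trust broker actually decides: each request is checked against the identity, its context (MFA, device posture) and a per-application policy, access is denied by default, an application the identity is not entitled to looks identical to one that does not exist, and being "on the network" is never consulted, so reaching the network grants nothing. The application names, groups and policy fields are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # identity attributes asserted by the IdP
    mfa_verified: bool         # context: did this session complete MFA?
    device_managed: bool       # context: is the device under management?
    on_corporate_network: bool # deliberately ignored: network location is not trust
    app: str                   # the single application being requested

# Constructed per-application policy: named entities plus required context.
APP_POLICIES = {
    "payroll": {"groups": {"finance"}, "mfa": True, "managed_device": True},
    "wiki": {"groups": {"staff", "finance"}, "mfa": False, "managed_device": False},
    "admin-console": {"groups": {"it-admins"}, "mfa": True, "managed_device": True},
}

HIDDEN = "application not available"  # same answer for unknown and unentitled apps

def broker_decision(req, policies=APP_POLICIES):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    policy = policies.get(req.app)
    if policy is None:
        return False, HIDDEN
    if not (req.groups & policy["groups"]):
        # Not a named entity for this app: do not confirm that the app exists.
        return False, HIDDEN
    if policy["mfa"] and not req.mfa_verified:
        return False, "mfa required"
    if policy["managed_device"] and not req.device_managed:
        return False, "managed device required"
    # Note: req.on_corporate_network was never read; network reachability
    # is not an input to the decision, which is what prevents lateral movement.
    return True, "allowed"

def discoverable_apps(groups, policies=APP_POLICIES):
    """The catalogue an identity may even see: only apps it is entitled to."""
    return sorted(name for name, p in policies.items() if groups & p["groups"])

if __name__ == "__main__":
    alice = Request("alice", frozenset({"finance"}), True, True, False, "payroll")
    bob = Request("bob", frozenset({"staff"}), True, True, True, "payroll")
    print(broker_decision(alice))                 # (True, 'allowed')
    print(broker_decision(bob))                   # (False, 'application not available')
    print(discoverable_apps(frozenset({"staff"}))) # ['wiki']
```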
Of course, when you explain this to your clients – especially those who have a small business where more open trust is imperative for employees who have multiple job functions – it can seem a relatively new idea. As we mentioned earlier, it might make clients wary that only you will have full access to their systems and data (not true) or that their employees will feel frustrated with more limited access (also not necessarily true). However, ZTNA is a foundational part of protecting the clients’ business from cyber attacks, whether they originate from inside or outside of the traditional perimeter. In fact, research from IBM found that zero trust reduces the cost of a data breach by about $1 million.
NSA guidance on zero trust
Zero trust solutions cannot simply be bought out-of-the-box, or off-the-shelf from a vendor. As an MSP, you know that a solid security posture is created through a combination of services and tech stack. That’s why the NSA called ZTNA a “continually maturing roadmap.”
At a high level, these are the guidelines from the NSA:
- Adopt a zero trust mindset: be aware, be wary, and be prepared for a disaster that may have happened yesterday.
- Embrace zero trust guiding principles: never trust, always verify, assume you’ve already been breached, and verify, verify, verify.
- Leverage zero trust design concepts: define a solution that identifies critical data/assets/applications/services (DAAS), protect the most critical DAAS, define access control, and gain full visibility in logs and monitoring.
The executive order from the Biden Administration is directed at government entities to increase their cybersecurity, but the private sector should take note. In addition to guidance on implementing zero trust, it also includes the following:
- Incident reporting by IT contractors.
- Security requirements for software contractors.
- Encryption, MFA, and EDR (endpoint detection and response) by agencies.
- Cyber incident review board.
- FedRAMP cloud security modernization.
- IoT security labeling program.
- CISA incident response “playbooks.”
- Government-wide log retention/analysis policy.
That’s quite the list. It helps paint the picture of the breadth of the security landscape.
Common challenges that may impact trust buy-in to a ZTNA model
We mentioned this earlier, but it bears repeating: zero trust is not a one-solution fix. It takes cooperation and coordination between you and your clients. It also takes understanding the challenges your clients are facing in their current IT environment. These challenges may include:
- Shadow IT: Especially if you are an MSP who is newer to the client, they may have a few outdated, and potentially dangerous, workarounds. These workarounds may not always be easy for employees to spot as being dangerous. For example, employees might be using a personal Dropbox or Google Drive account to share large files. They may create their own Slack channels or use a personal Slack account for work chats, or they might use Zoom instead of your company’s preferred video chat software. These all seem innocent enough, but without network security and zero trust, it’s easier for a bad actor to find an entry point.
- Confusion or mistrust of zero trust: The term “zero trust”, while gaining traction, is still a new idea for clients and their employees. “Trust no one” might have worked as a tagline on The X-Files, but spreading that message across an organization doesn’t foster a positive culture. That doesn’t mean you should avoid implementing a zero trust architecture because of a potential negative reception – far from it.
- Adoption and proficiency: Your clients are busy – often adopting a new initiative like ZTNA is at the bottom of their to-do list. When your clients are used to being in fire-fighting mode, it can be even more difficult for them to find time to become proficient in any specific initiative. There’s also a general lack of clarity for many clients around how to implement ZTNA, what is needed of them, and what priority a project like ZTNA should be assigned.
Reframe and reshape the message around ZTNA
The way you shape the initiative and market it to your clients and their employees directly affects their buy-in. Try adjusting the message and frame this security initiative positively: you’re on a journey to “build digital trust.” Remind them that zero trust as a practice does not mean you want to lock them out of systems or limit their access to what they need to do their jobs. Rather, it means they will need to verify their identity to gain full access to the things they need, which helps prevent phishing attacks and breaches. They’ll also need to know that the journey to zero trust is not a straight line, and the transition will require their trust in you as well.
Make a connection
Trust is built on personal connection. Don’t implement zero trust as a top-down approach coming from one or a few in the organization. Your client’s CIO or CISO may not have a personal relationship with the entire workforce, and the employees may be unfamiliar with your role as the solution provider or reseller.
Lean on personal relationships to help build digital trust and deliver the message through more meaningful conversations. Try to communicate this initiative to your clients and their employees face-to-face, in personal emails, or through casual conversations on the phone. Additionally, when possible, offer one-on-one training sessions to help your clients and their employees become proficient – or at least willing to adopt the zero trust initiative.
Be transparent & truthful
What is the current status of your client’s cybersecurity strategies? Have they experienced any breaches? Do they have plans in place? Are their employees routinely using shadow IT? Share as much as you can about where you are currently and where you plan to be in the future. Transparency also requires telling the truth, which may include sharing details about a past breach or that the current state of their cybersecurity isn’t strong – yet. Additionally, you’ll need to make sure to communicate why ZTNA requires least-privilege access.
But taking this one step further, you’ll need to be transparent about what is needed from your clients to implement ZTNA measures. This transparency about the implementation process can clear up some of the confusion and help your clients buy into the idea of the new processes. This will also provide clarity on the priority level of ZTNA as a whole for their business.
Take blame but give credit
When things go well, great MSPs highlight the success of their team and clients; when things go poorly, they take on the blame for losses when reasonable. This can apply to building digital trust as well, by sharing a different message than what we often hear in cybersecurity. How often do you see articles about how employees are the greatest risk? While this is statistically true (think phishing emails leading to ransomware problems), the blame doesn’t fall solely on employees. Instead, give credit to those who actively foster good digital trust and don’t engage in shadow IT practices, and accept blame as a company when you fall short. And of course, acknowledge that it is great clients who make this security initiative possible at all by routinely using the tools you give them, including secure remote access solutions.
Take the next step to ZTNA for your clients
Once your client has decided to move forward with ZTNA essentials, you can take the next step to set up the partnerships you will need for success.
OpenVPN has solutions that help enforce zero trust access, all manageable in a single pane of glass for MSPs. We understand that perimeter security is obsolete, managing lateral movement is a must, unifying access authorization matters, and you want to protect your users, not just your business data. Our products provide the essential set of ZTNA capabilities, and gaining access to the network does not mean that one can access all the applications on the network – or even discover which applications are present on the network.
Become an OpenVPN partner, and get 50% margins for your first three customers.