Zero trust network access (ZTNA) has been around since 2010 and rose in popularity in 2021 when the National Security Agency (NSA) and the Biden Administration released their guidelines and recommendations. But just because ZTNA has been around for a while and has data to back why it should be used doesn’t necessarily mean MSPs have automatic client buy-in when it comes to restricting access.
According to a 2023 survey, the top challenge for 21% of IT technicians is dealing with advanced and sophisticated security threats. Several of those threats, including DoS attacks, can be mitigated with secure network access and a zero trust model – but the idea of zero trust can make people bristle. Often, the idea of zero trust breeds the fear of locking employees – or even clients themselves – out of their own secure systems and reducing productivity through restriction of information. This fear may present a roadblock to MSPs who see the value in ZTNA.
In this post, we’ll cover a few tips and tricks to help your clients embrace ZTNA little by little, while making your job as their MSP easier.
Education is the foundation for client buy-in when it comes to enforcing any type of major security change. Let’s delve into the foundations of ZTNA, which we encourage you to share with your clients.
According to Gartner, zero trust network access (ZTNA) “creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. This removes application assets from public visibility and significantly reduces the surface area for attack.”
In short, the ZTNA practice is to “never trust, always verify.”
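To make the definition concrete for a client conversation, here is a small sketch of the broker decision it describes. It is an added illustration, not code from OpenVPN, Gartner or any product; the policy table, user names and application names are constructed, and the two boolean fields stand in for real identity verification and device posture checks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str               # identity claimed by the client
    authenticated: bool     # identity verified (assumed result of e.g. MFA)
    device_compliant: bool  # context: assumed result of a device posture check
    app: str                # application the client asks for

# Constructed policy: each application lists its named entities.
POLICY = {
    "payroll": {"alice"},
    "helpdesk": {"alice", "bob"},
}

def authorize(req: Request) -> tuple[bool, str]:
    """Default deny: every request is checked for identity, context and policy."""
    if not req.authenticated:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device fails posture policy"
    if req.user not in POLICY.get(req.app, set()):
        # Same answer for an unknown app and an app the user may not use,
        # so a denied request does not reveal which applications exist.
        return False, "no such application"
    return True, "ok"

def discover(user: str, authenticated: bool, device_compliant: bool) -> list[str]:
    """Applications visible to an entity: only the ones it is allowed to reach."""
    if not (authenticated and device_compliant):
        return []
    return sorted(app for app, users in POLICY.items() if user in users)

if __name__ == "__main__":
    for r in (
        Request("alice", True, True, "payroll"),   # named entity, allowed
        Request("bob", True, True, "payroll"),     # verified, but not named
        Request("alice", True, False, "payroll"),  # right user, bad device
    ):
        print(r.user, r.app, authorize(r))
    print("bob sees:", discover("bob", True, True))
```

Employees keep access to everything the policy names them for; what changes is that being on the network no longer grants or reveals anything by itself.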
Of course, when you explain this to your clients – especially those who have a small business where more open trust is imperative for employees who have multiple job functions – it can seem a relatively new idea. As we mentioned earlier, it might make clients wary that only you will have full access to their systems and data (not true) or that their employees will feel frustrated with more limited access (also not necessarily true). However, ZTNA is a foundational part of protecting the clients’ business from cyber attacks, whether they originate from inside or outside of the traditional perimeter. In fact, research from IBM found that zero trust reduces the cost of a data breach by about $1 million.
Zero trust solutions cannot simply be bought out-of-the-box, or off-the-shelf from a vendor. As an MSP, you know that a solid security posture is created through a combination of services and tech stack. That’s why the NSA called ZTNA a “continually maturing roadmap.”
At a high level, these are the guidelines from the NSA:
The executive order from the Biden Administration is directed at government entities to increase their cybersecurity, but the private sector should take note. In addition to guidance on implementing zero trust, it also includes the following:
That’s quite the list. It helps paint the picture of the breadth of the security landscape.
We mentioned this earlier, but it bears repeating: zero trust is not a one-solution fix. It takes cooperation and coordination between you and your clients. It also takes understanding the challenges your clients are facing in their current IT environment. These challenges may include:
The way you shape the initiative and market it to your clients and their employees will have a direct correlation with their buy-in. Try adjusting the message and frame this security initiative positively: you’re on a journey to “build digital trust.” Remind them that zero trust as a practice does not mean you want to lock them out of systems or limit their access to what they need to do their jobs. Rather, it just means they will need to verify their identity to gain full access to the things they need so they can prevent phishing attacks and breaches. They’ll also need to know that the journey to zero trust is not a straight line, and the transition will require their trust in you as well.
Trust is built on personal connection. Don’t implement zero trust as a top-down approach coming from one or a few in the organization. Your client’s CIO or CISO may not have a personal relationship with the entire workforce, and the employees may be unfamiliar with your role as the solution provider or reseller.
Lean on personal relationships to help build digital trust and deliver the message through more meaningful conversations. Try to communicate this initiative to your clients and their employees face-to-face, in personal emails, or through casual conversations on the phone. Additionally, when possible, offer one-on-one training sessions to help your clients and their employees become proficient in – or at least willing to adopt – the zero trust initiative.
What is the current status of your client’s cybersecurity strategies? Have they experienced any breaches? Do they have plans in place? Are their employees routinely using shadow IT? Share as much as you can about where you are currently and where you plan to be in the future. Transparency also requires telling the truth, which may include sharing details about a past breach or that the current state of their cybersecurity isn’t strong – yet. Additionally, you’ll need to communicate why ZTNA calls for least privilege access.
But taking this one step further, you’ll need to be transparent about what is needed from your clients to implement ZTNA measures. This transparency about the implementation process can clear up some of the confusion and help your clients buy into the idea of the new processes. This will also provide clarity on the priority level of ZTNA as a whole for their business.
When things go well, great MSPs highlight the success of their team and clients; when things go poorly, they take on the blame for losses when reasonable. This can apply to building digital trust as well by sharing a different message than what we often hear in cybersecurity. How often do you see articles about how employees are the greatest risk? While this, statistically, proves to be true (think phishing emails leading to ransomware problems), the blame doesn’t fall solely on employees. Instead, give credit to those who actively foster good digital trust and don’t engage in shadow IT practices, and accept blame as a company when you fall short. And of course, acknowledge that it is great clients who make this security initiative possible at all by routinely using the tools you give them, including secure remote access solutions.
Once your client has decided to move forward with ZTNA essentials, you can take the next step to set up the partnerships you will need for success.
OpenVPN has solutions that help enforce zero trust access, all manageable in a single pane of glass for MSPs. We understand that perimeter security is obsolete, managing lateral movement is a must, unifying access authorization matters, and you want to protect your users, not just your business data. Our products provide the essential set of ZTNA capabilities, and gaining access to the network does not mean that one can access all the applications on the network – or even discover which applications are present on the network.