Three Questions, Three Answers About Zero-Trust Security

Not sure what it is or how to do it? Learn what experts have to say. By Rich Freeman
Reader ROI: 
ZERO-TRUST SECURITY is an essential strategy for protecting businesses in the age of cloud computing and work from anywhere.
AT ITS HEART, zero trust is a mindset in which no person, process, application, or endpoint is deemed implicitly trustworthy.
ENCRYPTION, MFA, and microsegmentation are all core elements of a good zero-trust architecture.
PENETRATION TESTS are useful for convincing customers to invest in zero-trust technologies.

TRUST has always been a dangerous commodity in IT. In the era of cloud computing and work from anywhere, in which attacks grow continually more sophisticated and defensible perimeters no longer exist, it’s a luxury that neither channel pros nor their customers can afford. Businesses today need a new approach to protecting information and assets that many experts call “zero-trust security.”

At a recent SMB Forum event, ChannelPro asked three experienced providers of cybersecurity services to explain exactly what that term means and how to put it into practice with end users. Here are their thoughts on three fundamental questions about a critical concept.

1. What is zero-trust security?

More than a specific technology, or even a set of them, zero-trust security is a mindset in which no person, process, application, or endpoint—inside or outside the network—is considered implicitly trustworthy, and every attempt to access any resource must prove that it comes from a legitimate source with appropriate privileges.

“I think about it in terms of authentication,” says Michael O’Hara, principal consultant at MEDSEC Privacy Consulting, a healthcare industry cybersecurity service provider. “What you’re really looking at is who’s trying to access the data, who or what has the ability and the rights to access the data, and how is that being monitored so that at any given time a person trying to access a workload, whether it’s in the cloud or on-prem, is authenticated and validated.”

That, in turn, is fundamentally an exercise in defining, setting, and enforcing sound policies, according to Bruce McCully, chief security officer at Nashville, Tenn.-based Galactic Networks, a managed security services provider. “What we’re doing with our partners and other MSPs to help them protect themselves is really help them get to a point where they’re managing these different policies and basically monitoring them for changes and abuse, rather than just throwing on more and more agents and hoping that the next anti-virus is going to protect them,” he says.

O’Hara stresses the particular importance of policies that give people everything they need to do their job—but nothing more—by assigning access rights on a “least privilege necessary” basis. The same logic should apply to applications, hardware, and everything else, he adds.

“When we think about traditional least privilege, it’s for users,” O’Hara notes. “We don’t really think about that when we’re talking about our workloads or our network equipment or our servers.”

About the Author

Rich Freeman is ChannelPro's Executive Editor
