Initially, customers may balk at the idea of putting up hurdles against their productivity. However, these hurdles don’t need to be extreme and can often provide more flexibility for the customers. One of the first steps involves matching authentication levels to the risk presented by an application. You should always turn on MFA for your personal banking applications and should do the same for sensitive business applications. You should understand what applications are in use, which present the most risk, and who should have access. This is where the complexity comes into place.
While zero-trust models were developed for enterprise networks and can get extremely complex—requiring multiple tools acting in concert—you don’t need to have all the tools in place to make a major difference in reducing risk at customer sites.
Here are some important rules to keep in mind:
- Network segmentation
It’s common for SMBs to have only one network for everything. However, this can open those businesses to considerable risks. If someone compromises that one network, they could damage productivity, spread malware across the network, steal proprietary information or data and resell it, or simply sit on the network gathering information for a larger attack. When you work with clients, try to segment their networks into multiple zones. At a minimum, try to set up a corporate network with higher security standards and a guest network for people visiting the office or for employees’ mobile devices. This way, if someone brings a device that’s not completely secure, they won’t risk exposing the main internal network to security threats. You can also add additional network segments and protect them with a next-generation firewall to prevent lateral movement within an organization.
- Identity and access management
To help keep systems safe, you should maintain strong practices around managing user access. Adhere as best you can to the principle of least privilege—keep all information and system access on a need-to-use, need-to-know basis. Additionally, you should have strong onboarding and offboarding practices. When employees leave, shut their accounts down immediately and collect all equipment. Periodically audit user access levels and accounts as well. If someone changes departments, for example, you don’t want them maintaining access to old systems. Minimizing privileges like this allows you to minimize damage in the event of an insider attack or if an external threat actor hijacks someone’s account.
- Verification
Multifactor authentication (MFA) is an absolute must. You should verify accounts from several sources to help ensure that access requests come from a truly trusted source. This includes access to even offsite, cloud applications. For some particularly critical users or risky assets, you may want to increase the number of hoops they have to jump through to gain access. For example, they may need to use MFA and an encrypted VPN when outside of the building to gain key access—and they may need additional monitoring on their accounts.
- Monitoring
Once a device or user has been given the green light, you still should remain a little suspicious. In other words, you should have good monitoring in place to make sure authenticated users don’t start performing destructive actions like copying large numbers of files to a device (indicating potential data theft) or deleting data in bulk. A good security information and event management (SIEM) tool can help you monitor for potential network threats. However, if this is out of your comfort zone, then (at a minimum) try setting up checks for common threats or suspicious behavior in your remote monitoring and management tool. Additionally, a good endpoint protection solution can help round out your capabilities without requiring a ton of in-depth security knowledge. An AI-driven solution can help monitor for suspicious behavior at the endpoint level and alert you when something comes up.
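As an added illustration of the kind of "check for suspicious behavior" described above (this is example code written for this article, not code from the original post or from any SolarWinds product), the Python script below scans file-audit log lines and raises an alert when an already-authenticated user copies or deletes an unusually large number of files within a short window. The tab-separated log format, the sample users and paths, and the thresholds (50 events in 300 seconds) are all constructed assumptions; adapt the parser and the numbers to whatever your file server, RMM or SIEM actually emits.

```python
"""Bulk-copy / bulk-delete detector over file-audit log lines.

Added example; not SolarWinds code.  Log format (constructed, tab-separated):
    <ISO-8601 timestamp>\t<user>\t<action>\t<path>
where action is one of READ, COPY, DELETE.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), user, action, path


def detect_bulk_activity(lines, actions=("COPY", "DELETE"),
                         threshold=50, window_seconds=300):
    """Return one alert per (user, action) whose event count within any
    sliding window of `window_seconds` reaches `threshold`.

    A deque per (user, action) holds only the timestamps still inside the
    window, so memory stays bounded even on long logs.  Lines are expected in
    chronological order, as a real audit log would be.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (user, action) -> timestamps in window
    alerted = set()               # avoid re-alerting the same burst
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, action, _path = parse_line(line)
        if action not in actions:
            continue                      # plain reads are normal work
        key = (user, action)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that aged out
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": user,
                "action": action,
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


def build_sample_log():
    """Constructed sample: alice does normal reads, bob copies 60 files in
    two minutes (the pattern we want to catch), dave deletes 50 files but
    spread over 2.5 hours, which the sliding window should NOT flag."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = []
    for i in range(10):
        t = (base + timedelta(seconds=i * 30)).isoformat()
        lines.append(f"{t}\talice\tREAD\t/shares/finance/report{i}.xlsx")
    for i in range(60):
        t = (base + timedelta(seconds=i * 2)).isoformat()
        lines.append(f"{t}\tbob\tCOPY\t/shares/engineering/design{i}.dwg")
    for i in range(50):
        t = (base + timedelta(seconds=i * 180)).isoformat()
        lines.append(f"{t}\tdave\tDELETE\t/shares/archive/old{i}.bak")
    lines.sort()   # ISO timestamps sort chronologically as strings
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_activity(build_sample_log()):
        print(f"ALERT {alert['user']} {alert['action']} x{alert['count']} "
              f"between {alert['first']} and {alert['last']}")
```

Run against the constructed log, only bob's copy burst is reported; dave's deletions never exceed two per five-minute window, which is the point of counting within a sliding window rather than per day. In production you would feed the function a tail of the real audit log and route the alert dictionaries to the ticketing or SIEM system the MSP already uses.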
Trust Must Be Earned
Businesses face threats from more angles than ever before. As businesses continue embracing hybrid IT, MSPs need to be more vigilant than ever in protecting their customers from attack at multiple angles. This means you’ll need to design your network and services to remain suspicious of requests before granting access.
When it comes to enacting zero-trust security, access management is paramount. A robust password management solution can play a major role in policing access. SolarWinds® Passportal helps you control access to services among your MSP team by allowing you to quickly grant and revoke access to services and accounts as needed, all while allowing technicians to create strong passwords and giving them one-click access to services. Additionally, SolarWinds Passportal Site™ allows you to sell password-management-as-a-service to your customers so they can also maintain strong security internally. Learn more by visiting the site today.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.