The elastic zero-trust environment for today’s MSP & enterprise
Lists of current issues experienced by IT service providers usually include the “problem” of complying with data protection governance. It’s often portrayed as a roadblock to progress that needs to somehow be overcome so the MSP or internal IT services provider can, in some way, get on with the “real business” of protecting the organization. It’s true that legislation concerning cybersecurity is usually late and often comes with bureaucratic overheads. But data-related legislation from state or national governments simply reflects the concern that all citizens and organizations have that their data is protected and properly treated. What are the reasons for those concerns? The fact that data breaches, accidental or malicious, are at best inconvenient and intrusive, at worst economically disastrous.
Compliance with data governance is, therefore, not inconvenient; it should be a given when organizations do things properly. And doing things properly in 2023 means protecting users, partners, clients, employees, and companies’ data to the utmost possible degree. By giving the very best protection possible, organizations remove themselves from the category of “low-hanging fruit,” which consists of those who choose not to do things properly.
As a cybersecurity professional or MSP decision-maker, you’ll be very aware of the extant and emerging rafts of legislation around the world. A case in point of the latter are the DORA regulations affecting financial services companies that trade in, or that have customers in, Europe. Every company has to be cognizant of DORA’s implications because if not today, then tomorrow, it will have some dealings affected by the legislation. Complying should be almost a default side-effect of good practice in data protection, regardless.
Defining good practice in protection
Creating a safer environment in which systems and people can work effectively needs to begin with the fact that any asset can be weaponized by bad actors. An asset in this sense may be an endpoint, a server, a cloud-based application, or a person. Therefore the balance needed is to allow any asset the privileges it needs to work and no more. There is, however, an adjunct to that: if any element needs greater ability (read: privileges) can easily request the ability and have the request responded to and acted on swiftly.
It’s here we find our definition of zero-trust. But unlike a definition of a fixed system in “traditional” cybersecurity (a VLAN, a LAN, a subnet), our zero-trust definition is malleable over time. Protecting each endpoint (person or device) requires context: in a server, the context might include the changing of roles over time – an ActiveDirectory controller may also start providing internal DNS, for example. In the case of people, hybrid working and the newly re-embraced ability to travel means remote use policies have to change from day to day.
Layers of complexity
In large organizations, there is always a high degree of fluidity in terms of IT topology, and modern architectures not only reflect that but are engineered for that exact ability: VMs and containers are not designed to be static. Similarly, in pure HR terms, the people in large organizations change roles, shift from department to department, collaborate in changing workgroups, and move from working at home on a personal laptop to the company’s desktop. Changes to machines and people are the reality, too, for even the smallest MSP. After all, a couple of dozen client companies make for a highly complex picture to manage and protect.
It’s in the complexity and malleability of systems that problems can occur. Errors happen more often when people are under stress, and employees with deadlines hanging over them and a working environment that won’t let them achieve what they need will be stressed. Likewise, a laptop used on the corporate LAN might, on the same day, be used on a dubious hotel wi-fi network.
Old-school endpoint protection, therefore, may be effective when the screws are wound down tight, but finding the ever-shifting balance between capability and data protection is impossible.
The solution is multi-part
Like any cybersecurity protection, zero-trust environments in today’s complex businesses comprise several parts. Ringfencing, for example, is application-based. What are applications tasked with doing, and what resources do they need to access? Should a video player be allowed access to the Registry, for example, and why would a CAD package need access to every site on the internet?
If we step through each application’s remit, we begin to discover the extent of the environment that needs oversight. Allowlisting, for example, lists what is allowed to run and where. More prosaically, do web-based SaaS apps need local storage capabilities? Some might benefit from a local archive of data, for example, while others should be prevented from writing to mounted shares or volumes.
Network access control is probably the closest that old-school systems administrators and cybersecurity veterans will recognize as perimeter policies or firewall rulesets. But the manual configuration of a server running dozens of VMs shouldn’t mean having to shell into each instance and change config files one by one. Today’s endpoint protection systems in zero-trust environments will encapsulate policy and use dynamic ACLs to allow policies to change when that’s needed.
The final part of the equation that makes zero-trust endpoint protection fit for purpose in the modern organization (enterprise or multi-client MSP) is the ability to request and control privilege escalation by any endpoint (server, client, personnel) quickly and safely. Issues like shadow IT and BYOD need never have troubled IT staff to the extent they did a few years ago if rapid-response, granular escalation control had been in place. Sensible, policy-based rules that allow what’s required (and no more) for just as long as required hit the sweet spot between protecting endpoints and enabling them.
As the links embedded in the paragraphs above may have informed you, the ThreatLocker endpoint protection platform ticks the necessary boxes for us: it’s been engineered to reflect today’s reality for users and machines in complex organizations. It’s used by many of the world’s biggest companies for good reason, but the zero-trust methodologies it brings can be easily rolled out across smaller companies and public sector organizations.
Whether your role involves discreet companies’ IT systems (like an MSP) or many departments and divisions, the ThreatLocker solution is the one that’s engineered to keep people and systems safe. By doing so, they remain compliant as a matter of course. ThreatLocker won’t help you submit your cybersecurity audit to the authorities, but it will provide both the metrics on tap and more-than-the-required standards of protection.
Reach out to discuss how your changing business can gain protection and compliance wherever it goes tomorrow.
22 September 2023
22 September 2023
21 September 2023