Page 92 - Cyber Defense eMagazine for June 2021
Debate over the term “zero trust” notwithstanding (critics of the term correctly argue that “zero” is
a misnomer, and today’s implementations might be more accurately described as “policy-based adaptive
risk” or similar), MSPs should look for opportunities to onboard customers into ZTA concepts and seek
to apply zero trust principles like defense in depth, microsegmentation, and just-in-time access to how
they manage customer environments.
To enable MSPs to employ these practices when managing client environments, a future RMM,
built on zero trust principles, might include features like:
· Zero trust network access to client environments, with a central policy engine authorizing each
connection to a client environment as a substitute for today’s unattended remote access
· Conditional access rules to protect key RMM functions like remote access and remote code
execution. Trying to connect to a client environment outside of an MSP’s normal business hours?
Prompt for multi-factor authentication before authorizing the connection. Trying to connect from
outside the U.S.? Block the connection request.
· An allow listing mechanism that only runs scripts that are cryptographically signed by the MSP
· Segmentation of other MSP assets from the RMM platform. Do we really want to integrate
credential managers with remote access tools?
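
The conditional access rules in the list above can be written as a small policy decision function that a central policy engine would call for each connection request. This is an added example, not code from the article or from any RMM product; the business hours, the fixed UTC offset, the allowed-country set and the `ConnectionRequest` fields are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Optional

# Assumed policy values; the article names only the two conditions.
MSP_TZ = timezone(timedelta(hours=-6))  # fixed offset for brevity; use zoneinfo for DST
BUSINESS_DAYS = range(0, 5)             # Monday..Friday
OPEN, CLOSE = time(8, 0), time(18, 0)
ALLOWED_COUNTRIES = {"US"}


@dataclass(frozen=True)
class ConnectionRequest:
    technician: str
    client_id: str
    source_country: Optional[str]  # ISO 3166-1 alpha-2 from GeoIP; None if lookup failed
    when_utc: datetime
    mfa_verified: bool = False


def in_business_hours(when_utc: datetime) -> bool:
    # Naive timestamps are rejected so a missing zone cannot shift the window.
    if when_utc.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    local = when_utc.astimezone(MSP_TZ)
    return local.weekday() in BUSINESS_DAYS and OPEN <= local.time() < CLOSE


def authorize(req: ConnectionRequest):
    """Return (decision, reason); decision is ALLOW, REQUIRE_MFA or DENY."""
    # Geography is a hard block and is checked first; an unknown location fails closed.
    if req.source_country not in ALLOWED_COUNTRIES:
        return "DENY", "source country not allowed or unknown"
    # Off-hours access is permitted only after step-up authentication.
    if not in_business_hours(req.when_utc) and not req.mfa_verified:
        return "REQUIRE_MFA", "outside MSP business hours"
    return "ALLOW", "policy satisfied"


if __name__ == "__main__":
    # Constructed sample requests (not real data).
    night = datetime(2021, 6, 16, 3, 0, tzinfo=timezone.utc)  # 21:00 Tuesday local
    day = datetime(2021, 6, 16, 15, 0, tzinfo=timezone.utc)   # 09:00 Wednesday local
    for r in (ConnectionRequest("tech1", "client-a", "US", day),
              ConnectionRequest("tech1", "client-a", "US", night),
              ConnectionRequest("tech1", "client-a", "DE", day, mfa_verified=True)):
        print(r.source_country, r.when_utc.isoformat(), authorize(r))
```
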
Zero trust is more than just a marketing buzzphrase; it is a security philosophy that reflects the
reality that users routinely access corporate data from outside the traditional corporate network, often
including third-party cloud services, and increasingly on personal devices. Future iterations of RMM
platforms must build these assumptions (and their attendant security considerations) into the platform.
2. The Right Amount of Remote Access
Perhaps the most-used feature of RMM platforms is unattended remote access (screen sharing,
file transfer, remote code execution). The ability to seamlessly hop on screen with a customer to
troubleshoot an IT issue is considered a fundamental capability for an MSP. Particularly among small
businesses, customers “just want things to work” and don’t want to be burdened with security processes
or protocol. Today’s security realities warrant pushing back on these assumptions, at least until more
secure iterations of RMM platforms are available. In the interim, the following practices for managing
remote access may be justified to protect an MSP’s client base, even if there are some trade-offs with
convenience.
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.