
Partner Tips: 5 ZTNA Best Practices for Managed Service Providers

Implementation of Zero Trust principles reduces the cost of a data breach by about $1 million, according to research from IBM. Startlingly, the same research found that only 41% of organizations said they have deployed a zero trust security architecture, while 59% said they haven’t. MSPs can bridge the gap for clients who fall into the latter category through a combination of best practices and secure remote access and tunneling technology. 

In the last installment of our series, we discussed how MSPs can get client buy-in for Zero Trust Network Access (ZTNA). Now that your clients are on board, it’s important to follow a few best practices to keep them on the right track.

ZTNA overview 

To recap: ZTNA is a method that can mitigate the growing risk all organizations face through the concept “never trust, always verify.” This applies to devices and people. This architecture can prevent breaches and minimize human error — which might be why 47% of surveyed IT professionals are looking to apply ZTNA to their end-user experience, and soon. 

Zero trust isn’t a solution you simply buy out-of-the-box, or off-the-shelf from a vendor. It is a security architecture that focuses on continuous verification and precise, context-specific access control, so your customers get least-privilege access to distributed applications based on the context of each request. This becomes increasingly important in multi-cloud environments where you may have microservices-based applications living in multiple places.


Recommended Reading: Zero Trust With OpenVPN Protocol for Network Access = Our ZTNA-Capable Solutions

5 key strategies for MSPs when implementing ZTNA for clients

While larger enterprises were typically seen as early adopters of ZTNA, the benefits stand for all sizes of businesses across all industries, including small businesses. As you evaluate implementing a ZTNA framework for your clients, remember these five best practices to help guide your customers.

1. Help your clients market the zero trust mindset internally

ZTNA requires a shift in mindset – both for you as the MSP and for the client and their employees. 

That means helping clients create an internal marketing campaign to shift the mindset to adopt the "never trust, always verify" approach, which can be especially tricky in a small business where team members share devices or credentials. Zero trust means that every individual user and device must prove their identity and be authorized before accessing an organization’s applications, data, services, and other resources – even if it is from a company-issued device. 

You’ll need to help your clients reframe this in a positive way — after all, the ‘zero’ in zero trust doesn’t refer to not trusting their team as people, but rather to the authentication process. It’s about keeping bad actors at bay and mitigating the ever-present and ever-growing risk of cybercrime. Create collateral for clients to use internally to help their teams understand why, regardless of the user's location or network, authentication should be established on a per-request basis. For example, you can share the OpenVPN ZTNA whitepaper to help their employees understand the why behind the initiative.

2. Help clients adopt multi-factor authentication (MFA)

Part of requiring authentication every time means including Multi-Factor Authentication (MFA). As you already know, MFA adds an extra layer of protection by requiring users to provide multiple forms of identification before accessing resources. This means combining different factors like passwords, fingerprints, SMS codes, or mobile apps to verify identity. Implementing MFA is one of the simplest, and quickest ways to enforce a ZTNA architecture, as it will significantly reduce the risk of unauthorized access.

Your clients may be resistant to using MFA, as it can seem time consuming to set up and enforce. You’ll need to make sure your clients are aware that the goal of MFA is to prevent access to internal secure networks should bad actors capture login credentials somehow. You’ll also need to make sure that you help your clients choose and configure an MFA method or SSO solution that is compatible with your secure remote access tool, like OpenVPN. For example, you can use SAML with OpenVPN, among other options.

3. Implement micro-segmentation 

Getting your clients set up with ZTNA takes a little bit more than making sure they understand the mindset and have MFA in place. You’ll need to spend some time setting up micro-segmentation and split tunneling depending on your clients’ specific business needs and network usage. 

Micro-segmentation involves dividing your network into smaller, isolated segments to contain potential security breaches. This means creating virtual barriers within your client’s network, which also gives you the ability to define application-level security controls. With micro-segmentation set up, even if attackers manage to gain access to one segment of your network, they’ll have a tough time accessing the remaining parts of your infrastructure – thereby preventing lateral movement.

This will lower your risk of someone making a successful attack on your clients, period — they become a less attractive target if attackers know they’ll have to jump through hoops every step of the way. In short: micro-segmentation increases control of your security and limits the impact of potential breaches, safeguarding your network.

4. Utilize least privilege access

It’s important to minimize the level of access of each user in any given client’s network — and this applies not only to your team, but to your client’s team and to applications and IoT devices. They, and you, should only have the level of access necessary to complete approved tasks.

This idea is a fundamental principle of ZTNA, and it minimizes the risk of unauthorized actions. This process also reduces the potential damage caused by compromised accounts — so even if hackers manage to find a way to log in with your user’s password and get through the MFA process, they’ll still only have access to a minimal segment of your network. To maintain this, you’ll need to make sure to regularly review access privileges with your clients and promptly revoke unnecessary permissions as the need to do so arises. One way you can do this is to set up a quarterly check-in with your clients to ensure all access levels are up-to-date. 

5. Keep customer applications private

Protecting against unauthorized access is one of the main goals of ZTNA – and one way to keep your customers safe from unauthorized access is by keeping their applications hidden or inaccessible from the internet. But how do you do that?

Keep your own and customers' applications on a private network so that they cannot be discovered over the internet, and only use a ZTNA solution that can provide secure identity-aware access to these private applications by using encrypted tunnels over the internet. Note that even though some ZTNA solutions will use VPN technologies to create a tunnel to access the private network, it should not equate to network-level access where the connected device has access to all the applications on the private network. In keeping with the ZTNA principles, micro-segmentation, access control, and other technologies should be used to provide users with least-privilege access.
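The four practices above (MFA on every request, per-application rather than network-level access, least privilege with periodic review, and private applications reached only through an identity-aware broker) can be illustrated with a small policy evaluator. The following Python is an added example written for this article; it is not OpenVPN's code and does not model Access Server or CloudConnexa. The user directory, entitlements, and last-used dates are constructed sample data, and the decision logic is a simplified stand-in for a real policy engine.

```python
"""Added example (not OpenVPN's code): a minimal per-request ZTNA policy
evaluator plus a quarterly entitlement-review helper.

Key properties it demonstrates:
  * every request is evaluated; the source network never grants trust
  * MFA and a managed device are required on every request
  * entitlements are per application (micro-segmentation), never "the VPN"
  * unused entitlements are surfaced for revocation at review time
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str               # the application being requested, not a subnet
    mfa_verified: bool     # did this session complete a second factor?
    device_managed: bool   # is the client device enrolled/managed?
    source_network: str    # "office" or "internet"; deliberately ignored


# Constructed sample directory: which applications each identity may reach.
# Granting an entitlement to one app does not expose any other app.
ENTITLEMENTS: Dict[str, Set[str]] = {
    "alice": {"crm", "wiki"},
    "bob": {"wiki"},
    "msp-admin": {"crm", "wiki", "admin-console"},
}

# Constructed sample usage log: last date each (user, app) pair was used.
LAST_USED: Dict[Tuple[str, str], date] = {
    ("alice", "crm"): date(2024, 6, 1),
    ("alice", "wiki"): date(2024, 1, 10),
    ("bob", "wiki"): date(2024, 5, 20),
    ("msp-admin", "admin-console"): date(2023, 11, 2),
}


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Decide a single request. Returns (allowed, reason).

    Note that req.source_network is never consulted: being on the office
    LAN, or being connected through a tunnel, earns no implicit trust.
    """
    if req.user not in ENTITLEMENTS:
        return False, "unknown identity"
    if not req.mfa_verified:
        return False, "mfa required"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.app not in ENTITLEMENTS[req.user]:
        return False, "not entitled to application"
    return True, "allow"


def stale_entitlements(today: date, max_idle_days: int = 90) -> List[Tuple[str, str]]:
    """Quarterly-review helper: list entitlements that were never used or
    have sat idle for more than max_idle_days, as candidates for revocation."""
    stale: List[Tuple[str, str]] = []
    for user, apps in ENTITLEMENTS.items():
        for app in sorted(apps):
            last = LAST_USED.get((user, app))
            if last is None or (today - last).days > max_idle_days:
                stale.append((user, app))
    return stale


if __name__ == "__main__":
    # On-LAN request without MFA is denied; off-LAN request with MFA is allowed.
    print(evaluate(AccessRequest("alice", "crm", False, True, "office")))
    print(evaluate(AccessRequest("alice", "crm", True, True, "internet")))
    # bob holds a "wiki" entitlement only; the CRM stays invisible to him.
    print(evaluate(AccessRequest("bob", "crm", True, True, "internet")))
    for user, app in stale_entitlements(date(2024, 7, 1)):
        print(f"review: {user} -> {app} unused for 90+ days")
```

In practice the `ENTITLEMENTS` map would come from the identity provider or the access broker, and `LAST_USED` from its connection logs; the point of the example is that the allow decision is made per request and per application, and that the review step makes unused privileges visible so they can be revoked rather than accumulate.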

Your clients’ ZTNA initiatives start with you 

As an MSP, you know ZTNA is important and getting your clients set up for success with ZTNA in the long run starts with you – otherwise you wouldn’t be here. You also likely know that ZTNA is not one single tool, but that doesn’t mean it needs to be overly complex. When you’re managing several clients at once and implementing ZTNA essentials, simplicity is key. 

OpenVPN’s secure remote access solutions allow you to manage all of your customers from one portal without sacrificing security for each individual client.

Become an OpenVPN partner and you’ll have access to CloudConnexa® and Access Server with features that align with all five of the best practices listed above. Manage access, enforce MFA, encrypt and monitor your data — all from a cloud-based private network hosted by one of the most trusted names in network security.

Sign up to be an OpenVPN partner today and you’ll get 50% margins on your first three customers. If you’re already an OpenVPN partner, we’re glad you’re here! Check out our partner resources to get more out of your partnership. 
