Zero Trust security is finding its way into small and medium-sized business (SMB) environments, and a vital step is implementing continuous scanning for vulnerabilities, a report released this week reveals.
Authors Edward Amoroso, chief executive officer (CEO) of TAG Cyber, Janet Schijns, CEO of JS Group, and Frank Raimondi, vice president of channel development at IGI CyberLabs, all agree that while SMB leaders will probably not have access to large budgets or expertise levels to protect their resources, they must nevertheless find ways to reduce their cyber risk.
Released at CompTIA ChannelCon 2022 in Chicago, the report suggests that managed service providers (MSPs) implement an on-going program that is feasible to initiate even if a firm’s security budget is minimal.
“The now-popular concept of Zero Trust is particularly well-suited to SMB environments,” it notes.
“Smaller companies naturally gravitate toward public cloud and Software as a Service (SaaS) infrastructure because they will not typically manage an enterprise perimeter-based network. Continuous scanning is an excellent step toward achieving the goal of Zero Trust to reduce cyber risk for your SMB customers.”
The good news, it says, is that SMBs are “well positioned to implement the architectural model because of a tendency to distribute their applications and workloads to cloud and SaaS environments.
“This type of arrangement lends well to Zero Trust because access permissions are not just assumed. Rather, they are explicitly granted – and the result is a typical set-up where most users and resources in an SMB do not share mutual trust behind a perimeter.”
The authors suggest that implementing a Zero Trust strategy is important for two reasons:
- “First, it should be obvious that trying to duplicate larger company perimeter networks is a bad idea. The trend for larger organizations is clearly toward deperimeterization, so smaller companies are on the right track moving toward distributed mesh architectures using public cloud and SaaS applications.”
- Second, and “perhaps more important is that with the ubiquity and flexibility of the typical modern SMB managed services comes increased potential for cyber threats.”
“A major misconception amongst SMB leaders is that because you and your customers manage modest infrastructure, they might not be a target for adversaries,” they wrote. “This is incorrect – and in fact, a capable malicious actor will often see SMB resources as excellent targets given their common low level of protection, especially if not working with a security-focused managed service provider.”
A key problem, the report states, is that with a cloud and SaaS set-up, vulnerabilities remain in most environments.
“Unlike with larger companies with security teams, unmanaged SMBs are particularly susceptible to this problem, because they will not have the staff, resources, or tooling to detect and remove any vulnerabilities. These can range from misconfigurations in cloud services to improperly provisioned access to SaaS applications,” it says. “The reason vulnerabilities are so vital to remove is that they provide the entry-point for all malicious actors. Stated simply, without vulnerabilities, there are no cyber-attacks.”
The traditional approach to the detection and eventual removal of vulnerabilities involves audits that are either done with a scanning tool or completed by human auditors who review systems, discuss threats with team members, and evaluate the result of tests, the report states.
“While such activities are important, they suffer from the once-and-done problem that exists with any audit. That is, once an audit is done, any subsequent problems will remain unknown until the next review.”
The authors recommend the installation of a continuous scanning tool that ties the concepts of vulnerability management and continuous security together in a manner consistent with Zero Trust protection, noting, “The idea is that scanning would be done on an on-going basis across the SMB enterprise resources to ensure that gaps are avoided and that no security or compliance weaknesses emerge after a review has been performed.”