Zero trust has been a concept in information security for over a decade. The principle — never trust, always verify — was articulated by Forrester Research in 2010 and formalized by NIST in Special Publication 800-207 in 2020. What changed in the past two years is that zero trust moved from an aspirational framework to an operational requirement driven by federal mandates, cyber insurance underwriters, and a breach landscape that punishes implicit trust.
Executive Order 14028, signed in May 2021, required federal agencies to adopt zero trust architectures. The ripple effects reached the private sector through supply chain requirements, insurance policy conditions, and the NIST CSF 2.0 framework that embedded zero trust principles into its updated guidance. By mid-2025, any MSP that hasn't begun implementing zero trust principles across its client environments is selling a model that the market is moving away from.
What zero trust actually means for an MSP
Zero trust is not a product. It's an architectural approach built on three pillars:
- Verify explicitly. Authenticate and authorize every access request based on all available data points — identity, device health, location, resource sensitivity, anomaly detection.
- Use least-privilege access. Limit access to only what's needed for the specific task, with just-in-time and just-enough-access policies.
- Assume breach. Design controls assuming the attacker is already inside the network. Segment access, encrypt traffic, and monitor continuously.
For MSPs, implementing these principles means rethinking how they deliver several core services:
Identity and access management
Zero trust starts with identity. Every user, device, and service account needs strong authentication tied to conditional access policies. This means deploying MFA universally (not just for remote access), implementing single sign-on with conditional access that evaluates device compliance and risk signals, and eliminating shared credentials across technician teams.
Network microsegmentation
The traditional flat network — where any authenticated device can reach any resource — is incompatible with zero trust. MSPs need to implement segmentation that limits lateral movement, whether through VLANs, software-defined networking, or identity-aware firewalls that enforce policy per-session rather than per-network-zone.
Endpoint verification
In a zero trust model, the device requesting access matters as much as the user. MSPs need to verify device health — patch status, encryption status, endpoint protection presence, compliance with security baselines — before granting access to sensitive resources. Non-compliant devices get limited access or none at all.
Zero trust isn't something you buy. It's something you build — and an MSP's willingness to architect it tells you whether they're selling security or selling the appearance of security.
The cyber insurance driver
Cyber insurance underwriters have become one of the most effective forcing functions for zero trust adoption. Renewal questionnaires in 2024-2025 increasingly ask about:
- MFA deployment coverage (percentage of users and systems)
- Network segmentation between IT and OT environments
- Privileged access management (PAM) for administrative accounts
- Endpoint detection and response (EDR) deployment coverage
- Email filtering and anti-phishing controls
Organizations that can't demonstrate these controls — all of which align with zero trust principles — face premium increases of 50-300% or outright coverage denial. For SMBs relying on their MSP to implement these controls, the MSP's capability directly affects insurability.
Common implementation mistakes
MSPs that adopt zero trust in name only — deploying MFA and calling it done — miss the architectural intent. Common gaps include:
- MFA without conditional access — authenticating users but not evaluating device health or risk signals at the time of access
- Segmentation without monitoring — creating network segments but not monitoring traffic between them for anomalies
- PAM without just-in-time — managing privileged accounts but leaving standing administrative access active 24/7
- Encrypting data at rest but not in transit — protecting stored data while allowing plaintext communication between internal services
Questions for your MSP
Zero trust readiness assessment
- What percentage of our users have MFA enabled, and what type of MFA?
- How is network access controlled for devices that fail compliance checks?
- Do your technicians use standing administrative access or just-in-time elevation?
- How is east-west (lateral) traffic monitored within our network?
- Can you provide a network segmentation diagram showing trust boundaries?