According to the 2026 Kaseya State of the MSP Report, 71% of MSPs reported year-over-year cybersecurity revenue growth, and zero trust architecture is increasingly the framework clients ask about when evaluating how their MSP approaches security.
“Never trust, always verify.” That is the core principle of zero trust, a security model that has moved from academic framework to the foundation of modern enterprise security architecture over the past decade.
The traditional security model assumed that everything inside the network perimeter was trustworthy. Users, devices, and applications inside the firewall were treated as safe by default. That assumption was reasonable when employees worked from offices on company-owned devices connected to a corporate network. It makes no sense in an environment where work happens from anywhere, on any device, accessing cloud services that sit entirely outside the perimeter. Kaseya’s security platform protects more than 50,000 MSPs and IT teams navigating exactly this shift, which gives us a clear operational picture of where the perimeter model breaks down and what actually replaces it.
What zero trust is
Zero trust is a security framework, not a product, that requires continuous verification of every access request regardless of where it originates. It assumes the network has already been compromised and designs access controls accordingly: limiting lateral movement by constraining what any authenticated user or device can reach, and continuously validating that authenticated sessions are behaving as expected.
NIST defines Zero Trust Architecture (ZTA) in Special Publication 800-207 as moving security controls from the network perimeter to individual resources, each resource enforcing its own access policy rather than relying on a trusted network boundary.
In practical terms, zero trust means users are verified with strong authentication before accessing any resource, devices are verified as meeting security requirements before access is granted, access is limited to only the specific resources the user actually needs, all access is logged and monitored, and access is re-evaluated when context changes such as location, device health, or unusual behavior.
Why the traditional perimeter model failed
The traditional castle-and-moat model (keep threats outside, trust everything inside) rested on three assumptions that no longer hold.
The perimeter is no longer clearly defined. Work happens from home, from coffee shops, on personal devices. Applications run in cloud environments outside the corporate network entirely. The concept of an “inside” has become indistinct.
Insider threats, whether malicious employees or compromised accounts, originate inside the perimeter. A model that trusts everything inside provides no protection against the significant share of breaches that never involve external network entry.
Attackers who do breach the perimeter through phishing, credential theft, or supply chain compromise can move laterally with minimal friction across a flat, trusted network. Lateral movement is how a single compromised endpoint becomes an enterprise-wide incident. The 2021 Kaseya VSA supply chain attack is a precise illustration: access through a single trusted channel rippled outward because downstream environments implicitly trusted what came from above them.
Zero trust addresses all three failure modes by replacing implicit trust based on network location with continuous, context-aware verification.
The three core principles of zero trust
Verify explicitly. Authenticate and authorize every access request using all available signals: user identity, device health, location, the resource being requested, and behavioral patterns. Network location is not a trust signal.
Use least privilege access. Limit users to the minimum access required for their role and limit the duration of that access. Just-in-time access provisioning for privileged operations, and time-limited access grants for temporary requirements, reduce the exposure window when credentials are compromised. An account that can only reach what it needs, for as long as it needs it, is dramatically less valuable to an attacker.
Assume breach. Design controls on the assumption that the network has already been compromised. Segment access to limit lateral movement. Encrypt all data in transit and at rest. Monitor all activity for indicators of compromise. Plan incident response for the scenario where an attacker already has a foothold inside the environment.
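The per-request evaluation described in the practical summary and the three principles above can be sketched as a small policy decision function. This is an added example, not code from Kaseya or from NIST SP 800-207; the users, resources, grant table, and the "step_up" outcome for an unexpected location are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool      # strong authentication completed for this request
    device_compliant: bool  # e.g. patched and no active endpoint alert
    country: str
    resource: str
    source_network: str     # logged only; network location is not a trust signal

# Constructed sample policy data (hypothetical users and resources).
NOW = datetime(2026, 1, 15, 9, 0, tzinfo=timezone.utc)
GRANTS = {  # (user, resource) -> expiry of a time-limited grant
    ("alice", "rmm-console"): NOW + timedelta(hours=1),
    ("alice", "ticketing"): NOW + timedelta(days=30),
}
USUAL_COUNTRIES = {"alice": {"US"}}
AUDIT_LOG = []  # every decision is recorded, allow or deny

def decide(req, now):
    """Evaluate one access request; returns (decision, reason)."""
    expiry = GRANTS.get((req.user, req.resource))
    if not req.mfa_verified:
        result = ("deny", "identity not verified with MFA")
    elif not req.device_compliant:
        result = ("deny", "device fails compliance check")
    elif expiry is None:
        result = ("deny", "no grant for this resource")
    elif now >= expiry:
        result = ("deny", "time-limited grant expired")
    elif req.country not in USUAL_COUNTRIES.get(req.user, set()):
        result = ("step_up", "unexpected location; re-authenticate")
    else:
        result = ("allow", "all signals verified")
    AUDIT_LOG.append((now.isoformat(), req.user, req.resource,
                      req.source_network, *result))
    return result

def evaluate_session(events):
    """Re-evaluate on every (time, request) event; stop once access is not allowed."""
    decisions = []
    for now, req in events:
        decisions.append(decide(req, now)[0])
        if decisions[-1] != "allow":
            break
    return decisions
```

Feeding `evaluate_session` the same request twice, with `device_compliant` flipped to `False` on the second event, shows an already-authenticated session losing access mid-stream, and a request from a corporate LAN without MFA is denied like any other.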
Zero trust in practice: how to implement it
Zero trust is a journey, not a binary switch. Most organizations implement it incrementally across five dimensions, each building on the last.
Identity and access management. This is the foundation. Strong authentication (MFA, ideally phishing-resistant hardware keys or app-based factors), identity governance covering who has access to what and why, and privileged access management for administrative credentials are the starting point. Every access decision flows from a verified identity. Dark Web ID, part of Kaseya 365 User, provides continuous credential monitoring to catch compromised identities before they become active breach vectors.
Device compliance. Access should depend not just on who you are but on the health of the device you are using. Conditional access policies that require endpoints to meet security requirements before accessing sensitive resources implement the device verification principle. Datto EDR, part of Kaseya 365 Endpoint, provides the continuous endpoint monitoring that device compliance policies depend on: an endpoint with a behavioral threat active or a critical unpatched vulnerability should not have the same access rights as a clean, patched, fully managed device.
Network access control. Replace broad VPN-based network access with application-specific access. Users authenticate to specific applications rather than to the network as a whole. This is the domain of ZTNA (Zero Trust Network Access), and Datto Secure Edge is Kaseya’s purpose-built ZTNA and SASE solution for MSPs managing client remote access at scale. For a detailed technical look at how ZTNA replaces VPN, see our guide to ZTNA vs VPN.
Application-level controls. Access policies at the application layer define not just who can connect but what actions they can take once connected. Role-based access within applications, combined with monitoring of application-layer behavior, closes the gap that network-level controls alone cannot address.
Continuous monitoring. Zero trust requires continuous monitoring of authenticated sessions for behavioral anomalies: access to unusual resources, abnormal data transfer volumes, authentication from unexpected locations, or privilege escalation attempts. SaaS Alerts, part of Kaseya 365 User, provides this continuous monitoring for cloud and SaaS application environments, detecting account compromise and suspicious activity in near real time and triggering automated response actions.
Zero trust for MSPs
MSPs have strong incentives to implement zero trust both internally and as a service offering.
Internally, MSP environments are high-value targets. A compromised MSP credential can cascade into every client environment that MSP manages. One MSP partner using Datto Secure Edge described it this way: “We use Datto Secure Edge to lock down our own techs. They can’t log into KaseyaOne unless they’re connected through Datto Secure Edge, which gives me peace of mind.” Zero trust architecture that enforces MFA on all access, implements privileged access management for RMM credentials, and segments client environments from each other limits the blast radius when any component is compromised.
For clients, zero trust is increasingly a compliance and cyber insurance requirement, particularly for clients in healthcare, finance, and government sectors. An MSP that can speak to zero trust architecture, map client environments against its principles, and deliver the technical components incrementally is positioned as a strategic security advisor, not a reactive help desk.
The commercial opportunity is real. Rather than zero trust being a single project with a single deliverable, it is a continuous advisory and implementation service. Each of the five dimensions listed above represents a distinct engagement, and each builds client dependency on the MSP’s expertise and toolstack.
Common zero trust misconceptions
“Zero trust means trusting nobody.” Zero trust means replacing implicit trust with verified trust. Verified users, devices, and sessions absolutely get access. The principle is about the basis for that trust, not its existence.
“Zero trust is a product you buy.” No single product delivers zero trust. It requires coordinated implementation across identity, devices, network access, applications, and monitoring. Products support its implementation; the architecture requires decisions and ongoing governance.
“Zero trust requires rebuilding everything from scratch.” Implementation is incremental. Starting with MFA on all accounts and device compliance policies addresses the highest-risk gaps immediately. Network segmentation and application-level controls can follow as the program matures. An MSP that has deployed EDR, enforced MFA, and implemented ZTNA for remote access has already moved the security posture significantly closer to a zero trust model.
Key Takeaways
- Zero trust replaces implicit network-location-based trust with continuous verification of every access request, directly addressing the failure modes of the traditional perimeter model.
- The three core principles (verify explicitly, use least privilege, and assume breach) apply simultaneously to identity, devices, network access, and applications.
- Implementation is incremental: start with identity and MFA, add device compliance and conditional access, then progress to ZTNA for network access and continuous behavioral monitoring.
- MSPs have both internal security incentives and commercial opportunities around zero trust: protecting high-privilege MSP access to client environments, and delivering zero trust advisory and implementation services to clients.



