
Why Identity Management is Foundational to Zero-Trust for SMBs


COMMENTARY: Small and midsize businesses (SMBs) are increasingly at risk for cybercrime. As the CTO of Syncro, I see this firsthand. SMBs face the same threats as enterprises, but with fewer tools and far less support.

Yet while cybersecurity risks are increasing, most SMBs aren’t asking for zero-trust solutions, let alone implementing them independently. That’s why MSPs and MSSPs, not their clients, need to take the lead.

Rather than waiting for clients to ask for zero-trust by name, MSPs can guide them by educating them on what zero-trust is, why it matters, and how identity management is central to making it work. When we link security to productivity, efficiency and risk reduction, not just threats, SMBs can understand why it’s worth the investment.

Zero-Trust, Simplified for the SMB Audience

Zero-trust is a security model in which no request for access to a system or resource is trusted on the basis of where it comes from: a connection from inside the office network is verified exactly as strictly as one from a coffee shop. It rests on a “never trust, always verify” principle. Every user, device and application is authenticated and authorized for each access, and that trust is re-evaluated continuously rather than granted once at login.

This mindset is especially important in today’s world, where cloud-based tools, remote work, and mobile access are the norm.

The Role of Identity in SMB Security

In traditional IT environments, the network perimeter was the security boundary. But that boundary has dissolved. Now, identity is the new perimeter.

Identity and access management (IAM) tools are what make that verification possible: multifactor authentication (MFA) proves the user holds a second factor beyond a password, single sign-on (SSO) centralizes authentication so policy is enforced in one place instead of per application, and conditional access policies evaluate device, location and risk signals before a sign-in is granted. Without strong IAM, zero-trust isn’t possible.

Unfortunately, many SMBs don’t have the time, tools or expertise to implement these protections effectively. Often, they rely on weak passwords, shared logins or ad hoc provisioning. Attackers know this about SMBs and target these identity gaps directly: credential stuffing succeeds against accounts that reuse passwords and lack MFA, and social engineering sidesteps technical controls entirely by persuading the user to hand over access.

The Rise of Tech Support Scams

One increasingly common threat that underscores this issue is tech support scams, also known as techscams. These attacks trick users into thinking they need urgent technical help—often impersonating well-known companies like Microsoft or antivirus vendors.

According to Microsoft’s 2024 report, techscam traffic surged over 400% between 2021 and 2023, far outpacing the rise of malware and phishing. While these scams have traditionally targeted consumers, SMBs are now increasingly being exploited.

These scams are especially dangerous for small businesses because:

  • Employees often use personal and work devices interchangeably.
  • IT teams (if they exist) may not have centralized control or visibility.
  • Scammers are increasingly impersonating the legitimate business vendors and tools SMBs rely on every day, like QuickBooks or Microsoft 365.

In some cases, attackers gain remote access to business devices (typically by talking the victim into installing a legitimate remote-control tool), install keyloggers or malware, and even extract payment credentials or customer data—all starting with a fake “support” pop-up or phone call.

Where SMBs Fall Short on Identity

Even beyond scams, many SMBs are vulnerable due to gaps in basic IAM hygiene:

  • Over-permissioned users: Staff often have access to more systems than necessary.
  • Weak or inconsistent MFA: Many small businesses still don’t require MFA across all accounts.
  • Lack of lifecycle management: Former employees sometimes retain login access for weeks—or longer—after departure.
  • No centralized policy enforcement: Password policies are applied inconsistently, and sign-in alerts and audit logs are rarely reviewed.

These issues lead to what I call a “fragmented identity perimeter.” In other words, no one is quite sure who has access to what, and when. That makes a ripe target for attackers.
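The four gaps above can be checked directly in a Microsoft 365 tenant. The following is an added example, not code from the article or from Syncro: an identity-hygiene audit written against the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) that reports unregistered MFA, stale enabled accounts, Global Administrator membership, and whether anything enforces MFA tenant-wide. The 45-day staleness threshold and the finding categories are assumptions to tune per client; the "fewer than five Global Administrators" bar is Microsoft's published guidance. SignInActivity on user objects and the registration-details report require a Microsoft Entra ID P1/P2 license (included in Microsoft 365 Business Premium).

```powershell
# Added example (not the article's code): Microsoft 365 identity-hygiene audit.
# Run with an account holding Global Reader or Security Reader; thresholds are assumptions.
function Invoke-IdentityHygieneAudit {
    param([int]$StaleDays = 45)   # assumption: no sign-in in 45 days = stale

    Connect-MgGraph -NoWelcome -Scopes @(
        "User.Read.All", "AuditLog.Read.All", "Directory.Read.All",
        "UserAuthenticationMethod.Read.All", "Policy.Read.All"
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Category, $Subject, $Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Subject = $Subject; Detail = $Detail })
    }

    # Gap 1: weak or inconsistent MFA - users with no MFA method registered at all.
    $regs = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
    foreach ($r in $regs | Where-Object { -not $_.IsMfaRegistered }) {
        Add-Finding "MFA" $r.UserPrincipalName "No MFA method registered (admin: $($r.IsAdmin))"
    }

    # Gap 2: lifecycle - enabled accounts that have not signed in for $StaleDays days, or ever.
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $users  = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,SignInActivity
    foreach ($u in $users | Where-Object { $_.AccountEnabled }) {
        $last = $u.SignInActivity.LastSignInDateTime
        if (-not $last -or $last -lt $cutoff) {
            $when = if ($last) { $last.ToString("yyyy-MM-dd") } else { "never" }
            Add-Finding "Lifecycle" $u.UserPrincipalName "Enabled but last sign-in: $when"
        }
    }

    # Gap 3: over-permissioned users - every Global Administrator is a full-tenant
    # compromise if phished. Microsoft recommends fewer than five.
    $gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    $admins = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
    foreach ($a in $admins) {
        $who = $a.AdditionalProperties.userPrincipalName
        if (-not $who) { $who = $a.Id }   # service principals have no UPN
        Add-Finding "Privilege" $who "Global Administrator"
    }
    if ($admins.Count -ge 5) {
        Add-Finding "Privilege" "(tenant)" "$($admins.Count) Global Administrators; Microsoft recommends fewer than 5"
    }

    # Gap 4: no centralized policy enforcement - with Security Defaults off and no
    # enabled Conditional Access policy, nothing in the tenant requires MFA.
    $secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    $caEnabled   = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq "enabled" })
    if (-not $secDefaults.IsEnabled -and $caEnabled.Count -eq 0) {
        Add-Finding "Policy" "(tenant)" "Security Defaults off and no enabled Conditional Access policies"
    }

    return $findings
}

# Usage: run the audit, then summarize by category for the client report.
$results = Invoke-IdentityHygieneAudit -StaleDays 45
$results | Group-Object Category | Select-Object Name, Count
$results | Format-Table -AutoSize
```

The output is a plain list of finding objects rather than a score, so it can be exported with Export-Csv and compared against the previous month's run; a client whose "Lifecycle" count never reaches zero has an offboarding process problem, not a tooling problem.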

How MSSPs Can Help and Lead

This is where MSSPs (and MSPs with security capabilities) can make a meaningful difference. Your SMB clients may not want a lecture on zero-trust, but they do want to avoid downtime, ransomware and compliance penalties. That’s your opening.

Practical ways MSSPs can build and support Zero-Trust environments:

  • Run IAM audits and Secure Score assessments (especially for Microsoft 365 environments).
  • Implement and enforce MFA, SSO, and Conditional Access policies.
  • Automate onboarding and offboarding to ensure access controls are updated in real time.
  • Educate clients on real-world risks and potential impact.
  • Help define risk thresholds. What access is truly needed? Where can we tighten control without slowing down users?
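As an added example, not code from the article or from Syncro, here is what the "enforce MFA and Conditional Access" and "automate offboarding" steps above look like when scripted against the Microsoft Graph PowerShell SDK. The policy display names, the CA01/CA02 numbering and the sample user are assumptions; the break-glass object ID is a placeholder that must be replaced with the real emergency-access account before running.

```powershell
# Added example (not the article's code): two Conditional Access policies plus an
# offboarding routine. Placeholder values are marked; replace them before use.
Connect-MgGraph -NoWelcome -Scopes @(
    "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All",
    "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.Read.All"
)

# Always exclude an emergency-access ("break-glass") account from every policy so a
# misconfigured policy cannot lock every administrator out of the tenant.
$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: real object ID goes here

# Policy 1: require MFA for all users on all apps. Created in report-only mode first;
# review the sign-in log for what would have been blocked, then switch state to "enabled".
$requireMfa = @{
    displayName   = "CA01 - Require MFA for all users"          # assumed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication (basic-auth IMAP/POP/SMTP, old Office clients).
# These protocols cannot perform MFA, so they are the usual path for credential
# stuffing against accounts that otherwise have MFA turned on.
$blockLegacy = @{
    displayName   = "CA02 - Block legacy authentication"        # assumed name
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in @($requireMfa, $blockLegacy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}

# Offboarding. Order matters: disabling the account alone leaves refresh tokens valid,
# so sessions are revoked too; group removal pulls back SharePoint, Teams and app
# access that was granted through membership rather than directly.
function Disable-DepartedUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $u = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
    Update-MgUser -UserId $u.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $u.Id | Out-Null

    $groups = @(Get-MgUserMemberOf -UserId $u.Id -All |
        Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' })
    foreach ($g in $groups) {
        # Dynamic-membership groups reject manual removal; the account is disabled regardless.
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $u.Id -ErrorAction SilentlyContinue
    }
    # Caveat: access tokens already issued remain valid until they expire (up to about an
    # hour) unless the application supports Continuous Access Evaluation.
    [pscustomobject]@{ User = $u.UserPrincipalName; Disabled = $true; GroupsRemoved = $groups.Count }
}

# Usage (sample address is a placeholder):
Disable-DepartedUser -UserPrincipalName "former.employee@contoso.com"
```

Report-only mode is the part clients tend to skip and then regret: it lets the MSSP show, from the tenant's own sign-in log, exactly which users and which legacy clients would be blocked before anything changes, which is the risk-threshold conversation the last bullet above describes.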

Microsoft 365: The MS(S)P’s Opportunity to Teach Identity

One way MSSPs and MSPs can help their SMB customers understand zero-trust and identity management is by connecting it to the tools they already use every day.

Many SMBs run their entire business on Microsoft 365, which makes it a perfect example of identity-centric security. Every user, permission and access policy in M365 flows through Microsoft Entra ID, the identity service behind it. MSSPs and MSPs that know how to leverage Secure Score, Conditional Access, Defender for Identity and other Microsoft-native tools are well positioned to deliver scalable, compliance-ready IAM.

By walking clients through how these features work in Microsoft 365, MSPs can shift the conversation from high-level security concepts to practical, real-world benefits. Framing it this way shows SMBs that stronger security doesn’t mean locking down everything. It means giving the right access to the right people, at the right time.

Security That Supports the Way SMBs Work

The real objective for most MSSPs and MSPs isn’t just implementing security controls; it’s about building systems that align with how their clients actually work. When MSPs and MSSPs approach identity as both a core security element and a productivity driver, they can help their SMBs stay protected without introducing unnecessary complexity into their day-to-day operations. Security that aligns with how a business runs becomes something clients value, not just tolerate. The result is both meaningful protection and the trusted partnership that today’s SMBs are looking for.


MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to [email protected].

Kristen Costagliola

Kristen Costagliola is the Chief Technology Officer at Syncro, where she leads the company’s engineering efforts to deliver high-quality products for managed service providers and IT professionals. With a background in software engineering and a passion for building strong, cohesive teams, she has led global engineering organizations of 150+ professionals across software development, QA, DevOps, SRE, and UX. Before joining Syncro, Kristen held leadership roles at Datto, where she oversaw engineering for multiple product lines, driving innovation and scalability. She holds a Bachelor of Science in Computer Engineering from Fairfield University and is a Certified Scrum Master. Kristen is committed to fostering a culture of trust, openness, and inclusivity within the workplace.
