Cloud Certification Gap

There is a significant business risk lurking in the cloud computing industry, and it is only a matter of time before this exposure surfaces as a cloud outage or, worse, a data breach. So, what risk am I referring to? I am talking about the gap between the controls a service provider's third party partners, such as data centers, have had certified and the controls the service provider itself actually operates.


The MSPAlliance performs many certifications and audits of MSPs, cloud providers, and data centers every year. Too often, we see service providers rely on the certifications of their partners rather than focusing on their own processes, documentation, and security. In fact, I think relying on partner certifications can actually be damaging, because it creates a false sense of security both for the service provider and for customers who are unaware of this significant risk gap. I'll explain.

When service providers make representations about their Network Operations Centers (NOCs), help desks, data centers, or any other capability they market, there is a fine line between salesmanship and misrepresentation. Many MSPs partner with other providers in order to bring key features like NOC, help desk, and hosting to their customers. Most customers trust their MSP and wouldn't question these representations. But if the customer knew that the MSP didn't actually own or operate the data center, didn't own the NOC, and didn't own the help desk, would that really matter? For some it might; for others it might not.

The point is not that an MSP or cloud provider must own everything it delivers; that is simply not practical. The point is transparency: how much detail the service provider gives customers about which services are delivered by the MSP itself and which by third parties. In some markets, like financial services, omitting this information could result in serious trouble for both the MSP and its customer.

In my opinion, the more serious and widespread problem is when service providers simply neglect to adopt policies and procedures because they think their "partner" has it covered. For example, an MSP uses a data center that holds a certification like SSAE 16 or UCS and assumes that certification is enough to cover the MSP's own policies and procedures. This is simply not true! That report covers the data center's control environment, not the MSP's. MSPs, even if you outsource to third party partners, you must have policies and procedures that govern, and are effective for, your own environments, right up to the point where they interact with the partner.

MSPs and cloud providers who co-locate in a data center should have policies that govern their own physical security, how their users authenticate to customer systems, their disaster recovery plans, and the other controls that directly affect their ability to deliver IT services. Skipping this process means skipping the most basic elements of being a qualified and transparent service provider.

On the positive side, MSPs that do partner with other service providers holding these certifications will find it much easier to pass the UCS and SSAE 16 audits, since we regularly "reference" third party relationships in our UCS audit reports. This documentation goes a long way toward helping customers make sense of the many intricacies of providing managed services.

Customers often don't mind that MSPs partner with other providers. They just want to know about it so they can make more informed choices.


About MSPAlliance

Founded in 2000, MSPAlliance is the world's largest community for managed service providers. Free membership gives you access to resources, research, and certification programs that help you build a mature, compliant, and trusted MSP business.
