Cloud Damage Control for MSPs
If MSPs ever came up with a creed or motto, "first do no harm" might be a good starting point. In reflecting on last week's widespread Amazon outage, a lot of companies (including MSPs) are wondering whether they can immunize themselves against future cloud outages.
It is safe to say that many people heard or read about the Amazon outage, especially those outside the IT channel. That means, your customers heard about it and likely were impacted by it. Now, let's put aside the discussion about whether this was a preventable problem. MSPs need to look at last week's episode in the context of how to communicate these types of disruptions to customers in the future, without losing customer confidence.
Recently, I wrote about how cloud vendors can actually harm MSPs. Last week was a good example of this. While no MSP can take responsibility for what happened at Amazon, many customers may not understand that Amazon was ultimately responsible for any IT problems experienced.
How can you minimize fallout from a public cloud vendor? Here are some simple methods for protecting your reputation, and your customers.
Don't Stick Your Neck Out
If it isn't your cloud, why would you take credit for it? Public clouds should be treated as what they are; largely reliably, inexpensive, scalable, but sometimes fickle creatures. Public clouds do break from time to time. Tell your customers if you use a public cloud what the limitations are, not just the benefits. If only to limit risk to your own reputation.
Contract Carve Out
Include in your managed services agreements limitations of liability related to cloud environments not owned/controlled by your MSP. It's good practice to tell your customers about the benefits/limitations of public cloud, but it is an absolute necessity to include such language in your service agreements.
Are You Insured?
So, you've informed your customers about the benefits and risks of public cloud, and you've updated your service agreements with risk limiting language, what about your insurance?
Having comprehensive MSP insurance, which covers both the traditional general liability issues, but also cyber originating threats, has become the norm, not the exception. Further, MSPs would be well served to talk with customers about their own insurance covering the client for similar types of cyber threats not resulting from negligence from the MSP.
MSPs need to develop and implement a comprehensive strategy to protect both their internal and customer systems. This includes the usage of any cloud environment not owned or controlled by the MSP (most notably public clouds).
When it comes to using public clouds, there are a lot of benefits to both MSP and customer alike. But, MSPs should never take on the liability of these public cloud vendors needlessly. Having a transparent process of communicating which cloud environments are being used to deliver the managed services is a best practice. It is also a good way to avoid taking the blame for something you cannot control.