Is Your Cloud Vendor Putting Your MSP Practice At Risk?
While MSPs may have little control over they manner in which software vendors take their products to market, MSPs can still exercise their freedom of choice as to the vendors with whom they do business. As more software vendors move their code to the cloud, there are some critical steps they need to take in order to keep current with the managed services channel; which just so happens to be the majority of the IT channel these days.
While every MSP's needs are different, the following should be discussed and resolved with ALL of your cloud vendors. Depending on your (and your customers') needs, the outcome may change but knowing the answers to these questions can save you a lot of problem down the road.
Who's Cloud Is It?
Being a good software company does not mean you are a good cloud company. Just because you like the software and its functionality does not mean the ISV's cloud environment is safe, secure, or reliable. Asking a simple question about the cloud infrastructure used by the ISV is a really good starting point.
Is The Cloud Verified?
Once you've determined whose cloud it is, you next need to know more about the cloud environment. Specifically, you'll want to know whether it is certified, if it has been checked out by a third party (besides the ISV), and if the cloud has any verification reports you can read.
It's important to mention here that there are quite a few cloud vendors using third party infrastructure. This is an accepted practice as long as it is done in the proper manner. What is not acceptable is using the third party infrastructure provider's certifications and audits as if they belonged to the ISV. This is a common practice in our profession and needs to come to a quick and definitive end.
ISV's need to be verified themselves, along with any third party IaaS providers. All MSPs should check with their cloud vendors to see if they comply with this practice.
Who Is Liable?
It is also an unfortunate and common practice for ISVs and cloud vendors to limit most or all liability with their partners. While a MSP may limit its own liability by getting cyber liability insurance (which will cover the data loss or breaches due to the negligence of the MSP), breaches and losses of data caused by the third party ISV (or the ISV's cloud vendor) are typically another matter and would not be covered by the MSP's insurance.
If MSPs sign agreements with their cloud vendors accepting the ISV's complete rejection of any liability due to the fault of the ISV or its cloud vendors, this type of relationship can lead to dangerous consequences. Shared liability between the MSP and its third party ISV and cloud partners is necessary for protecting the end-user customer.
MSPs have long understood the need for protecting their customers from data loss and cyber attacks. Living in the IT services world has taught most MSPs how to operate safely. ISVs are relatively new to the IT services world and need to play catch up fast.
If ISVs are unwilling to offset MSP and customer liability, it is entirely possible MSPs will start to retake control of the cloud and begin to offer cloud computing solutions themselves and reject cloud based SaaS offerings.
Let's hope it doesn't get to that point.