To date, much of the conversation around certifications and third party audits has centered around the service provider. Customers ask the MSP for their certification/audit credentials and the provider hopefully complies.
In a cloud world, however, the role of traditional software and hardware vendors has changed dramatically. years ago, these same vendors provided their technology on premise and their role in compliance was relatively small. Today, the trend is for the vendors to offer the technology through premise and cloud hosted models, with some vendors opting to go exclusively to a cloud hosted model (meaning their cloud).
At the same time cloud adoption has been growing, there is more attention being paid to transparency and compliance of MSPs and cloud computing environments. With this increased attention has come the need to evaluate all the partners associated with a provider’s service delivery. Simply put, this means vendors must be prepared to meet similar compliance and audit requirements if they wish to remain viable in the channel.
The following is a partial list of some common third party scenarios where vendors and MSPs will need to demonstrate compliance.
Data Centers
Third party data centers have long been accustomed to being audited in order to be a valid part of the service delivery supply chain. This practice will continue. This means MSPs who do not own or control their own data center need to be sure those facilities have been verified.
Cloud Backup
The popularity of hybrid and pure cloud based backup and storage solutions has grown rapidly in the last few years. For many MSPs, they have opted to use third parties to provide the hardware, software, and the cloud environment for the backed up data. These facilities need to be verified in order to satisfy many of the regulated industries around the world.
NOC and Help Desk
Third party network operation centers and help desk services are frequently used by both smaller MSPs and those companies new to the managed services profession. Too few, however, of these third party providers have ever been verified by a third party. In many cases involving industries like financial services and health care, the access of customer data by these third parties is not sanctioned. We are already seeing scenarios where customer auditors are requesting that MSPs show that ALL their third party vendors are compliant and audited by a third party.
Infrastructure as a Service
IaaS is a very popular methodology for assisting service providers in their cloud computing endeavors. However, IaaS providers also need to be compliant with whatever scenarios in which the MSP uses them.
MSPs need to use third party providers in order to grow and scale their practices. This will not change. What does need to change is the amount of transparency between the MSP and all their vendors and service providers. Specifically, MSPs need to treat all their third parties as is they will one day be asked for an audit report. The chances are high that this will happen.
It is better that the MSPs source third parties who already demonstrate compliance and possess third party issued certifications and audits prior to engaging with them. This will save a lot of time later on.