Internal Security for the Modern MSP
By Charles Weaver
- What end-user concerns need to be addressed with regards to MSP security
- Lessons learned from the past several years
- Standardized security best practices all MSPs should apply
The evolution of managed service provider (MSP) security practices has a long history going back to the mid-1990s. The threats were different back then, as were the technologies used and the customer expectations. Today, in this era of expanding cybersecurity threats, the modern MSP must adopt a vastly different internal security posture. MSPs have long understood the value of delivering managed security solutions to customers, but the time has come to set those same security expectations inward.
End-user Concerns with the Modern Day MSP
To begin, let us be clear about the legitimate concerns consumers of managed services have. The democratization of cyberattacks means that organizations have a legitimate belief that they will be attacked, regardless of whether they have anything of value to be stolen. This critical distinction is what defines this new age of cybercrime and cybersecurity from previous eras when organizations would deploy IT security resources in accordance with their perceived risk.
The balancing of resources with the nature of the data and infrastructure being protected must still take place. Nobody expects a small business to pay enterprise prices to protect their data. However, with the proliferation of data breach notification laws and data privacy regulations, all organizations, regardless of size, must take certain baseline precautions. The same is true of MSPs.
Clients expect their MSPs to be secure. How can the MSP protect the client if the MSP itself is not also secure? These security expectations often manifest themselves in the form of transparency and information requests. The end-user customer may already believe in the benefits of the MSP relationship. What the client also needs is reassurance about the nature of the MSP’s internal security and data privacy controls, so that no additional or unreasonable risk transfers to the client organization.
For the vast majority of MSPs, this information request from clients is not about radically changing how they have run their MSP organization. Instead, it is about effectively communicating to the customer what steps the MSP is already taking to protect the managed services delivery pipeline.
Lessons Learned from the Cyber Age
There should be little disagreement that the past few years has seen an unprecedented rise in sustained cyberattacks against organizations of all sizes. In addition to these “random” and indiscriminate attacks, cybersecurity threats against MSPs have also increased. In many ways, the attacks on MSPs were to be expected. As the gatekeepers (and often the only IT guardians) of organizations of all sizes, MSPs stand in the way of all the bad actors who wish to steal, compromise, or otherwise hold for ransom the data that these entities hold most precious. For the organization believing itself to have no valuable data, sometimes just the crippling of their IT infrastructure can bring the business to a halt.
The targeting of MSP supply chain tools and vendors is also a new phenomenon and one that all MSPs ought to expect to continue for the near future. The new attack vector of MSPs and their supply chain, however, should not in any way imply that removing the MSP from the equation will make the end-user organization safer. Quite the contrary. Removing MSPs will make all organizations currently outsourcing their IT related services far more vulnerable, particularly those smaller organizations who have no IT department or resources.
A useful analogy would be the homeowner who experiences a burglar breaking into their home through the front door. The response would not be to remove the front door, but rather to improve the lock on the door and put into place other security measures adequate to protect the home.
Following this analogy, MSPs must realize that they are not tightly interconnected with the security of their clients and must first stabilize internal MSP security before they can be of service to their clients.
Standardized MSP Security
For the beginning MSP, or any MSP unsure of where to start looking to develop and implement internal security and operational best practices for their MSP business, we have a lot of useful guidance to offer. Whether your business relates to NIST/CMMC, SOC 2, ISO 27001, or some other form of IT standard, there exists a framework specifically designed for MSPs which predates all the modern-day cybersecurity standards and laws: MSP Verify.
Based on the Unified Certification Standard for Cloud & Managed Service Providers (UCS), the MSP Verify (and Cloud Verify for SaaS providers), offers the provider a precise roadmap for implementing service delivery best practices (including IT security controls specific to the MSP and SaaS business model). MSP Verify allows the modern international MSP to map these standardized practices to many of the existing standards, such as SOC 2, ISO 27001, and CMMC.
In addition, the MSP Verify provides the MSP with a report to communicate with customers exactly how the MSP is securing itself. While an exhaustive list of internal security controls is impractical here (click here for a full list of the UCS objectives and requirements), the following represents some of the more frequently discussed areas of internal MSP security tested during the MSP Verify certification process:
- MSP supply chain. Attacks on MSP vendors such as Kaseya and SolarWinds have brought the managed services profession into the spotlight globally. MSP Verify addresses mitigating controls and procedures which can significantly reduce the likelihood of a successful attack on an MSP and its customer, originating from the vendor or tool used by the MSP.
- Security Monitoring. While a longstanding service delivered to customers, MSPs are now expected to aim those same tools and services internally to monitor and identify anomalies within the MSP network and systems.
- MSP operational resilience and continuity. Just as customers seek these same outcomes from their IT outsourcing relationships, MSPs must also demonstrate sufficient operational and business resiliency in the event of a cyberattack. Common methods of MSP continuity include internal backups, cyberattack planning, and operational redundancy.
- Risk Mitigation. MSPs should strive to help their managed services clients achieve a reasonable and fair distribution of risk. Risk allocation amongst the MSP and client can be achieved through common techniques such as legal agreements, cyber insurance, and effective vendor management.
There are many other areas of focus the MSP will be tested on within the MSP Verify program. The objective is twofold: first, to ensure that the MSP is taking sufficient notice of its internal security and operational practices, AND second, that it can communicate those controls to a customer or prospect in an efficient and reliable manner.
MSPs have a long and prosperous history, which shows no signs of slowing down. In an age of increasing cyberattacks, the role of the MSP will only continue to strengthen. MSPs, however, cannot expect to operate in a vacuum and without transparency. Those days are gone. The modern MSP must acknowledge their role in the greater global IT management and security ecosystem and must take certain steps to demonstrate both proficiency and transparency to those organizations who rely on them most.