The Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), have defined a set of best cloud security practices that specifically call for managed services providers (MSPs) to provide more visibility into their IT operations.
The agencies note that MSPs serving multiple customers are now a primary target for cybercriminals. They then use the access they gain to compromise multiple downstream IT environments. Organizations must now extend the same shared responsibility model they apply to cloud service providers to MSPs. The agencies also note organizations need to understand how MSPs protect themselves by conducting audits of the services being provided.
The agencies advise organizations to only select MSPs that are willing to provide visibility into their operations. This includes making logs and other similar mechanisms for conducting security investigations available via an immutable storage service that provides access to those logs for an extended period.
The agencies advise organizations to consider what agreements are in place that pertain to notification and recovery if a suspected security breach occurs. Organizations should consider how they will respond to unusual, high-impact events, such as security incidents, extended outages, or system failures when relying on MSPs.
Organizations should also adopt identity access management tools. They should also require multifactor authentication for privileged accounts. For example, requiring MSPs to only use trusted devices from specific locations to access their IT environments.
Finally, the agencies advise organizations should not rely on a single provider of managed security services. If those services are compromised, organizations should be able to actively switch to another set of services.
Cybersecurity incident planners should consider what responders might need from an MSP to thwart any attack effectively.
MSP must demonstrate value and set expectations
The bar for providing managed services is rising in a manner that increases the overall cost of delivery. Each MSP will need to determine to what degree the organizations they serve are likely to require increased visibility. A small-to-medium business may not be as inclined to define a service level agreement that in terms of defining the level of services expected, may not be as deep as an enterprise. However, MSPs that do make the investments required are likely to do everything they can to make sure organizations are aware of the value of those services when competing with a rival that might, by not providing the same depth of capabilities, be undercutting their pricing.
Each time there is a major cybersecurity incident involving an MSP there is going to be plenty of blame. MSPs would be well-advised to define a set of expectations upfront. This is to ensure the amount of blame that might be shifted their way is as little as possible.
Photo: corgarashu / Shutterstock
