As an MSP, you probably spend a lot of time making sure that your platform is secure — using long, complex passwords and (hopefully) two-factor authentication wherever possible; specifically named superuser accounts, rather than general shared sysadmin ones; heuristic-based anti-malware tools; and so on.
That’s good. It makes it harder for your platform to be compromised and offers your customers a degree of confidence that you’re providing what they need.
However, such security is only good while it lasts. If a malicious attack does result in a breach, then the walled garden is compromised, and an external attacker can then wander at will through whatever data and information the security level they have broken provides them with.
Therefore, it’s time for MSPs to up their game and start to look to informational security. After all, if an item of hardware is compromised, it can ‘just’ be swapped out and in. Even at an application level, a compromised application can be spun down, deleted, and replaced with a new, more secure version, particularly where containers or virtual machines are being used. However, if data or information is compromised, then the very life blood of an organisation has been taken — and it may be too late to do anything to ameliorate any negative consequences.
Information security opportunities
Information security is generally not seen as being an MSP’s problem. Primarily, the customer is in charge of how they put together their applications and how they secure the information.
However, a forward-looking MSP can make money by offering a few general services to its customers that can make life easier for them. The first and probably simplest option is to provide encryption services for data and information. Many MSPs already do this, so I would consider this to be pretty much table stakes at the moment. The use of information classification to apply encryption (and therefore use of resources) only to information that needs encrypting is something I don’t see much of, though.
“It’s time for #MSPs to up their game and start to look to informational security.” @SmarterMSP
Providing data leak prevention (DLP) services is another relatively easy service for MSPs to provide. A partitioned shared service where general MSP-provided rules can be combined with customer-specific ones can help prevent most of the accidental (and a fair amount of the malicious) leaking of information outside of the customer’s environment. For example, an email meant to go to email@example.com can be captured and prevented from being sent if a user accidentally tries to send it to firstname.lastname@example.org. Again, data classification and encryption rules can also help make DLP work at an optimum level.
This then brings us to the best service that an MSP can help its customers with — data rights management (DRM).
Benefits of data rights management
The main problem with information is that once it’s off of your customer’s network, it is no longer under their control. Unless, that is, DRM is implemented.
DRM makes it so that any information asset must refer back to a central point before any action can be taken on it. Therefore, should an email escape the DLP filters and be delivered to the wrong person, any data associated with that email will have to refer back to the DRM system on the customer’s network (i.e. that being provided by the MSP) before anything can be done. Now, if email@example.com has received the email, she cannot do anything with it as the reference back to the customer’s network will find that she has no rights to access the information. At that stage, the file can either be fully encrypted and/or deleted depending on the associated rules and rights governing what can be done to the file.
Indeed, let’s say firstname.lastname@example.org gets the email correctly. The DRM system can still prevent her from detaching and saving any attachments, forwarding the message, or printing it out, etc.
Let’s assume that a company that used to be a big supplier is acquired by an organisation’s competitor. Where suitable DRM is in play, all documents that the soon-to-be-ex-supplier has on their systems can be remotely locked so that the competitor can’t gain access to them.
An MSP implementing encryption, DLP, and DRM, and helping their customers to set up these services moves into a different, higher-value market. Enabling an organisation to more easily move information around its value chain turns these levels of security from being an avoidable insurance policy cost to a business-enabling investment.
And, it’s investment that the MSP can make a profit from.