A recent series of high-profile data breaches is likely to have a profound impact on IT service providers for years to come.
One of the fundamental assumptions any organization makes when electing to rely on an IT service is that the people providing that service can be trusted. When most employees of a service provider discover that something like a firewall has been misconfigured, they typically inform the end user. As most IT service providers know, the instances of IT infrastructure that might be misconfigured in the age of the cloud number in the hundreds of millions.
Long-term impacts of breaches on IT service providers
Service providers will be required to document who has access to a customer’s IT environment within their organization. IT service providers should expect to see more customers demanding to know more about the backgrounds of the individuals being hired to manage the IT services being delivered.
Most customers run extensive background checks on their own internal IT employees. Many of them demand to know if similar background checks have been conducted on the employees of the IT service provider. Contracts are also likely to contain liability language specifically addressing damages stemming from the actions of an insider.
The second impact is that organizations that have been reluctant to host sensitive data on a public cloud are now going to be even less inclined to trust an external service. It’s not so much that those organizations don’t think the cloud platform is more secure than their own environment; it’s that the processes associated with moving and securing data are simply too flawed for them to trust.
Cloud security is based on a shared responsibility model that assumes the end customer is responsible for everything to do with application security while the service provider ensures the underlying infrastructure is secure. In practice, most organizations don’t have the DevSecOps processes required to make sure mistakes involving misconfiguration don’t happen.
The third major impact comes under the heading of “it’s an ill wind that blows no one any good.” As more organizations fully appreciate how flawed their DevSecOps processes really are in the age of the cloud, many of them are likely to look to managed service providers (MSPs) for help. The onus, of course, will be on the MSP to prove they can be trusted.
As Amazon Web Services CTO Werner Vogels recently noted, cybersecurity is fundamentally broken. The challenge and opportunity for MSPs is to help both IT organizations and cloud service providers fix a problem that will eventually destabilize the entire IT sector if left unaddressed.