Share This:

The cybersecurity authorities of the United Kingdom, Australia, Canada, New Zealand and the United States have issued an alert to notify managed service providers (MSPs) of an increase in malicious cyber activity and provide best practice security guidance for how to combat these threats. If adopted, this will in many cases increase the cost of delivering services. The advice includes:

  1. Log the delivery infrastructure activities used to provide services to the customer, including both internal and customer network activity as appropriate and contractually agreed upon.
  2. Adopt multi-factor authentication (MFA) across all customer services and products, including accounts that have access to customer environments that should be treated as privileged.
  3. Review and verify all connections between internal systems, customer systems, and other networks as part of an effort to segregate customer data sets in a way that limits the impact of a single vector of attack.
  4. Do not reuse administrative credentials across multiple customers.
  5. Apply least privilege principles to both internal and customer environments, avoiding default administrative privileges.
  6. Implement updates on internal networks as quickly as possible.
  7. Regularly backup internal data as well as customer data, where contractually appropriate, and maintain offline backups encrypted with separate, offline encryption keys.
  8. Encourage customers to create secure, offsite backups and exercise recovery capabilities.
  9. Develop and regularly exercise internal incident response and recovery plans and encourage customers to do the same.
  10. Understand supply chain risk and manage the cascading risks it poses to customers.
  11. Negotiate terms of a contract with their customers to provide clear explanations of the services being provided and all contingencies for incident response and recovery.
  12. Verify whether the customer restricts MSP account access to systems managed by the MSP.

The guidance provided, however, is not just limited to MSPs. Customers of MSPs are also being advised to focus on how to secure the services they consume, including:

  1. Enable effective monitoring and logging of their systems.
  2. Implement comprehensive security event management that enables appropriate monitoring and logging of systems.
  3. Provide visibility, as specified in the contractual arrangement, to logging activities, including presence, activities, and connections to the customer networks made by an MSP.
  4. Ensure MSP accounts are properly monitored and audited.
  5. Notify the MSP of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.
  6. Share alerts with a security operations center (SOC) for analysis and triage.
  7. Ensure that their contractual arrangements mandate the use of MFA on the services and products they receive. Contracts should also require MFA to be enforced on all MSP accounts used to access customer environments.
  8. Make sure they understand their MSP’s policy on software updates and request that comprehensive and timely updates are delivered as part of an ongoing service.
  9. Ensure that their contractual arrangements include backup services that meet their resilience and disaster recovery requirements, including requiring them to implement a backup solution that automatically and continuously backs up critical data and system configurations and store backups in an easily retrievable location that is air-gapped from the organizational network.
  10. Include in contracts incident response and recovery plans and that they are tested at regular intervals.
  11. Understand the supply chain risk associated with their MSP, including risk associated with third-party vendors or subcontractors.
  12. Set clear network security expectations with their MSPs and understand the access their MSP has to their network and the data.
  13. Specify whether the MSP or the customer owns specific responsibilities, such as hardening, detection, and incident response.
  14. Have a thorough understanding of the security services their MSP is providing and address requirements that fall outside the scope of the contract.
  15. Ensure MSP accounts are not assigned to internal administrator groups and only grant access and administrative permissions on a need-to-know basis in a way that can be verified and audited.

No one knows for sure how many MSPs and customers will follow this security guidance. However, the next time there is a major security incident, MSPs should expect to be asked a lot of tough questions concerning how well they followed this guidance. Like it or not, the cost of securing managed services is going to rise but on the plus side, the total cost of being an MSP should decline as the number of security incidents hopefully declines.

Photo: encierro / Shutterstock


Share This:
Mike Vizard

Posted by Mike Vizard

Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike blogs about emerging cloud technology for Smarter MSP.

6 Comments

  1. cannot repeat the importance of these items, and now important to actually do it and not have it on list

    Reply

  2. Fantastic advice, very thorough. Thank you

    Reply

  3. Moss Jacobson May 25, 2022 at 9:00 am

    As MSPs this should ALL be best practices and should not have to be forced by regulators. Security posture is one of the great differentiators in our business!

    Reply

  4. Great list of recommendations! Thank you for sharing!

    Reply

  5. Gareth Coleman May 31, 2022 at 7:07 am

    Fantastic article and one I have share with the rest of our team here. These sorts of processes are often seen as standard go to practices but the number of times I have seen the processes missed or ignored because it was ‘too much like hard work’ or ‘overly disruptive’ to roll out is frankly scary!

    All these points should be used whenever possible and not as a ‘nice to have’.

    Reply

  6. Good recommendations to follow.

    Reply

Leave a reply

Your email address will not be published. Required fields are marked *