New security guidance will raise cost of delivering managed service

The cybersecurity authorities of the United Kingdom, Australia, Canada, New Zealand and the United States have issued an alert to notify managed service providers (MSPs) of an increase in malicious cyber activity and provide best practice security guidance for how to combat these threats. If adopted, this will in many cases increase the cost of delivering services. The advice includes:

1. Log the delivery infrastructure activities used to provide services to the customer, including both internal and customer network activity as appropriate and contractually agreed upon.
2. Adopt multi-factor authentication (MFA) across all customer services and products, including accounts that have access to customer environments that should be treated as privileged.
3. Review and verify all connections between internal systems, customer systems, and other networks as part of an effort to segregate customer data sets in a way that limits the impact of a single vector of attack.
4. Do not reuse administrative credentials across multiple customers.
5. Apply least privilege principles to both internal and customer environments, avoiding default administrative privileges.
6. Implement updates on internal networks as quickly as possible.
7. Regularly backup internal data as well as customer data, where contractually appropriate, and maintain offline backups encrypted with separate, offline encryption keys.
8. Encourage customers to create secure, offsite backups and exercise recovery capabilities.
9. Develop and regularly exercise internal incident response and recovery plans and encourage customers to do the same.
10. Understand supply chain risk and manage the cascading risks it poses to customers.
11. Negotiate terms of a contract with their customers to provide clear explanations of the services being provided and all contingencies for incident response and recovery.
12. Verify whether the customer restricts MSP account access to systems managed by the MSP.

The guidance provided, however, is not just limited to MSPs. Customers of MSPs are also being advised to focus on how to secure the services they consume, including:

1. Enable effective monitoring and logging of their systems.
2. Implement comprehensive security event management that enables appropriate monitoring and logging of systems.
3. Provide visibility, as specified in the contractual arrangement, to logging activities, including presence, activities, and connections to the customer networks made by an MSP.
4. Ensure MSP accounts are properly monitored and audited.
5. Notify the MSP of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.
6. Share alerts with a security operations center (SOC) for analysis and triage.
7. Ensure that their contractual arrangements mandate the use of MFA on the services and products they receive. Contracts should also require MFA to be enforced on all MSP accounts used to access customer environments.
8. Make sure they understand their MSP’s policy on software updates and request that comprehensive and timely updates are delivered as part of an ongoing service.
9. Ensure that their contractual arrangements include backup services that meet their resilience and disaster recovery requirements, including requiring them to implement a backup solution that automatically and continuously backs up critical data and system configurations and store backups in an easily retrievable location that is air-gapped from the organizational network.
10. Include in contracts incident response and recovery plans and that they are tested at regular intervals.
11. Understand the supply chain risk associated with their MSP, including risk associated with third-party vendors or subcontractors.
12. Set clear network security expectations with their MSPs and understand the access their MSP has to their network and the data.
13. Specify whether the MSP or the customer owns specific responsibilities, such as hardening, detection, and incident response.
14. Have a thorough understanding of the security services their MSP is providing and address requirements that fall outside the scope of the contract.
15. Ensure MSP accounts are not assigned to internal administrator groups and only grant access and administrative permissions on a need-to-know basis in a way that can be verified and audited.

No one knows for sure how many MSPs and customers will follow this security guidance. However, the next time there is a major security incident, MSPs should expect to be asked a lot of tough questions concerning how well they followed this guidance. Like it or not, the cost of securing managed services is going to rise but on the plus side, the total cost of being an MSP should decline as the number of security incidents hopefully declines.

Photo: encierro / Shutterstock