Why Security Should be Top of Mind When Choosing an MSP by Brent Whitfield


As the IT environment becomes increasingly complex and risk-prone, it is unsurprising that enterprises are choosing to outsource their IT management to the cloud. After all, managed service providers (MSPs) are staffed with the top technical minds, have access to enterprise-grade security tools and can even save the company a lot of money when compared to the overhead of a fully staffed IT team.

However, that doesn't mean that a company can neglect its responsibility for data security. On the contrary, great care should be taken when sharing data with any third party because the wrong choice can easily lead to sensitive information ending up in the wrong hands.


MSPs come in many guises and this article looks at six of the most common outsourced services and where the risks lie.

Patching and Updating Server Software – Server Management

Outsourcing server management is popular due to the complexity of monitoring and maintaining server software and apps and the low costs when compared to in-house management or the server provider's own services.

Part of the role of server management is applying security patches, hotfixes and software updates promptly before new vulnerabilities can be exploited.

When signing up to a server management service, the maximum time between an update being released and it being applied to the server should form part of the SLA. There should also be a clear change control process in place to help with auditing. It is worth having someone in-house to monitor this in the early stages.
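A sketch of the in-house check described above, as an added example that is not part of the original article: it audits a change-control export against an SLA window and flags late patches, patches still missing past the window, and installs with no change ticket. The record fields, the 72-hour window and the sample rows are assumptions constructed for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M"  # assumption: all timestamps share one timezone

# Constructed change-control export (not real data): one row per patch per server.
CHANGE_LOG = [
    {"server": "web-01", "patch": "PATCH-A", "released": "2018-11-01T09:00",
     "applied": "2018-11-02T10:00", "ticket": "CHG-101"},
    {"server": "web-01", "patch": "PATCH-B", "released": "2018-11-05T09:00",
     "applied": "2018-11-12T09:00", "ticket": "CHG-117"},
    {"server": "db-01", "patch": "PATCH-A", "released": "2018-11-01T09:00",
     "applied": "2018-11-03T09:00", "ticket": ""},
    {"server": "db-01", "patch": "PATCH-B", "released": "2018-11-05T09:00",
     "applied": "", "ticket": ""},
]


def audit_patch_sla(records, sla_hours, as_of):
    """Return (server, patch, reason, hours) for every SLA or audit-trail gap."""
    now = datetime.strptime(as_of, FMT)
    findings = []
    for r in records:
        released = datetime.strptime(r["released"], FMT)
        applied = datetime.strptime(r["applied"], FMT) if r["applied"] else None
        # An unapplied patch keeps ageing until the audit date.
        hours = round(((applied or now) - released).total_seconds() / 3600)
        if hours > sla_hours:
            reason = "applied_late" if applied else "overdue_unapplied"
            findings.append((r["server"], r["patch"], reason, hours))
        # Applied inside or outside the window, a change without a ticket
        # cannot be traced during an audit.
        if applied and not r["ticket"]:
            findings.append((r["server"], r["patch"], "no_change_ticket", hours))
    return findings


if __name__ == "__main__":
    for finding in audit_patch_sla(CHANGE_LOG, sla_hours=72, as_of="2018-11-20T09:00"):
        print(finding)
```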

Clarifying Responsibilities – Managed Cloud Services

In the race to embrace the cloud, many businesses took a leap too far and, as detailed in this RKON survey, wished they could go back and do it all again properly. Most mistakes were in the area of compute resource allocation, leading to higher-than-expected bills.

Using a managed cloud services provider is one way to avoid making the same mistake but it is important everybody is clear about their security responsibilities. For example, if you are connecting into a public cloud service such as AWS or Azure, their jurisdiction ends at the edge node where your network connects into theirs. You are also responsible for configuring your cloud IT services. LA County's recent 2-1-1 breach was due to an AWS S3 bucket being erroneously set to public.

Who Configured the Firewall? – Managed Network Infrastructure

There can be a fair bit of overlap between managed cloud services and managed network infrastructure, especially when it comes to hybrid architectures which are half on-site and half in the cloud. 

Managed network infrastructure usually includes services such as load balancing and configuring firewalls and intrusion detection and prevention software (IDPS). It is clearly important that your firewalls and edge devices are configured correctly, so make sure someone with the requisite knowledge is involved from your end as a safety net.

Security should be seen as an integral part of your network infrastructure rather than something bolted on at the ends.

Is the Security Helpdesk Secure?

Outsourcing security as part of an IT support package is often a wise move. After all, the technical expertise and security tools available to a managed helpdesk will be beyond that of most small or medium-sized enterprises.

However, handing over any access to your systems should always be done cautiously. Business owners should do their due diligence and find out what methods are in place to manage access to sensitive data and restrict permissions to a 'need to know' basis. Are agents able to see passwords and gain control of a company's systems? Are communications encrypted? Are there physical protections in place (e.g. CCTV and monitoring alarms) to prevent unauthorized access to data?

Can your Backups be Trusted? – Managed Data Backup

Managed backup services give businesses the peace of mind of knowing that their important data is being replicated across different states and sometimes countries, ready to be recalled in the event of an IT disaster.

However, the other side of that coin is the increase in potential attack surface as that sensitive data becomes available in multiple locations. Business owners should satisfy themselves that sensitive data will be securely encrypted both in storage and in transit.

Listening in with JavaScript – Managed VoIP Services

Finally, managed VoIP services can be at risk, especially if VoIP devices are left with their default passwords or with no security whatsoever. A UK-based researcher identified flaws in certain Cisco and Snom products that would allow hackers to intercept calls using only a few lines of JavaScript. The vulnerability could also enable the hacker to switch on microphones or re-route calls.

Of course, the huge convenience and cost-saving benefits inherent in the MSP model shouldn't be thrown out due to a few scare stories. Business owners just need to be aware that responsibility for security can never truly be outsourced.

About the Author:

Brent Whitfield is the CEO of DCG Technical Solutions Inc. DCG provides the specialist advice and Los Angeles IT support businesses need to remain competitive and productive, while being sensitive to limited IT budgets. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. The IT services provider (https://www.dcgla.com) was recognized among the Top 10 Fastest Growing MSPs in North America by MSPmentor. Twitter: @DCGCloud

December 17, 2018


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.