As the one-year anniversary of the SolarWinds Orion breach and the six-month anniversary of the Kaseya VSA breach both approach and a year filled with seemingly endless reports of high-profile ransomware attacks and vulnerable print spoolers draws toward a close, faith in the integrity of the tools MSPs rely on to serve and secure customers is arguably at an all-time low.
“We’re in a situation where MSPs don’t know which vendors to trust, because they don’t know whose stuff is secure,” says Ryan Weeks, Datto’s chief information security officer.
Indeed, data published last week by Acronis in partnership with ChannelPro showed that 53% of MSPs don’t fully trust the vendors they work with to secure end users. Worse yet, 49% don’t completely trust their own ability to keep customers safe.
According to Weeks, overcoming that “crisis in confidence” (an echo of words he used during a keynote presentation at the 2021 DattoCon partner event last month) is a shared responsibility.
“If you look at all of these attacks, how they’re being facilitated, the attackers are not leveraging incredibly advanced tactics,” he says. “It’s simple stuff. And so the more that we do simple things well consistently, the stronger we’re going to become as a community.”
For MSPs, that means embracing the basics of cybersecurity hygiene like keeping software patched, employing multifactor authentication, and closing up firewall ports. More specifically, Weeks urges channel pros to implement all 56 controls in the Center for Internet Security’s implementation group 1.
“That’s one thing every—and I mean every single—MSP should be doing,” he says. “If every MSP did that and did it well, the rate of adverse security outcomes in the channel would dramatically decrease.”
As for RMM vendors like Datto, he continues, their responsibility is to get much more rigorous about locking down their software. “We need to demonstrate a very high level of competency in how we secure the RMM.”
“Demonstrate” is the key word in that statement. Saying that you’ve implemented the NIST cybersecurity framework or its equivalent is one thing, but proving through independent verification that you’re implementing best practices for software security, Weeks believes, is essential to regaining the channel’s confidence.
With that goal in mind, Datto opted in 2019 to begin implementing the Business Security in Maturity Model, or BSIMM, a set of practices based on input from dozens of financial institutions, healthcare providers, software developers, and other businesses meant to define best practices for application security. Participating companies work to achieve level one (baseline), level two (mature), or level three (advanced) competence in up to 121 specific risk-reduction activities like penetration testing and developer training that are grouped into 12 categories.
“It’s our opinion that companies that take software security seriously have achieved at least a level two in all 12 of the focus areas of the BSIMM framework,” Weeks says, adding that Datto reached that milestone earlier this year after 18 months of effort.
The rankings, moreover, continually evolve as BSIMM participants learn more about risks and countermeasures. “The framework changes every year,” Weeks says. “We’re not measuring ourselves against a static thing.”
Beyond its rigor, though, what appealed most to Datto about the BSIMM framework is that compliance with its guidelines must be audited by an outside third party.
“This is a way that you can both prove your commitment and demonstrate through independent verification that you take this seriously,” Weeks says. “It’s a way that we can ease the concerns of MSPs, but also raise the bar for software security in the channel as a whole.”
BSIMM participants must be reassessed every two years, so Datto’s next evaluation will take place in 2023. “In the intervening time, we’re going to continue to increase the number and maturity of the activities that we conduct to really build out a world-class software security program,” Weeks says.
World-class perhaps, but not foolproof. “This is not a promise that nothing bad will ever happen,” Weeks concedes. “What it does is it dramatically reduces the likelihood that that will happen.”
It also, he adds, gives MSPs a concrete standard to measure vendors against. “Every single MSP should be demanding to have a conversation with their vendors about what type of maturity framework they’re following to ensure the safety of that software.”
Datto, of course, is far from alone in training more attention on product security. Kaseya, for example, is spending “millions and millions” extra on penetration testing and other measures. ConnectWise launched a similar initiative early last year following media reports about vulnerabilities in its remote access solution, and is likely to have more to say on the topic at its IT Nation Connect event in Orlando next week.
Datto intends to make further progress against BSIMM in the future as well. “This is just the first stop for us,” Weeks says.