MSPS HAVE PLENTY of cloud-based options for RMM systems, but many still prefer to run them on-premise. However, doing so can pose significant cyber risks if providers fail to properly follow secure best practices, possibly exposing themselves and their customers.
The supply chain attack on MSPs running Kaseya Virtual System Administrator (VSA) in July 2021 was a wake-up call for those with on-premise RMM platforms. The ransomware attack affected up to 1,500 downstream users and forced a weeklong shutdown of a supermarket chain in Norway.
It was the largest in a series of attacks on MSPs. Threat actors often target MSPs and other software providers to maximize the impact of their actions. “Bad actors are constantly attacking MSPs as they know that they can go through them to infiltrate the MSP’s clients and their data,” says Bill Campbell, CEO of MSP Balancelogic, based in Waldorf, Md.
Bill Campbell
The Kaseya incident doesn’t prove that on-premise RMM platforms are inherently less secure than cloud-based systems, however. Campbell argues that proper security comes down to three factors: the MSP’s talent, the team’s experience, and the RMM platform itself.
“With on-prem systems, there is a lot more complexity, and sometimes more hands touch the setup and deployment, so there is much more room for error. Now, if we are talking about a SaaS product, this will take away some of the user error vs. just configuring and deploying the RMM in the MSP’s cloud provider, such as AWS,” Campbell says.
Anthony Polselli, CEO of San Diego-based Natural Networks, believes that factors such as a provider’s maturity, resources, and knowledge of the client base determine whether running RMM on-premise increases risk.
“There are a lot of smaller MSPs out there that don’t have the resources available to dedicate to security.” This, he says, likely makes them more vulnerable if they choose to run RMM on-premise instead of using cloud-based software. For those lacking the security know-how, Polselli says, the cloud is a better option. “If it’s not your skillset, let somebody else do it.”
Security Best Practices
“As an MSP, we have the ultimate responsibility to make sure our clients are secure and their data is protected,” Campbell says. With that in mind, he recommends that MSPs perform continuous vulnerability scanning and penetration testing on their networks. If providers skip these practices, they may think their environments are secure when they are not, he says.
A common issue that leads to breaches is failing to patch on-prem systems in a timely manner. Regular patching is among a comprehensive set of measures the U.S. Cybersecurity and Infrastructure Agency (CISA) recommends to fend off supply chain attacks.
Anthony Polselli
Polselli is a proponent of patching, strong passwords, and two-factor authentication. He also strongly recommends geofencing to prevent attacks from threat actors in countries where an MSP has no clients. In countries and regions where clients are present, MSPs should make their RMM visible to only their clients’ specific IP addresses, he says.
When loading new scripts, MSPs should require approval by two managers to avoid errors, Polselli advises. Other controls such as inactivity timeout also should be in place, he says. If a technician walks away from the RMM console without logging off, the system should be programmed to time out after a short period.
Picking the RMM platform that best suits an individual MSP is critical, says Campbell. This could mean having automation capabilities to complement in-house expertise. It could also mean providing a client portal so customers can view and manage helpdesk tickets.
“There are some features that are ‘must haves’—solid remote connection to client devices, confirmation of patches queued and installed, remote sessions logged when connecting to clients’ endpoints, and strong authentication,” he says.
Continuous Learning
To maximize their security posture, MSPs need to keep current on threats and defense methods by joining peer groups and forums and attending security events, says Polselli. When it comes to proper security, he argues, nothing is more important than knowledge.
PEDRO PEREIRA is a New Hampshire-based freelance writer who has covered the IT channel for two decades.
Image: iStock
