The United Kingdom National Cyber Security Centre (NCSC-UK) has published a warning to businesses about engaging with MSPs to manage their cloud services. They describe MSPs as a “third attack surface” to worry about.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently sent the warning across America and encouraged U.S. organizations using MSPs for administering cloud services to implement the NCSC-UK guidance.
The warning lists steps business owners should take before trusting their MSPs with “the keys to your kingdom.” It also repeats the five-country 2021 warning about MSPs that “outsourcing IT services provides both increased benefits and risk to an organization.”
In part, the NCSC-UK warning says, “Using an MSP is a security trade-off… the MSP’s own IT system can be a juicy target for attackers, given that they (and hence any successful attackers) can use that common system to log in to and manage their various customers’ cloud deployments.”
It goes on to talk about ways MSPs can secure access to their clients’ cloud services, but then says, “we’ve previously heard of companies not implementing this crucial control, so you should confirm this rather than assuming it.” In other words, organizations should verify the MSP’s security practices instead of believing their marketing.
Specifically, the NCSC-UK recommends businesses take the following steps to ensure that their MSPs can be trusted with their cloud management. This is what NCSC-UK (and CISA in the U.S.) are telling your prospects and customers:
- Ensure that the MSP’s cloud privileges are proportionate and minimized by the concept of least privilege to their tasks and contracts. Specifically, prevent the MSP from reading sensitive data and having root/global administrator access to your cloud.
- Ensure that your Security Operations Center (SOC) can tie the MSP’s activities to specific people’s accounts (i.e., that the MSPs are not using generic shared management accounts). While MSPs often use remote management tools that can track which tech or engineer is accessing a client’s cloud, the UK warning is telling end-user business owners that they should do the tracking.
- Ensure that the MSP staff uses multi-factor authentication (MFA) when they authenticate to your cloud’s admin interfaces, and only from a privileged workstation. That can be tough to manage across an MSP’s staff who may be working in multiple locations.
- Ensure that the MSP hasn’t outsourced the administration of your cloud service to another company that you don’t have a direct contract with, or ensure your contract requirements extend to the MSP’s suppliers. This can be a challenge to MSPs that outsource their helpdesk and back-end network management functions.
- Ensure your contract with an MSP requires them to inform you if they have a breach or if there are any breaches that happened in the MSP’s supply chain.
You should use the NCSC-UK warning as a roadmap to securing your services and contractually protecting your clients.
When something goes wrong it may be natural for your client to blame you if you are managing their cloud. But your role is limited, and dependent both on your client and their cloud service, neither of which you can control. Furthermore, you are dependent on your own third-party tool vendors whose clouds you use, and you can’t control them either.
Get ahead of the warning by building out your own Shared Responsibility Model showing the responsibilities you have for your clients’ cloud services security, what your clients’ responsibilities are, and what the cloud provider is responsible for. For example, what if there is an incident because your client failed to tell you that an employee or contractor should have had their access terminated? What if their cloud’s security fails? Are you liable?
You should incorporate these concepts into your contracts, limiting your liability only to things you can control.
You should also review your procedures and implement policies to share more information with your clients.
Recommendations like this warning and breach reporting laws are requiring more security and transparency when it comes to accessing client systems and clouds. Implement zero-trust concepts to your access to client resources. Offer to proactively provide your clients with the access logs your RMM tool generates when your staff accesses their resources, review the reports, and automatically send clients their reports each month.
Remember that you aren’t in this alone. Talk with your attorney to ensure your contracts meet your current needs. Whenever a client wants to change the terms of your contract, spend the money to get your lawyer’s advice. If your lawyer says no, then you need to decide how bad you want the revenue based on the risks you will incur. Also understand how your Errors and Omissions and cyber liability insurance policies cover you when managing a client’s cloud.
Trust in MSPs is being targeted. The more regulators and governments warn businesses about working with MSPs, the more you need to up your game and be willing to show that you are walking the walk, not just talking the talk. You must earn your client’s trust every day, even when they aren’t looking.
But clients also need to understand their roles and responsibilities, which they can’t just outsource.
MIKE SEMEL is a former MSP and founder of Semel Consulting, which provides advisory services to MSPs and end users for compliance, cybersecurity, and business continuity planning. He worked with CompTIA to develop its Security Trustmark Plus, and with RapidFire Tools to create Compliance Manager GRC.
