IT and Business Insights for SMB Solution Providers

UK Government Warns That MSPs Are an Attack Surface

Use the NCSC-UK warning about working with MSPs as a roadmap to securing your services and contractually protecting your clients.

The United Kingdom National Cyber Security Centre (NCSC-UK) has published a warning to businesses about engaging with MSPs to manage their cloud services. They describe MSPs as a “third attack surface” to worry about.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently sent the warning across America and encouraged U.S. organizations using MSPs for administering cloud services to implement the NCSC-UK guidance.

The warning lists steps business owners should take before trusting their MSPs with “the keys to your kingdom.” It also repeats the five-country 2021 warning about MSPs that “outsourcing IT services provides both increased benefits and risk to an organization.”

In part, the NCSC-UK warning says, “Using an MSP is a security trade-off… the MSP’s own IT system can be a juicy target for attackers, given that they (and hence any successful attackers) can use that common system to log in to and manage their various customers' cloud deployments.”

It goes on to talk about ways MSPs can secure access to their clients’ cloud services, but then says, “we've previously heard of companies not implementing this crucial control, so you should confirm this rather than assuming it.” In other words, organizations should verify the MSP’s security practices instead of believing their marketing.

Specifically, the NCSC-UK recommends businesses take the following steps to ensure that their MSPs can be trusted with their cloud management. This is what NCSC-UK (and CISA in the U.S.) are telling your prospects and customers:

  1. Ensure that the MSP’s cloud privileges are proportionate to their tasks and contracts and minimized according to the principle of least privilege. Specifically, prevent the MSP from reading sensitive data and from having root/global administrator access to your cloud.
  2. Ensure that your Security Operations Center (SOC) can tie the MSP’s activities to specific people’s accounts (i.e., that the MSPs are not using generic shared management accounts). While MSPs often use remote management tools that can track which tech or engineer is accessing a client’s cloud, the UK warning is telling end-user business owners that they should do the tracking.
  3. Ensure that the MSP staff uses multi-factor authentication (MFA) when they authenticate to your cloud’s admin interfaces, and only from a privileged workstation. That can be tough to manage across an MSP’s staff who may be working in multiple locations.
  4. Ensure that the MSP hasn’t outsourced the administration of your cloud service to another company that you don’t have a direct contract with, or ensure your contract requirements extend to the MSP’s suppliers. This can be a challenge to MSPs that outsource their helpdesk and back-end network management functions.
  5. Ensure your contract with an MSP requires them to inform you if they have a breach or if there are any breaches that happened in the MSP’s supply chain.
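The first three controls above are the ones a SOC can check from its own sign-in and role-assignment records. The following audit routine is an added example, not code from the article or from NCSC-UK; the event layout, account names, role names and workstation names are all constructed placeholders.

```python
"""Audit an MSP's delegated cloud access against the three technical
NCSC-UK controls: least privilege, attributable (non-shared) accounts,
and MFA from a privileged workstation. Added example; the record
layout and every sample value below are constructed."""
from dataclasses import dataclass

# Constructed roster: named MSP engineers allowed to administer this tenant.
MSP_STAFF = {"alice@msp.example", "bob@msp.example"}
# Constructed allow-list of the MSP's hardened admin workstations.
PRIVILEGED_WORKSTATIONS = {"PAW-01", "PAW-02"}
# Roles the guidance says an MSP should not hold: root / global administrator.
OVER_PRIVILEGED_ROLES = {"GlobalAdministrator", "root", "Owner"}


@dataclass(frozen=True)
class AdminEvent:
    """One administrative sign-in, as a SOC might export it (constructed)."""
    account: str
    role: str
    mfa: bool
    device: str


def audit_event(ev: AdminEvent) -> list[str]:
    """Return the control failures for one event (empty list == compliant)."""
    findings = []
    if ev.account not in MSP_STAFF:
        # Generic or unknown account: activity cannot be tied to a person.
        findings.append("not attributable to a named MSP engineer")
    if ev.role in OVER_PRIVILEGED_ROLES:
        findings.append(f"over-privileged role {ev.role}")
    if not ev.mfa:
        findings.append("no MFA")
    if ev.device not in PRIVILEGED_WORKSTATIONS:
        findings.append(f"sign-in from non-privileged device {ev.device}")
    return findings


def audit(events) -> dict:
    """Map each non-compliant event to its list of findings."""
    return {ev: f for ev in events if (f := audit_event(ev))}


# Constructed sample export: one compliant sign-in, two that fail controls.
SAMPLE = [
    AdminEvent("alice@msp.example", "ExchangeAdministrator", True, "PAW-01"),
    AdminEvent("msp-admin@msp.example", "GlobalAdministrator", False, "LAPTOP-7"),
    AdminEvent("bob@msp.example", "UserAdministrator", True, "HOME-PC"),
]

if __name__ == "__main__":
    for ev, findings in audit(SAMPLE).items():
        print(ev.account, "->", "; ".join(findings))
```

Feeding real sign-in exports into the same checks turns the NCSC-UK checklist into a repeatable access review rather than a one-time contractual promise.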

You should use the NCSC-UK warning as a roadmap to securing your services and contractually protecting your clients.

When something goes wrong, it may be natural for your client to blame you if you are managing their cloud. But your role is limited, and dependent both on your client and on their cloud service, neither of which you can control. Furthermore, you are dependent on your own third-party tool vendors whose clouds you use, and you can’t control them either.

About the Author


MIKE SEMEL is a former MSP and founder of Semel Consulting, which provides advisory services to MSPs and end users for compliance, cybersecurity, and business continuity planning. He worked with CompTIA to develop its Security Trustmark Plus, and with RapidFire Tools to create Compliance Manager GRC.