With the operational complexities and regulations businesses face today, basic computer services and support may not be enough to allow them to keep pace with their competition. Myriad regulations and a multitude of other activities make it difficult for any contemporary organization to survive (let alone thrive) without people who can design and implement increasingly specialized systems…and keep them up and running. Of course, before the first piece of that IT infrastructure has even been identified, someone has to determine the company’s goals and build the guidelines that will help achieve those objectives.
Those are several of the roles solution providers should be involved in. Businesses need someone to be their architect, not just for system design but also to develop the policies and programs that must be in place to automate their processes. For example, before customer-related information and business-critical data can be safely and securely stored using a cloud backup solution, someone has to determine which files, records and other details need to be saved.
Priorities and protocols must be developed around the specific compliance issues and business needs of the organization. Information security specialists can provide that support, helping their customers compose effective policies with well-defined objectives for protecting their data. Working closely with the business management team, they develop the strategy for properly securing all files and information within the organization and recommend the best procedures and systems for each specific organization.
These are the types of services being offered by many of today’s most successful solution providers. By combining their information security experience with their other unique talents (e.g., consultation skills, business acumen), these IT organizations are capitalizing on a distinct customer need. Few businesses have their own in-house experts who can offer this type of comprehensive support, so those providers with the ability to identify their customers’ precise data protection requirements will have an edge over their competition.
Information security is not just a service but a differentiator that can improve renewal and new business opportunities for the properly prepared MSP. Some of the most valuable parts of these consulting and solution practices include:
Policy development. Each business needs a solid plan to ensure effective information security practices are followed, but someone has to build it. A good consultant starts with a full inventory of the organization’s information and current data systems and assesses each specific compliance and business need related to those files and documents. The policy must address each federal, state and local regulation that applies to the organization and specify the role of each employee in the protection schemes. These documents should provide clear guidance to the employees charged with performing each of the covered activities, and they must be updated continually and made available for any regulatory compliance audits.
It is vital that each security policy reflects the true procedures the organization follows, or the company will fail to meet the standard measures of compliance. If employees (especially the management team) fail to enforce a rule from the time of its inception, it will hold little merit and will become unenforceable. Regulators and attorneys will be quick to note the organization’s liability.
Comprehensive IT security suite. To properly protect onsite and offsite data, businesses need to implement an all-inclusive protection system. Antivirus and antispam offer a good first line of defense, with data encryption and firewall services providing that next level of protection. Password and key protection block access by unapproved individuals, while mobile device management and VPN applications offer secure but flexible solutions for any business.
With regard to the cloud, policies should be put in place to ensure data is encrypted before it leaves the customer’s facility using 256-bit AES encryption, the same standard adopted by banks and used by the U.S. government for top-secret documents. The encrypted data should be transmitted to the offsite data center via a secure Internet channel, and the customer’s data should be stored in a cloud data center that meets the criteria for SSAE (Statement on Standards for Attestation Engagements) 16 audit standards, which include security features such as 24/7 video and network monitoring, biometric-based access control, backup power supplies and redundant connections to the Internet.
One final step MSPs should be including as an added measure of protection for their customers is data integrity scanning. This is what gives IT service providers and their customers the peace of mind in knowing that should a customer’s data ever need to be restored, everything would turn out as promised.
Network assessment. How secure is the infrastructure being used for inputting and maintaining data? A review of an organization’s data/voice environment related to its current functionality, security and disaster recovery/business continuity capabilities is imperative. It gives providers the information they need to make enhancements, suggestions and design ideas around the right information-protection systems.
The network assessment also provides the information a solution provider needs to create data security policies and procedures, as well as determine the best backup plan, which should include a local and offsite (i.e. cloud) component. Snapshots of the customer’s data should be set at intervals aligned to the customer’s tolerance for data loss, which can range anywhere from 15 minutes to 8 hours.
No backup solution is complete without a data recovery plan. Solution providers should understand the processes and time required to perform a data restore locally as well as be prepared for a worst-case scenario data restore from the cloud. For customers with low tolerances for downtime, virtual machines should be considered as a means to more quickly restore customer data.
With a little preparation and planning, most MSPs can create their own data security consulting practice and help their customers create their own policies and procedures. That’s a service solution providers can build their businesses on and differentiate themselves from their competitors for years to come.
For more information on data security and the regulations covering data storage for banking institutions and securities firms, see the white paper, “FINRA Compliance with Data Storage, Retrieval and Security.”
Jay Bolgatz is vice president of Engineering at Intronis, a cloud-based backup and disaster recovery provider that works closely with VARs and MSPs. Monthly guest blogs such as this one are part of The VAR Guy's annual platinum sponsorship.