As an MSP, you have been long aware that your clients need to increase and standardize their IT security defenses to decrease the risk of cyber attacks and possible regulatory fines. However, did you know that new regulations could extend this risk to your own business?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which starts to roll out in 2017 and goes into full effect in May 2018, expands the organizations deemed responsible for the protection of consumer date from data controllers (a.k.a. data owners) to any company or individual that processes this data―including third parties no matter where in the world they are located. (In late October, Karen Bradley, U.K. secretary of state, stated that the United Kingdom will “opt into the GDPR,” resolving confusion on how Brexit could impact GDPR in the immediate term.)
This means, as ComputerWorld observed, that “anyone who touches or has access to [a company’s] data, wherever they are based, is responsible in the case of a data breach …Third parties will need to be extra vigilant when it comes to securing the data of others, and data owners will want to thoroughly vet their partners.”
Clearly the GDPR impacts EU-based MSPs and cloud service providers most immediately. However, every MSP should take this as an opportunity to reassess how it secures client data. It’s no longer sufficient to offer piecemeal security offerings―some AV there, a bit of patching here, and backup processes that inconsistently followed.
Today’s security threats―and the constantly changing compliance regulations―require a consistent and layered security approach. As an MSP, you can leverage this layered approach to both offer holistic security services to your customers, as well as protect your own business from increasingly onerous regulatory fines.
Better Protection through Layered Security
Even better, taking a more inclusive approach can―with the right technology solutions and automation―improve security while freeing up time and resources for other projects. What is included in this layered approach for an MSP?
- Full 360O visibility. You can’t manage what you can’t see. You need a solution that easily and continually discovers all devices on your network and your customers’ networks, including servers, laptops, kiosks, mobile devices, scanners and peripherals. It also needs to constantly collect real-time status on all operating details for these devices to keep systems up to date.
- Consistent anti-virus and anti-malware (AV/AM). Once all devices are visible, you need to ensure that they are protected with AV/AM software. Installing is just the beginning―you need to update systems to ensure they are always running the latest versions. So get a solution that makes this easy and automatic.
- Keeping patches current. All devices need to be up-to-date on Microsoft and other third-party patches. Patches and updates can be tested centrally then pushed out to all machines or select groups once they are proven safe. Again, with the right type of automation, you can be confident that all patch updates are successful―and that you’ll get an alert if they aren’t.
- Policy-based configurations. Look for solutions that enable multiple sets of policies to be applied automatically based on any set of groupings you want―by customer, device type, user role or even location type―and that can check that each device is in compliance with its assigned policies. This way, you can standardize and update all infrastructure under your care with confidence. Of course, doing this successfully depends on powerful and flexible automation to keep up with multiple policies and update many devices by simply changing a policy once.
- Regular, routine backup and recovery. Routine, reliable (and encrypted) backup and recovery is a vital component of any complete layered security approach. In addition, complete and regular backups are also a defense against CryptoLocker and other ransomware attacks.
- Complete Identity and Access Management (IAM). You already know you can’t use vendor-supplied defaults for system passwords. IAM takes this further by including multi-factor authentication (MFA), which is also a PCI DSS requirement. IAM also includes centralized credential management, policy-based rules and Single Sign On for end users (including partners―remember how Target was breached!) to keep internal systems and customer systems protected.
- Policy-based access. You need to be able to create as many policies about access as for device configurations. With these policies in place, you can quickly and completely delimit access to systems and data based on staff’s functionality and job requirements. In addition, you can create policies to require password changes after so many days and/or lockout rules after so many failed login attempts. Location-based rules would control when and where users can sign in―limiting user access, for example, by location such as building, city, country, etc. This can protect against unverified users accessing systems and POS devices.
- Deprovisioning users. Statistically, admins enable more users than they disable. While outside attacks lead the list of retail breaches, it’s only prudent to make sure you have a way to quickly and completely deprovision a user―whether employee, sysadmin, customer or partner―from any and all systems under your care.
- Alerts on usage patterns. You need to be alerted of any potential security breach beyond viruses and malware, including unusual patterns of user behavior or access or suspicious spikes in bandwidth utilization.
- App blocking. Disallowing certain apps―say, peer-to-peer apps or Flash―can help keep systems clean and running strong. This also provides another security dimensions since apps that are more vulnerable can be blacklisted to prevent users from installing and inadvertently creating an enticing entry point for hackers.
- Web filtering. Blocking websites sites known to host spyware, viruses or malware limits vectors of attack opened by unwitting users. Filtering is usually accomplished through many tactics, including a database of black-listed websites, policy-based content filtering, and scanning and inspecting SSL-encrypted traffic.
- Real-time tracking alerts. If a device, laptop or even server idea leaves a customer’s building, you should know instantly where it is once it’s back online.
- Securing/destroying data. Once you know a device has gone out of corporate control, you need to be able to ensure the data on the system is not accessible to malicious players. You need the ability to remotely disable the device, encrypt the data or even destroy the OS on that device.
If you're interested in learning how Kaseya VSA and Kaseya AuthAnvil can enable you to implement an inclusive layered security approach, download our "Automation Cheat Sheet: IT Compliance, Audits and Security."
Joining Kaseya in 2012, Miguel Lopez brings over 20 years of experience to his role as SVP, Managed Service Providers (MSPs). In this position, he consults daily with MSPs to help them solve their clients’ business problems with technology solutions. Prior to joining Kaseya, Miguel served as the director of consulting services for All Covered, a nationwide technology services company that is a division of Konica Minolta Business Solutions USA Inc. In 2008, All Covered acquired NetCor Technologies, a leading MSP that Miguel founded and managed since 1997. NetCor specialized in serving highly regulated industries such as healthcare, CPAs, law firms and retail companies.
Guest blogs such as this one are published monthly and are part of MSPmentor's annual platinum sponsorship.