This post is jointly authored by CTO Jason Viera and CIO/CSO Jason Albuquerque.
Recent ransomware attacks have highlighted concerns that managed service providers (MSPs) are an increasingly tempting target for hackers. It isn’t that companies like Carousel have more valuable data than anyone else, but with access privileges to multiple clients’ assets – their networks, software, unified communications infrastructure, data centers, Windows environments and servers (cloud or on-prem) storing their data – it’s little wonder an MSP looks like a one-stop shop to an attacker.
With that perspective in mind, several years ago Carousel took a hard look at how we engaged with our managed services clients. We knew that, even if a business has a strong defensive strategy, anyone trying to infiltrate their network only needs to be right once to be successful. As malware becomes cheaper and faster to deploy, attackers can more easily scale their efforts to find those weak spots and exploit them. The result is that the odds are stacked in the hackers’ favor. When it comes to cybersecurity, it’s not a matter of if your defenses will be circumvented, but when.
Our team saw several areas where we could fine-tune our practices and protocols to ensure we were helping our customers maintain the strongest cybersecurity posture possible. Using our internal expertise and technologies, we developed an approach that includes a mix of proactive and reactive capabilities. Because there’s no silver bullet in cybersecurity, our suite of services covers a range of prevention tools, such as endpoint security, network monitoring, and data segmentation. We have even helped our clients with cyber event recovery support. Building resilience against these types of attacks often begins with effectively testing business continuity and disaster recovery (BC/DR) plans to be sure your organization can return to normal operations quickly if you’re hit with ransomware or experience some other type of attack.
In addition to measures implemented at the customer level, we’ve taken the cybersecurity strategy at Carousel a step further by examining how we can ensure our access to clients’ systems doesn’t become a potential vulnerability. Looking at the traditional architecture underpinning the MSP-client connection, we realized that the use of persistent VPN tunnels, for example – long a mainstay in these types of service-driven relationships – is a threat vector. We identified additional risk areas related to many of the conventional practices around everything from securing access credentials to enabling administrative controls.
Rather than continue with the status quo, Carousel committed to improving the way we handle security in our role as an MSP. Among numerous other behind-the-scenes enhancements, we leveraged our in-house operations and service management technology and expertise to develop an abstraction layer that separates our systems from the assets within our clients’ environments, replacing traditional VPN access with a methodology that’s better secured against intrusion.
We also changed how our internal team members gain access to customers’ systems and information. Conventional wisdom says a password and a multi-factor authentication (MFA) token are usually sufficient to thwart intruders, but our protocols for remote access require additional unique identifiers that only our systems know. Even with a stolen or corrupted credential – a known attack vector in several highly publicized breaches – a hacker still doesn’t have everything needed to gain access through Carousel’s connections.
We also wanted our customers to have better insight into who is accessing their environments once a session is properly authorized. We now record every session to provide a full audit trail of activities. Clients can review every instance of access, from identifying which engineers gained entry to their systems right down to the keystrokes of a specific session. We record the who, the how, and the when, and our documentation also includes the details behind every credential that was authorized.
Because adverse cybersecurity events can have a crippling effect on your business, we encourage every enterprise to do its due diligence on any potential MSP. Knowing which technical skill sets they have is important, but don’t stop there. Research prospective partners’ architecture. Review their processes for managing your infrastructure. Put your vendor risk management hat on and look at how they perform their services. Dig into the details of their protocols and keep asking questions until you’re confident they take security as seriously as you do.
Simply put, an MSP could be yet another threat vector, so you may be missing important risk areas if you evaluate it only as a third-party provider. Instead, we recommend you hold your MSP to the same high standards you’ve established for your own organization.