As an MSP, you have been long aware that your clients need to increase and standardize their IT security defenses to decrease the risk of cyberattacks and possible regulatory fines. However, did you know that new regulations could extend this risk to your own business?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which starts to roll out in 2017 and goes into full effect in May 2018, expands the organizations deemed responsible for the protection of consumer date from data controllers (aka data owners) to any company or individual that processes this data―including third parties no matter where in the world they are located. (Late October, Karen Bradley, UK secretary of state stated that the UK will “opt into the GDPR” resolving confusion on how Brexit could impact GDPR in the immediate term.)
This means, as ComputerWorld observed, that “anyone who touches or has access to [a company’s] data, wherever they are based, is responsible in the case of a data breach…Third parties will need to be extra vigilant when it comes to securing the data of others, and data owners will want to thoroughly vet their partners.”
Clearly the GDPR impacts EU-based MSPs and cloud service providers most immediately. However, every MSP should take this as an opportunity to reassess how they secure their clients’ data. It’s no longer sufficient to offer piecemeal security offerings―some AV there, a bit of patching here, and backup processes that inconsistently followed.
Today’s security threats―and the constantly changing compliance regulations―require a consistent and layered security approach. As an MSP, you can leverage this layered approach to both offer holistic security services to your customers, as well as protect your own business from increasingly onerous regulatory fines.
Better Protection through Layered Security
Even better, taking a more inclusive approach can―with the right technology solutions and automation―improve security while freeing up time and resources for other projects. What is included in this layered approach for an MSP?
- Full 360O visibility. You can’t manage what you can’t see. You need a solution that easily and continually discovers all devices on your network and your customers’ networks, including servers, laptops, kiosks, mobile devices, scanners, and peripherals. It also needs to constantly collect real-time status on all operating details for these devices to keep systems up to date.
- Consistent anti-virus and anti-malware (AV/AM). Once all devices are visible, you need to ensure that they are protected with AV/AM software. Installing is just the beginning―you need to update systems to ensure they are always running the latest versions. So get a solution that makes this easy and automatic.
- Keeping patches current. All devices need to be up-to-date on Microsoft and other 3rd-party patches. Patches and updates can be tested centrally then pushed out to all machines or select groups once they are proven safe. Again, with the right type of automation, you can be confident that all patch updates are successful―and that you’ll get an alert if they aren’t.
- Policy-based configurations. Look for solutions that enable multiple sets of policies to be applied automatically based on any set of groupings you want―by customer, device type, user role, or even location type―and that can check that each device is in compliance with its assigned policies. This way, you can standardize and update all infrastructure under your care with confidence. Of course, doing this successfully depends on powerful and flexible automation to keep up with multiple policies and update many devices by simply changing a policy once.
- Regular, routine backup and recovery. Routine, reliable (and encrypted) backup and recovery is a vital component of any complete layered security approach. In addition, complete and regular backups are also a defense against CryptoLocker and other ransomware attacks.
- Complete Identity and Access Management (IAM). You already know you can’t use vendor-supplied defaults for system passwords. IAM takes this further by including multi-factor authentication (MFA), which is also a PCI DSS requirement. IAM also includes centralized credential management, policy-based rules, and Single Sign On for end users (including partners―remember how Target was breached!) to keep internal systems and customer systems protected.
- Policy-based access. You need to be able to create as many policies about access as for device configurations. With these policies in place, you can quickly and completely delimit access to systems and data based on staff’s functionality and job requirements. In addition, you can create policies to require password changes after so many days and/or lockout rules after so many failed login attempts. Location-based rules would control when and where users can sign in―limiting user access, for example, by location such as building, city, country, etc. This can protect against unverified users accessing systems and POS devices.
- Deprovisioning users. Statistically, admins enable more users than they disable. While outside attacks lead the list of retail breaches, it’s only prudent to make sure you have a way to quickly and completely deprovision a user―whether employee, sysadmin, customer or partner―from any and all systems under your care.
- Alerts on usage patterns. You need to be alerted of any potential security breach beyond viruses and malware, including unusual patterns of user behavior or access or suspicious spikes in bandwidth utilization.
- App blocking. Disallowing certain apps―say peer-to-peer apps or Flash―can help keep systems clean and running strong. This also provides another security dimensions since apps that are more vulnerable can be blacklisted to prevent users from installing and inadvertently creating an enticing entry point for hackers.
- Web filtering. Blocking websites sites known to host spyware, viruses or malware limits vectors of attack opened by unwitting users. Filtering is usually accomplished through many tactics, including a database of black-listed websites, policy-based content filtering, and scanning and inspecting SSL-encrypted traffic.
- Real-time tracking alerts. If a device, laptop or even server idea leaves a customer’s building, you should know instantly where it is once it’s back online.
- Securing/destroying data. Once you know a device has gone out of corporate control, you need to be able to ensure the data on the system is not accessible to malicious players. You need the ability to remotely disable the device, encrypt the data, or even destroy the OS on that device.
If you’re interested in learning how Kaseya VSA and Kaseya AuthAnvil can enable you to implement an inclusive layered security approach, download our “Automation Cheat Sheet: IT Compliance, Audits and Security.”