This article is based on a panel discussion at ChannelPro’s December 2020 Cloud and Managed Services Online Summit.
PROTECTING SOFTWARE-AS-A-SERVICE and infrastructure-as-a-service workloads in multiple clouds is more difficult and more in demand than on-premises security. That’s the bad news. The good news is it’s more lucrative too.
Channel pros who want to capitalize on this opportunity while protecting their customers’ businesses need to adopt best practices, recognize that new tools and techniques will be necessary, and choose their cloud service providers (CSPs) wisely.
Why Cloud Security Is Hard
Cloud computing has been on the rise, but the coronavirus pandemic and the need to spin up and support remote workforces has turbocharged adoption. IDC expects the global market for cloud services, software, and hardware to exceed $1 trillion annually by 2024, with a compound annual growth rate of 15.7%. Unless properly protected, all those cloud-based applications, servers, and storage repositories will continue to be a massive target for attackers.
It’s imperative, then, that managed service providers embrace and excel at cloud security. There are several challenges, however. For one, the potential threats MSPs face in a cloud environment aren’t necessarily the ones that they’re used to dealing with in an on-premises environment, so different skills, techniques, and tools are required.
The tools channel pros are accustomed to implementing “are designed to work in environments that we control,” says Michael Cocanower, CEO of itSynergy, a Phoenix-based MSP. The challenge now is securing customers in an environment the MSP doesn’t control, he explains.
MSPs need to adjust in two ways, Cocanower says. First is examining whether their current tools support integration with cloud platforms. “A lot of the tool vendors … have started to enable new functionality in their tools that allows you to hook into the cloud environments and plug those into your existing management infrastructure.”
Second, he says, MSPs need to get up to speed on the security tools that cloud providers like Amazon and Microsoft offer and learn how to “tweak those … so that they’re optimally configured to secure our customers’ environments.”
Another challenge is getting buy-in from customers on a shared security model. “A lot of folks believe that if they put their application, their work process, [their] data up in the almighty cloud, that someone else is going to take care of the security,” says Michael O’Hara, owner and principal consultant of Sparta, N.J.-based MEDSEC Privacy Consulting. He calls that belief “the threat of misunderstanding.”
In actuality, cloud security is a shared responsibility, stresses Angela Davis Dogan, founder and CEO of Davis Dogan Advisory Services, a risk management consultancy in the Greenville, S.C. area. “There’s certain security measures that need to take place on the client side. There’s certain security measures that the client needs to make sure are in place on the cloud side. And then the cloud side needs to execute and make sure that those security measures are in place and that they’re proactively ensuring security exists in their environment.”
MSPs, therefore, must understand the cloud provider’s security model and what they may need to implement to protect their clients. O’Hara suggests asking cloud providers for their “matrix of responsibilities” document, which should outline what the CSP and the tenant client are responsible for.
Best Practices to Get Cloud Security Right
MSPs should have their own well-documented security policies and procedures in place, of course, and convey those to cloud providers so that expectations are clear. “That’s where that matrix [of responsibilities] comes in, because you want to make sure that your outsourced cloud provider is living up to, if you will, the same security standards that you require internally,” Davis Dogan advises.
Along with the CSP, customers too must adhere to a security baseline that includes policies for access control, firewall rules, backup methodologies, and so on. O’Hara says this can be an opportunity for MSPs. “You can help your customer write those policies and procedures so that they have that baseline security,” he says, adding that once those policies are in place they should be audited. “Security is not a set-it-and-forget-it proposition.”
Enforcement of customer adherence to policies should be in every MSP’s contract, according to Davis Dogan. “The contract gives you the backing to be able to have the enforcement practices, to ensure that your security policies and standards that you’ve set forth are being adhered to,” she says.
Cocanower adds that adherence is particularly important if the MSP’s customer is in a regulated industry such as financial services or healthcare. “If you’re a federally regulated entity, that’s one of the first things that an inspector is going to look at is when the … Office of Compliance Inspections and Examinations [renamed by the SEC in December to the Division of Examinations] comes in to audit a financial adviser. Yes, they’re going to ask for copies of all your policies, but when we see letters of corrections or deficiencies from these inspections, one of the biggest sources that they say [is], ‘Yeah, your policies are beautiful. You’re not following them. So it doesn’t matter. It doesn’t count.’”
MSPs may need to adjust contracts in further ways if they’re providing cloud security, Cocanower notes. With an all-you-can-eat model for a fixed monthly fee, for instance, he believes MSPs “dramatically underestimate” the amount of risk they’re taking on. “And I truly question whether they are pricing those agreements appropriately to compensate them.”
Choosing Cloud Vendors
If implementing, enforcing, and staying up to date with cloud security sounds daunting, Davis Dogan recommends adopting a framework such as the NIST Cybersecurity Framework, ISO 27001 and 27002, or the Cloud Security Alliance Cloud Controls Matrix (CCM). Following a framework can also help in choosing secure cloud vendors, she says. CCM, for instance, includes the Consensus Assessments Initiative Questionnaire (CAIQ). “CAIQ gives you the questions that you should ask.”
This line of questioning is particularly important when evaluating smaller cloud providers, Cocanower notes. While it’s probably safe to assume that big public providers like Microsoft, Amazon, and IBM “have their ducks in a row … you really need to dig in if it’s somebody you haven’t heard of before, or if it’s a small line-of-business application vendor who’s just moved to the cloud in order to stay relevant,” he says.
Remember that the cloud is really just “a server farm somewhere that somebody is running,” O’Hara adds, and how sophisticated that server farm is and what safeguards are in place will vary.
The bottom line is security is never simple, O’Hara says, but if MSPs “start with the foundational policies and procedures and contracts, and make sure that you’re constantly challenging your conceptions of security, you’re off to a great start.”