Cloud App Security: Advising Your Clients on Application Usage

These days, businesses increasingly rely on cloud services for day-to-day operations. While some infrastructure remains in-house, businesses frequently use cloud services because they’re convenient and often cheaper. Cloud computing in general is secure. However, individual cloud services often have flaws and vulnerabilities—and each service your client adds to the roster increases their security risks.

With this shift toward the cloud, the role of MSPs has changed from pure providers and vendors to advisors. While you’ll always need to monitor and maintain your customers’ systems, you now need to play a role in helping them make smart technology decisions, including which applications present potential risks. So when a customer calls and they want to switch to a local software vendor for their customer resource management (CRM) solution, how should you advise them?

Advising your client

Before you begin, it’s worth making sure you and your customer are on the same page about what constitutes a cloud service. When people think of cloud services, typically the major players like Microsoft Office 365, Salesforce, or NetSuite come to mind. However, anything you provide credentials to must be vetted. I want to present a high-level process you can use to audit the services a customer uses; you can also use this process any time customers want to add a new app into the mix.

Step one—criticality: First, divide applications between two categories: mission-critical and nice-to-have. Breaking them into tiers lets you make critical decisions later. If you determine a nice-to-have application is risky, you can make a strong argument to the customer for dropping the application. If a mission-critical app carries a similar risk, you can take additional security precautions or suggest replacement applications for the main app.

Step two—risk factors: Next, determine how risky each service is across a few dimensions. Here are some starting points:

  • Size: In general, larger, established companies will have more resources than smaller ones. A local CRM provider that just launched will likely be a larger risk than an established behemoth like Salesforce or even a smaller provider who’s been in the game for a few years. Smaller companies may not have the right protocols in place, and they may also lack the capacity for proper response after an incident. You can check this information out by doing research on the company—but to some extent, even a bit of intuition can go a long way. For instance, if a company’s website seems sketchy, they likely won’t invest much in their security either. Another benefit of a larger, more established company is that when they’re breached, that breach gets headlines. You can get a better sense of how they respond, and assume they have skin in the game.
  • Security and trust centers: Many software providers have portions of their websites dedicated to security and privacy. It’s a good sign if a company has a trust center that describes their security, development, and data handling practices. If your customers are in regulated industries, check if the vendor is certified. However, even if you don’t have to worry about regulations, vendors that demonstrate certifications for frameworks like NIST, ISO, or FIPS will likely be lower risk than those that don’t.
  • Prior breaches: If a company shows up in the headlines for being breached, this shouldn’t disqualify the vendor. In fact, this gives you additional data on the vendor and how well they responded to the incident. You should check to see if they were transparent with customers and timely in their responses. For instance, if people on Reddit spent days waiting for a resolution, that should tell you something about their responsiveness. At a minimum, for critical services, check the vendors’ press statements around the incident. You want to find out what happened, how fast they responded, and—most importantly—what they’ll do to avoid similar breaches in the future.

Step three—recommendation: Finally, make a recommendation to your customers. If a service is mission critical, but their security seems spotty, consider offering alternative recommendations. This also gives you the opportunity to clock additional hours on a migration project if required. However, in the end, make sure the decision remains in your customers’ hands.

Keeping customers safe in the cloud: These days, MSPs need to play the role of trusted advisors for customers. While monitoring and protecting devices and networks still tops the list of MSP duties, MSPs should also help customers avoid the security challenges that come from choosing the wrong cloud application. Your customers rely on your expertise to make sound strategic decisions for their businesses—so make sure to follow some of the tips I mentioned above. You could greatly reduce your customers’ risks in the long run.

Regardless of vendor, staying safe in the cloud requires employees to use strong password practices. Often, all it takes is one username and password combination falling into the wrong hands to cause a serious data breach. That’s why it’s essential to use a strong password manager. SolarWinds® Passportal is purpose-built for MSPs to help technicians generate strong passwords while offering one-click access to services. On top of that, SolarWinds Passportal Site allows you to offer password management as a service to your customers, helping them stay safe with their cloud applications and offering you additional revenue. Learn more today by visiting passportalmsp.com
