MSPs & customer data: protection on and off site
A while back I did a quiz for the holiday season. Some folks enjoyed it and others not so much. In that quiz one of the questions was:
“What organization contractor was responsible for logging into an unsecured network, accidentally releasing the Slammer worm at a Nuclear Power plant?”
The correct answer was Davis-Besse.
This got me thinking about the MSP (Managed Service Provider) relationship with their customers and the chilling thought that the MSP might become the APT (Advanced Persistent Threat), leading to a potential wide-scale data breach. I say this because of two seemingly innocuous incidents, both executed by an MSP, that I was informed of:
- A project to refurbish computers from a health clinic
- A server upgrade at a law firm
MSPs need to put together procedures and policies when it comes to handling customer data and, believe me, customer data is everywhere. Whether it’s cached credentials for business and ecommerce websites, password lists or email .pst files, workstations and servers are full of customer data. Put simply, the almost day-to-day act of copying user files to portable media for a workstation refresh makes you a custodian of customer data.
The refurbish project was a big win for the MSP. Only three years old and leased with 2GB of RAM, these 12 Dell machines with Dual Core Intel processors had plenty of life in them. Considering the MSP made a little money taking them off premises and “wiping” the machines, it was clearly more profitable to refurbish them for not-for-profit customers than to recommend new machines for lighter users.
As a precaution against that awful call of “We’re missing a file that was on Chad’s old workstation, can you get us a copy?”, the machines were backed up to a large Network Attached Storage (NAS) box at the MSP’s office – at least the C:\Documents & Settings\User directories. Over the years, this particular MSP had amassed hundreds of thousands of records of customer information. Should someone grab the NAS and run, the consequences of a gigantic data breach loomed large. None of this backed-up data was encrypted. As an MSP, it makes good business sense to secure customer data as you would your own data – policies and procedures must be created.
The law firm server upgrade was flawless, with few application-related hiccups. Part of the process was to back up all the shared drives of the firm’s 15 staff and three partners. This was accomplished with a ubiquitous 3TB USB3 portable hard drive. The new server was installed and configured, and the data was all migrated back. Job well done, and bill sent to customer.
The next day, while reviewing the gear that had come back from the site, the question was raised: “Where is the 3TB USB portable hard drive that contains an entire copy of the law firm’s data, unencrypted?” Silence ensued, followed by a frenetic wave of search-related activity. The hard drive was found, backed up (now password protected and encrypted) and re-formatted for use next time.
As a result of both of these scenarios and the increasingly litigious environment when it comes to data breach, the MSP is a big target in the IT supply chain. It’s important to consider physical security for data that is not yours, and it’s likely that as an MSP you have several customers’ worth of data on your server and possibly on your portable media.
A regular small/medium size safe with keypad (and physical key backup) is useful for temporary storage of media that contains any sort of sensitive data. The safe does not have to be data certified: if the media melts in a fire, then the breach issue is solved and becomes the least of your worries.
Anything containing customer data that is no longer required should be wiped clean; unless extra precautions are required or legislated, a re-partition and format should be adequate. USB sticks should be erased after use. Portable media, or customer hard drives in the process of being backed up, should be in the safe until they can be wiped. Backups of any customer data on USB or portable media should be in the safe. Hard drives removed from customer equipment should be stored safely as well.
Also, this may be common sense, but a really good idea is to have stickers or tags on the portable media (or attached to the lanyard of USB sticks) that identify your company, carry contact information and even offer a reward for safe return.
In 2015, it’s time to phase out any media you’re using that does not have an encryption password on it. As an example (not an endorsement) the MSP is now looking at the WD My Passport 1TB Portable External Hard Drive Storage USB 3.0 – equipped with a WD Security utility to allow for password protection, and built-in hardware encryption for the drive to protect files from unauthorized use or access.
Complementing this is a Mac- and PC-compatible Kingston DataTraveler Locker G3 64GB USB 3.0 Flash Drive with two security features: Password protection, which allows users to set a password to prevent unauthorized access; and Intrusion Prevention, where the drive locks down and reformats after 10 invalid login attempts.
Providing great service to your customers includes being responsible for any of their data you might have. MSPs need to take reasonable precautions to ensure they are not the reason for a customer data breach.