Not Just Firewalls And Anti-Virus: Data Security Requires Multi-Pronged Approach
Securing a customer's data requires a multi-pronged approach wherein success makes an MSP a hero but missing one little thing can result in disaster.
That's the word from Joshua Foltz, chief security and compliance officer at Axcient, a Mountain View, Calif.-based data protection and data compliance technology developer, who on Monday told MSPs attending this week's XChange 2019 conference that a narrow approach to security does not work.
When it comes to data security, it is crucial to understand who has access to the data, make sure data is not lost either to the wrong people or through a customer issue, and ensure data does not become corrupt, Foltz said.
[Related: From AI To Security: PCM's Stephen Moss On The Solution Provider's 2019 Initiatives]
"Security is far more than firewalls and anti-virus," he said.
There are three principles of security, which can be easily remembered by the acronym "CIA," Foltz said. They are confidentiality of the data to keep secrets secret, integrity of the data to make sure it doesn’t change outside the customer's control, and availability of the data to make sure the customer can access it as needed, he said.
A good data security system requires MSPs to be active during three critical time periods, Foltz said.
The first is during the pre-attack phase, where it is important to offer as thorough a regime of protection as possible, he said. "You not only have to be good at security, you have to be darn near perfect," he said.
This can be done with the aid of a framework such as one from the Center for Internet Security (CIS) or from the National Institute of Standards and Technology (NIST), Foltz said. Citing the CIS framework, he noted there are 20 items that a thorough security system should be able to mitigate before an attack occurs. "As long as you are doing all of these things, you're doing pretty good," he said.
However, he said, it is important to follow all the requirements of the framework. He noted that one of the requirements in the CIS framework—implementing a security awareness and training program—is probably the most overlooked item. "If you aren't training your customers, you have a big gap," he said.
The pre-attack part of security requires developing two key plans, Foltz said.
The first is a business continuity plan, which expands the idea of disaster recovery to include multiple aspects of recovering a business after an attack. A business continuity plan is typically a large, formal document with a lot of steps, he said.
The second is an incident response plan, which Foltz said should be very specific and very simple. "If you are in the middle of an attack, everyone is freaking out," he said.
During an attack, it is important that customers immediately go to their incident response plan, which should include calling the MSP and taking the affected devices offline, Foltz said.
During the attack phase, everything in theory should be normal because the customer should be following the incident response plan, he said. "And then you guys as MSPs are heroes," he said.
The third critical phase is the post-attack phase, Foltz said.
The first step is to resolve the issue as customers rarely know what happened. This might require working with a third-party team, Foltz said.
With a good plan, the attack likely resulted from a customer issue, and in this case the MSP should realize it is not his or her responsibility to clean up the mess. "It's not your job to clean up the mess. … There's only so much you're responsible for," he said.
The second step is to recover the data, including at the device layer, file layer, hypervisor layer and SaaS layer, Foltz said.
That is followed by the need to execute a breach report, which is increasingly more easy to do, he said. "Our industry today is pretty forgiving," he said.
Foltz did a good job of pointing out the key points of building and executing a complete data security plan, said Melvin Williams, director of business development at M&N Communications, a Blue Bell, Pa.-based MSP.
"He made it clear that it is important that the challenge to get to your customer's data has to be more expensive than the value of that data," Williams told CRN.
M&N has in the last year been transitioning from a consultant to an MSP, and learned that security is the best way to get a start in managed services, Williams said.
"Security is driving all the decisions," he said. "In an economy where data is king, the way data is being targeted is making it hard for executives to make sound decisions."