Risk Considerations When Selecting A Managed Service Provider

Considerations, best practices for defensive network architecture, and cybersecurity concerns when selecting a new MSP partner.

1. Least Privilege

Managed Service Providers (MSPs) and their sub-contractors should be granted only the rights needed to perform the work, and only for as long as the work requires. Your organization should review system-level access on a regular schedule and disable old or unused credentials. Periodically, a trusted member of your IT department or your MSP should confirm that each service account is still in use and holds no more access than its function requires.

Questions to ask:

  • How many accounts with elevated permissions will your team require or create, and who will have access to them?
  • How many service accounts will be created, and how will they be secured?

What is the risk associated with old accounts, or accounts with too much access?

  • Service accounts used for vulnerability scanning, or to connect applications to your Active Directory, often have a legitimate need for broad access. For the same reason they are a favoured target: they usually cannot use MFA, their passwords are rarely rotated, and their activity is seldom reviewed, so a compromised service account gives an attacker a quiet, privileged way into your network.
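An added example, not part of the original page, of the periodic review described in this section, written as a PowerShell script against Active Directory. It assumes the RSAT ActiveDirectory module, a session with read rights to the domain, and a naming convention in which MSP technician accounts start with "MSP-" (an assumption; adjust it to your own convention). It lists stale enabled accounts, expands privileged group membership, and flags MSP and service accounts that hold privileged membership.

```powershell
# Added example (not from the original page): an Active Directory review for the
# "least privilege" checks above. Assumes the RSAT ActiveDirectory module, a domain-
# joined admin session, and an assumed "MSP-" name prefix for MSP technician accounts.
Import-Module ActiveDirectory

$InactiveDays     = 90
$MspPrefix        = 'MSP-'     # assumed naming convention for MSP technician accounts
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'

# 1. Enabled accounts with no logon in $InactiveDays days: candidates to disable
Write-Host "== Enabled accounts inactive for $InactiveDays+ days =="
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Sort-Object LastLogonDate | Format-Table -AutoSize

# 2. Every user who ends up in a privileged group, with nested groups expanded
Write-Host "== Privileged group membership =="
$privMembers = $PrivilegedGroups | ForEach-Object {
    $group = $_
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, Name
}
$privMembers | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$privNames = $privMembers.SamAccountName | Select-Object -Unique

# 3. MSP technician accounts that are privileged (should be few, and all known to you)
Write-Host "== MSP accounts holding privileged membership =="
Get-ADUser -Filter "SamAccountName -like '$MspPrefix*'" -Properties LastLogonDate |
    Where-Object { $privNames -contains $_.SamAccountName } |
    Select-Object SamAccountName, Enabled, LastLogonDate | Format-Table -AutoSize

# 4. Service accounts (non-expiring password or a registered SPN) that are also
#    privileged: the over-privileged service account the text warns about
Write-Host "== Privileged service accounts =="
Get-ADUser -Filter { PasswordNeverExpires -eq $true -or ServicePrincipalName -like '*' } `
    -Properties PasswordNeverExpires, ServicePrincipalName, PasswordLastSet, LastLogonDate |
    Where-Object { $privNames -contains $_.SamAccountName } |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet, LastLogonDate |
    Format-Table -AutoSize

# To act on a stale account once its owner has confirmed it is unused
# (remove -WhatIf to apply the change):
# Disable-ADAccount -Identity 'MSP-oldtech' -WhatIf
```

Run it on the same schedule as the access review and keep the output with the review record; an account that appears in lists 3 or 4 needs a written justification or it should be removed from the group.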

2. Authentication and Access

MSP accounts should be held to the same password policy as your organization's own accounts, if not a stronger one, and must always enforce MFA. This is especially important for accounts with elevated access to your network or resources. Keep MSP access to the minimum needed, and make sure every connection is logged, whether by a SIEM, the system itself, or the firewall.

Questions to Ask:

  • How will you and your technicians connect to assist my employees?
  • Do you enforce MFA for your employees’ workstations and email?
  • Will you be opening a site-to-site VPN to access our internal network?
  • How will your technicians log in to manage our servers, backups, and Office 365?

What are risks associated with access and authentication?

  • An MSP's network is a high-value target precisely because it holds access to many clients. If the credentials, documentation, or remote-management tooling the MSP keeps for your environment are not protected, an attacker who compromises the MSP inherits the MSP's elevated access to your internal network.

3. Implement Strong Controls and Policies

Keep operating systems and networking equipment updated and patched. Equipment the MSP brings on site (such as a management PC, sometimes called a "jump" host) must meet the same cybersecurity standards as every other machine in your organization.

That includes enabling audit logging for both successful and failed sign-ins, enforcing enterprise antivirus and DLP policies, encrypting the HDD/SSD, and, wherever possible, restricting access to sensitive VLANs such as those for servers and networking equipment.

Questions to ask:

  • Where can we review a log of updates pushed or scheduled?
  • Where can we review a list of systems connected to our LAN?
  • Are the management PCs on my network encrypted?
  • Do we have access to review our antivirus alerts, and where?
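An added example, not part of the original page, showing how to verify three of the controls in this section on a management PC or jump host: sign-in auditing for success and failure, disk encryption, and a review of one account's sign-in events. It assumes an elevated PowerShell session on a Windows host with BitLocker available; the account name "msp-tech" is a placeholder.

```powershell
# Added example (not from the original page): checks on a management/jump PC for the
# controls listed above. Run elevated. The account name 'msp-tech' is a placeholder.

# Turn on sign-in auditing for both success and failure, then confirm the setting
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /get /category:"Logon/Logoff"

# Confirm the system drive is actually encrypted, not merely "BitLocker installed"
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

# Pull the last 24 hours of logon events (4624 success, 4625 failure) for one account.
# Field positions differ between the two event IDs, so read the named EventData fields
# from the event XML instead of indexing Properties[].
$account = 'msp-tech'
$since   = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Result    = if ($evt.Id -eq 4624) { 'Success' } else { 'Failure' }
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']      # 10 = RDP, 3 = network, 2 = interactive
            SourceIP  = $data['IpAddress']
            Station   = $data['WorkstationName']
        }
    } |
    Where-Object { $_.User -eq $account } |
    Sort-Object Time | Format-Table -AutoSize
```

A run of failures followed by a success from an unfamiliar source IP, or a logon type you did not expect for that technician, is exactly the pattern the "from where" question in the next section is meant to surface; forward the Security log to your SIEM so this review is not limited to one host.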

4. Where Data Collected From Your Organization is Stored

Private data collected and used by your MSP must be protected by strict policies on who can access confidential data and from where. Your MSP should be able to answer the following questions and provide documentation of its policies for collecting, storing, and accessing your private data.

Questions to ask:

  • What do you and your team use to collect and store our passwords?
  • Where can your team access our data from? 
  • How do you vet the employees and vendors who access our data?

“Detailed guidelines for log and records maintenance, including requirements for the MSP to provide secure storage of backups and for detailed records of when accounts are accessed, by whom, for how long, and what actions were completed.” 1

Partner with a company that is hyper-focused on cyber security.

We follow strict cybersecurity safeguards to protect data collected from our clients.