When it comes to managed and cloud services, regardless of who you talk to, security is a touchy subject. No one denies the importance of a good defense, but no one wants to accept the risk of a breach, either. Service providers can adopt best practices to mitigate risk, but industry experts say there’s no way to completely eliminate the risk associated with data breach.
"The customer of managed services and cloud wants to put as much risk away from themselves and onto the service provider as possible. The service provider wants to transfer or avoid as much risk as possible, but they also want the sale," said Charles Weaver, CEO of Chico, Calif.-based MSPAlliance, an industry association and certification body for managed services and cloud computing professionals. In essence, service providers and their customers are at direct odds with each other.
To further complicate matters, experts agree a breach is inevitable. "In security, if you're the good guy, you're playing defense. If you play defense long enough, you lose. Something is going to get you," said Benson Yeung, senior partner and founder of Triware Networld Systems LLC, a full-service consulting and integration company based in Santa Clara, Calif.
In security, if you're the good guy, you're playing defense. If you play defense long enough, you lose. Something is going to get you.
senior partner and founder, Triware Networld Systems
"We can't accept the liability, and the reason why is it's impossible. If you think about technology today, let's say the Windows OS, you can't go another month without getting another patch," said Steven Reese, CTO of Ontario, Calif.-based Sigmanet Inc., a value-added reseller and IT consultancy offering a variety of solutions and managed services.
Reese continued: "You have to think about risk in two veins: the likelihood of a breach and the impact of a breach. No matter what I do, I can't change the impact. If a credit card number is stolen, it's stolen. The impact to the customer is the same no matter what I do. From our perspective, the best I can do in this industry is reduce the likelihood of a breach -- implementing multiple layers of security, taking a defensive posture, applying good policy. Doing that helps curb a lot of that problem we run into with regards to security breaches, but in order to fully insure somebody, it would be an impossibility."
Yeung addresses the problem head-on with new clients. "I always like to put myself as well as clients in the mindset that at some point in time they're going to get hacked. I start with the worst case scenario: What is the worst that can happen if we get hacked today?" Yeung said. This discussion allows Yeung to identify the client's most critical assets. However, he doesn't focus solely on shoring up defenses. He also addresses incident response. "To me, recovery is more important than defense. We all do defense, but how will you recover when the defense fails?"
The value of contracts
Unlike most service providers, Yeung doesn't take any action to limit his company's liability should a customer be breached. He doesn't like contracts, and he doesn't have insurance, he said. Instead, he builds relationships with his clients based on trust. "It doesn't matter what's written down. If they don't trust you, it doesn't matter. I wouldn't take on any project where I wasn't trusted 100 percent. The entire industry is built on trust. Whenever there is no trust, it's just not going to work," he said.
Robby Hill, founder and CEO of Florence, S.C. -based HillSouth, an IT consulting firm offering managed services and integration services to small and medium-sized businesses, said his company has contracts updated every few years with an attorney, and they include a standard indemnity clause. However, the contracts provide little if any protection. "What we found out in the healthcare sectors is that [the standard indemnity clauses] don't apply to healthcare data with the new regulations that [have] come down. Everyone's responsible whether they indemnify themselves or not," he said.
Regardless of the type of data service providers handle, it presents some risk -- but the risk extends beyond the solution provider. "The information people give at a doctor's office or healthcare office is no different than what the bank might have. It's very sensitive information that can be used for identity theft. We are right to want to protect it, but we need to understand that the risk spreads through the whole ecosystem, not just the provider," Hill said.
This, of course, includes the customer's environment. "That's hard for the customer to understand: that at some point there still falls a level of liability on the customer. There's only so much we can do before it comes down to [the fact that they] need to care for [their] information," Reese said.
As an example, Reese said there is little he can do if data becomes corrupt. "The reality is if that happens, there's no level of recovery I can provide. If it's backed up, it's not really lost or corrupt. But if someone's data goes away and there's no backup, there's nothing I can do. … Even the biggest data centers still provide the same kind of [contractual] language. They can't be held liable to lost or corrupt data," he said.
Best practices to mitigate risk
Regardless of the service provider's view of risk, there are standard best practices that can limit the company's liability in the case of a breach. According to Weaver, it all starts with "a really well-prepared set of service agreements. I don't mean some circa-1995 Webhosting contract copied from the Internet with the other company's name scratched off and the service provider's own put on there. I mean a real contract drafted or at least reviewed by an attorney who knows cloud and managed services," Weaver said. "A well-crafted agreement should reflect accurately what the service provider is capable and willing to do in terms of risk."
Tips to mitigate risk related to a customer data breach
1. Hire a lawyer to draft or review a well-developed service contract, keeping in mind that some U.S. regulations, such as in the healthcare field, override indemnification that is usually possible through contractual agreements.
2. Buy insurance to cover events that might not be foreseen in the contract.
3. Employ individuals with technical certifications in the areas they are working in.
4. Get your business certified by a certification body like MSPAlliance or Smithers Quality Assessments.
5. Get your business audited by an independent third party.
"That will tell the customer what the MSP is willing to do and not do. It will tell the MSP that if [they're] saying something that doesn't jibe with what's in the agreement, then [they] have a problem. It shows them where they're skirting the boundaries of their own comfort zone," Weaver said.
Weaver also advises service providers to purchase insurance. "It's a stopgap. It will handle the overflow or whatever the contract did not cover," Weaver said. "It will help catch the stuff that happens in the relationship but that may not have been anticipated. … Insurance plus a good service agreement will give a lot of protection to the customer and the service provider," he said.
Finally, Weaver said that service providers need to demonstrate that they are qualified to deliver the services they are selling. "You've provided the agreement that will provide a legally binding relationship. Insurance will provide financial assurance to the customer and the MSP, but … how do you prove what you're doing? That's where audit and certification come in," Weaver said. This means having individuals certified in the areas important to the customer as well as having the service provider's company certified and audited.
"A benefit to the MSP is being able to communicate and prove very quickly what you can do for a customer. A lot [of service providers] just rely on sales and marketing to build that trust. A well-certified bench of technicians in a certain area as well as having the company certified is good for proving fairly quickly that you are who you say you are and that you're capable of doing the work," Weaver said.
Being certified can also have an immediate financial benefit. Weaver said Lords of London, the MSPAlliance's insurance policy carrier, gives MSPAlliance member customers who are certified and audited a percentage back. "If they have insurance and are certified, they'll see a lower premium," Weaver said.
"When working with insurance companies that understand technology solutions providers, you'll start to see all these questions related to 'Do you do this? Do you do that? Are you implementing these procedures?' I take that seriously. That's what the insurance company wants us to have," Hill said. "Any time carriers have suggestions we can take to reduce risk, we take them."
"Our industry is an industry where we take on a lot of risks. We just have to know up front what we're doing and take steps every day to mitigate the risks that we take. Most solutions providers have access to confidential data on any given day from a client. That's the nature of our business. Everybody in our industry should take that seriously and put the right tools and processes in place to protect the information your customers trust you with," Hill said.
This was first published in September 2013