Sapsiwai - Fotolia

RMM software: Should MSPs buy baked-in security?

MSPs must carefully weigh the pros and cons before purchasing RMM software with baked-in security features. The alternative -- to buy security products separately -- also has its drawbacks.

Whenever Peter Kujawa must decide on a remote monitoring and management (RMM) software product that has security software embedded within it, he always evaluates the features and functionality of the product and then returns to the one consideration that takes precedence over all others.

"Our No. 1 priority is that we provide best-in-breed products for security to our clients, because if we don't and they have a security event, then they are going to need help from our support center and we include all-you-can-eat support into all our contracts," Kujawa said. Kujawa is president of Locknet Managed IT Services, a managed service provider (MSP) based in Onalaska, WI. The MSP is a division of EO Johnson Business Technologies.

The cost of cleaning up a security breach can eat into an MSP's profit margins, a thought that is enough to make Kujawa look at other security software alternatives for his customers, which are mainly in the financial and healthcare verticals.

"It's a tough business, and it's very important for us and for all our customers that we prevent a security breach from occurring in the first place," Kujawa said.

Locknet Managed IT Services manages approximately 8,000 desktops, 1,500 servers and about 400 firewalls for customers located in three states: Wisconsin, Minnesota and Iowa.

As security concerns grow, cloud computing adoption advances, and regulatory compliance adds more complexity to the burden of managing data, customers are turning to MSPs to help them address their security needs.

For MSPs, providing security services typically boils down to taking one of two approaches: either sign up with an RMM software vendor that provides security functionality embedded in their RMM tools, or buy a security product separately and integrate it into the RMM software.

The choice between these two approaches often comes down to product features, price, and ultimately what an MSP thinks is best for their business and their customers' security needs.

RMM software with security bundled in

According to Kujawa, the advantages of using an RMM platform with security features baked in include ease of deployment, quicker time-to-market and the ability to use one pane of glass to manage a customer's infrastructure. Additionally, from a licensing perspective, MSPs can work with one RMM vendor to resolve security issues.

Nevertheless, there are many drawbacks.

One major problem for Kujawa is that he doesn't want to be "held hostage" to what RMM vendors are offering. As a result, he has chosen to buy the security software separately.

"We have found those systems to be more effective from a security perspective than any of the systems that are offered through our RMM platforms," Kujawa said. "We can be more selective and pick and choose from different vendors depending on our needs, as opposed to just going with what the RMM platform provides."

Kujawa said his company uses Fortinet firewalls, ESET antivirus, ZIX email encryption and a Barracuda spam filter.

Locknet Managed IT Services' decision to select independent security products reflects what many see as one of the main weaknesses of RMM platforms that come with security features: those features are watered-down versions of security software. They're less likely to withstand malware, viruses and intrusion by hackers that attempt to steal sensitive data.

An MSP can't be so intransigent that they only have one solution. They have to be able to take multiple solutions to market, and that includes security.
Charles WeaverCEO and co-founder, MSPAlliance

According to Ryan Delany, global solutions marketing manager at IT security firm Trend Micro, reduced functionality is a main disadvantage to buying an RMM system with embedded security. It doesn't provide the protection that customers need. Because of this, MSPs, especially smaller companies with tight budgets, should look for RMM software with more features embedded into the product, such as a unified threat management (UTM) device, a web filtering offering or an email filtering application, he said.

"What typically happens is the MSP will buy the integrated option that doesn't have a bunch of features and then they will supplement it with other third-party products that have those features," Delany said. "In the end, their cost of delivery can be 10 times more than if they were to buy a full-featured product in the first place."

Delany also said certain RMM security products have slower release cycles and if a security vendor releases a new version of the security software to the public, the version that's integrated into the RMM may not be updated for another six months. He also cautions MSPs to think about vendor lock-in.

"One of the things we've seen is that the RMM vendor decides to end their contract with the company that provided the security solution and go with another vendor," Delany said. "What that means to an MSP is that they have to go and rip and replace the security solution across their entire customer base, and typically the vendor is not going to pay them back for that."

A similar problem occurs when MSPs switch RMM software vendors.

"If you are using an integrated solution and you decide to switch RMM vendors, then you'll have to rip and replace the security solution, versus if you had a standalone security solution in place, in which case you would not have to touch it," Delany said.

Other problems Delany cited are that MSPs have less control when they choose RMM software that comes with security features. When MSPs have complete control over a standalone security infrastructure and product, they can contact the security vendor directly if problems arise. However, in a situation where the security software is embedded into RMM software, the MSP typically calls on the RMM vendor, who acts as a proxy, to obtain support. The result is that more people are involved and more delays can occur when addressing security issues.

Buying your security products separately

Charles Weaver, CEO and co-founder of the MSPAlliance, said MSPs must be open to a variety of security software products as they -- and their customers -- grapple with adopting an RMM security strategy that will address security and privacy concerns for cloud-based users and those operating their own private servers.

"An MSP can't be so intransigent that they only have one solution. They have to be able to take multiple solutions to market, and that includes security," Weaver said. "That's where I think the ability to be flexible is very important."

The MSP Consortium, an organization that offers a free RMM platform to MSPs, is steadily transforming its platform to allow MSPs greater breathing space in selecting technology and finding the right approach that meets their customers' requirements.

Describing themselves as an organization dedicated to making MSPs profitable, The MSP Consortium, which started in April, has approximately 1,500 RMM users. With plans to launch the latest version of its RMM platform in the fourth quarter of this year, the consortium's upgraded product will have its own app store that offers security products from competitors.

"In terms of security, we'll have everything you can think of, from antivirus to antispam to DLP [data loss prevention] to UTM and security analytics," said Melih Abdulhayoglu, board member of The MSP Consortium. "We are not going to limit an MSP by saying, 'Oh, you can only buy from us because you are using our free RMM.' No, our RMM is open to everyone, including our competitors, so we have incorporated both approaches."

Abdulhayoglu is also CEO of Comodo Group, the company that provides the MSP Consortium's RMM software.

If some view the RMM security problem as one that can be solved by incorporating more security software from a variety of vendors to their RMM solution, others beg to disagree.

Delany suggests that this strategy could upset the whole premise of the MSP model, which is built on fixed costs, repeatability, consistency and standardization.

"If you start letting one customer have Symantec and another have Trend Micro and a third use McAfee and the fourth use Kaspersky, it becomes a real cost burden on you as an MSP," Delany said. "You have to learn four different products, four different consoles, and four different usernames and passwords. It just goes against the whole idea of what you are trying to accomplish as an MSP."

Nicole Lewis a freelance business and technology writer based in Miami, Fla.

Next Steps

Get more insight to help you select RMM software for your business.

Read about a range of ancillary tools for managed services providers.

Reports depict the unsettling state of the SMB security.

Dig Deeper on Technology Business Management Software