The MSPAlliance today announced several significant enhancements to its 10-year-old MSP/Cloud Verify program.
The industry organization for managed service providers (MSPs) regularly updates the MSP/Cloud Verify (MSP/CV) program, the oldest certification for providers. The latest enhancements address the following areas: infrastructure as a service risk assessments; Microsoft (and other vendor) services provider license agreement (SPLA) licensing controls; improved corporate health reporting; improved internal MSP security controls, such as password management; and improvements around MSP responses to ransomware and other cybersecurity attacks on client systems.
"This latest update reflects significant issues that we [the board] feel have come up and are important to the service provider community and any company going through the MSP/Cloud Verify process," said Charles Weaver, CEO of the MSPAlliance, who noted that the standard reflects continual change in opportunities and the threat landscape that both MSPs and their customers need to be aware of.
Taking a deeper dive into the enhancements, Weaver started by addressing legal risks that come from licensing pressures from software vendors. While he used Microsoft as an example, Weaver said the issue is not unique to Microsoft. In fact, he noted that this issue is more common among legacy software vendors who are in the process of changing how they sell from on premises to cloud or virtualized models.
So, for example, Microsoft has specific licensing language for service providers that restricts or mandates how service providers must license virtualized environments. "So when MSPs are selling infrastructure to a customer, whether the MSP owns the hardware or not and whether they own the software license or not, it could subject them to great legal peril if the software vendor were to conduct a software audit and find that they were owing for missed licenses and then assess a fine," Weaver explained.
As a result of identifying this risk to MSPs, the MSPAlliance has enhanced the certification to ask questions that identify, and help educate the MSP on, potential areas of risk within its licensing model so that the risk can be mitigated.
Another area that was marked for change had to do with the lack of standardization among MSPs around password management. "It's no longer a best practice if an MSP takes a spreadsheet and puts passwords in it and password protects that spreadsheet. That's not a safe environment for that data," said Weaver.
The MSP/CV recommends that in 2016 MSPs adopt a password management technology -- whether on premises or cloud-based -- for internal use and to sell to their customers.
Also related to security is the recommendation that MSPs have a ready-to-go plan, for their customers and their own organizations, against cyberattacks or ransomware or any type of crippling event that could disable an entity operationally.
In order for MSPs to pass the MSP/CV program they're going to have to prove that they have a plan in place against a cybersecurity attack, according to Weaver.
The corporate health enhancement has to do with reporting on the health of MSP organizations, and looks at financial metrics, customer retention rates, and employee retention rates, for example. "This is to give MSPs and their customers a sense of how the company is set up, its track record and provide a sense of comfort to the customer," said Weaver.
There are multiple sources that MSPs can turn to for help implementing the new MSP/CV recommendations. Weaver noted that during the certification process the MSPAlliance and its auditors provide reasonable assistance and advice to members going through the certification process. He also said that there are legal experts in the field, or MSPs may have their own in-house or external counsel.
MSP/CV certification holders renew annually. According to Weaver, the recertification process is as rigorous as the initial test. Almost 900 organizations, worldwide, hold the MSP/CV certification and more than 95% of certification holders renew successfully every year, especially among MSP companies that got their certification within the past five years, according to the MSPAlliance.
The new enhanced MSP/CV went into effect at the beginning of January.