In the realm of cybersecurity, managed service providers (MSPs) are the crucial bridge connecting clients and vendors, orchestrating a secure digital ecosystem. Critical to this is the ability of MSPs to implement standards, whether they come from an external organization such as the Center for Internet Security (CIS), which provides hardening guidelines for common workstations, servers, browsers and software-as-a-service (SaaS) applications, or from the vendors themselves, who have advanced knowledge of their own platforms.
Aligning your organization to a framework or set of standards like the CompTIA Cybersecurity Trustmark is another way to help you with hardening guidelines.
Even if you consider yourself a cybersecurity professional or expert, it's a good idea to review or refresh these standards to make sure nothing is slipping through the cracks. With that in mind, here's a quick reminder of 10 guidelines or areas that MSPs should remember when it comes to protecting against the latest threats.
Secure Configuration Guidelines
Secure configuration guidelines (one of the control domains within the CompTIA Cybersecurity Trustmark) are a set of practices and settings that aim to harden systems and applications against unauthorized access and vulnerabilities. These guidelines cover various aspects, including setting strong passwords, disabling unnecessary services and applying the principle of least privilege. By adhering to these practices, organizations can significantly reduce their attack surface and mitigate the risk of cyber threats.
Related: Learn more about cybersecurity controls and frameworks in the CompTIA Cybersecurity Trustmark.
The Importance of Implementation
Implementing secure configuration guidelines is not just a one-time task but an ongoing process that requires regular updates and reviews. As new vulnerabilities are discovered and technologies evolve, these guidelines must be updated to ensure they remain effective in protecting against current and emerging threats. Organizations should also conduct periodic audits and compliance checks to ensure that the guidelines are being properly implemented and followed.
The Role of Third-Party Vendors
When incorporating products from third-party vendors, it's crucial that these products come with their own specific secure implementation guidelines. Vendors should provide comprehensive documentation that outlines how to securely configure and deploy their products. This not only helps in maintaining a strong security posture but also ensures that the products can be integrated into the organization's existing security framework without introducing new vulnerabilities.
Vendor Responsibility and Transparency
Third-party vendors have a responsibility to not only provide secure products but also to be transparent about the potential exposures their products might have. This includes detailing known vulnerabilities, patches and workarounds, as well as providing timely updates to address security issues. By doing so, vendors help organizations make informed decisions about the risks associated with using their products and how to mitigate them effectively. Make sure you talk to your vendor partners regularly about potential exposures.
CIS Hardening Guidelines Fill in the Gaps
Outside of the vendors themselves, and besides the CIS benchmarks, which provide a comprehensive set of controls for companies to implement regardless of their security maturity level, CIS puts out hardening guidelines for major operating systems, cloud infrastructure and software, including SaaS.
These guidelines, as well as others from industry-recognized organizations, provide a blueprint against which a company, or an MSP supporting a company, can implement a security-first approach to building a more defensible infrastructure. The reality is that most software serves multiple use cases, from consumer and commercial to public sector and defense, and as a result does not typically deploy securely "out of the box."
A Tripartite Approach to Cybersecurity
Cybersecurity must be a collaborative journey with participation from the MSP, their clients and third-party vendors. Implementing CIS hardening guidelines is not merely a procedural task; it requires continuous adaptation and vigilance to counter evolving cyber threats. MSPs play a vital role in guiding clients through the intricacies of CIS benchmarks, ensuring their IT infrastructure is optimized for security. Senior management and their employees also need to take part to ensure success, provided they are properly educated on the risks associated with their decisions and actions.
The MSP's Role in Secure Configuration Guidelines
MSPs are tasked with the strategic implementation of secure configuration guidelines, fostering a secure environment for clients. This involves conducting regular audits, applying updates and facilitating training sessions. Additionally, MSPs ensure that third-party products and tools adhere to these security standards, whether those products are provided to the client directly or through the MSP (such as Office 365 or Salesforce) or are the tools the MSP itself uses to service its customers, such as its remote monitoring and management (RMM) and professional services automation (PSA) systems. Ask your RMM, PSA and other vendors which standards they use.
Collaborating with Vendors for Enhanced Security
Partnerships with vendors are instrumental in reinforcing cybersecurity measures. Vendors must ensure their products do not violate the guidelines set forth by the client, their industry or the MSP, and must assist in providing the best practices to secure their product. Who knows better than the developers of the software or solution what it would take to reduce the risk associated with its use? Reach out to your critical vendor partners, whether they are used internally to service clients or used by your clients directly, to ensure you are following any secure best practices they have developed.
Shared Responsibility: MSPs, Clients and Vendors
Cybersecurity is a shared responsibility, with each stakeholder playing a unique role. Vendors are expected to provide secure, compliant products, be forthright about any potential security issues and provide guidelines on how to secure those products. Clients, for their part, are encouraged to engage in cybersecurity awareness and adhere to best practices. The MSP ultimately pulls it all together, ensures that each group is aware of its role and is forthright about what gaps may exist. Together, this synergistic approach amplifies the effectiveness of cybersecurity strategies, creating a resilient business.
Fortifying Cybersecurity Through Collective Action
Secure configuration guidelines play a vital role in cybersecurity, offering a roadmap to securing systems and applications against threats. The implementation of these guidelines is a critical step in building a robust security posture. Moreover, the involvement of external vendors in providing secure products, being transparent about potential risk and providing guidance on how to reduce exposure is paramount. Organizations must work closely with vendors to ensure that the products they use meet the highest security standards and contribute to the overall security of their information systems.
Looking to Embed Cybersecurity into Your Culture?
Download a CompTIA Community whitepaper to learn how to get executive buy-in, create the right documents and processes and position yourself as a security-first company.
Raffi Jamgotchian is founder and CEO of Triada Networks and chair of the CompTIA Community Cybersecurity Interest Group in North America.