Bekker's Blog

Blog archive

4 Tricks MSPs Can Use to Check the Security of Their Vendors

When a managed service provider installs agents or sets up other tools at a customer site, the customer is trusting them at a deep -- let's call it what it is, an administrative -- level.

That makes it incumbent upon the MSP to ensure the vendor tools they're using are highly secure. How can an MSP, often challenged with a small staff and many other priorities, be confident that their much larger vendor partners are operating in a secure fashion?

During an Acronis virtual partner event Tuesday, Amy Luby, who leads community efforts for Acronis' channel, put that question to Bobby Kuzma, practice director of assessment and testing at the Herjavec Group, a Toronto-based MSP that specializes in security services and training.

Kuzma provided four shortcuts that MSPs can use to assess how serious their vendors are about security.

1. A Leader at the Company Whose Sole Job Is Security
"The CISO role has been around since the late '90s. And there are still organizations that don't believe that security is someone's job. If a vendor doesn't share that belief that that's a responsibility that's worthy of having a dedicated professional for," Kuzma says, it should be a red flag.

That person doesn't have to be listed on the Web site, or in the C-suite or even at the VP level, although any of those attributes would be a good indicator of seriousness. "If you don't see a CISO, ask," Kuzma says. "LinkedIn is your friend. Flat-out ask them, 'Who owns security in your org, and can I get an introduction?'"

2. A Clear Process for Reporting Bugs in Their Code
"If they are a vendor that produces a tool or has a service that is offered, do they have some non-trivial way for people to report vulnerabilities? This isn't necessarily a bug bounty program, although those are nice," Kuzma says. "Is there a way to let them know without blasting it out on the Internet? If a vendor doesn't have a way of doing that, that's a thing that would concern me greatly."

It's OK if vendors outsource triage of bugs to a third-party specialist, and bug tracking can be done through routine service tickets if bug reports are a clearly-defined procedure in the ticketing process, he says.

3. A Way To Get Your Customers' Risk Questionnaires Handled
"In this day and age, you probably have customers that want you as a vendor to them to fill out their risk questionnaires. Let's face it, they're silly [and] repetitive. No one likes doing them. You want to make sure that there's a sane process in doing that that doesn't involve a week in ticketing hell," Kuzma says.

Good enough much of the time, in Kuzma's view, is an NDA-protected FAQ available about the vendor's security operations center.

4. Evidence of a Recent Pentest
"You may want to ask the vendor when was the last time they had their organization itself pentested and the product itself pentested?" Kuzma suggests.

He'll go so far as to ask for a copy, but he views an executive summary as good enough in many cases. "I wouldn't downcheck them if they're unwilling to share the full report," he says. "If they're willing to open the doors and let you peek your head in, that shows a level of maturity."

Kuzma had one final piece of advice for MSPs who may struggle to get answers to their security questions: Leverage your relationship with the salesperson who is trying to get you to sign up for the service. If their commission depends on your satisfaction, you're more likely to get answers.

"Your sales point of contact that you may be in touch with is probably your greatest ally in trying to get information," he says. "They'll start asking questions to make you happy."

Posted by Scott Bekker on February 02, 2021