To offer security to clients, MSPs must start at the very beginning - with client data.
The problem(s)
The first principle of protecting client data is that you must be able to identify and locate it. As common sense as that sounds, at how many sites can you say you really know this? At even our smallest, premise-centric sites with a server and just a handful of endpoints, how many of us are truly certain where all data resides? And once we’ve identified where the data resides, we next must tackle the challenge of tracking this moving target of data location. And what of all their hosted data?
To start, we will break this down into three steps.
1. Identify the data
I cannot remember meeting with a company that knows where all their data resides. They cannot answer the question “Where is your data?” We never hear “I don’t know,” but many tell us “in the cloud.” As MSPs and service providers, we know that what this actually means is “on the server, the endpoints and who knows where else?”
I take this reality to mean that our first effort must be one of business processes, in that we need to work with clients to help them understand how data gets created and where it ends up. The next step is to create some controls around this by creating policies (“no data should exist in only one location” or “here is a list of acceptable data locations”). Only once these policies are in place can you hope to start enforcing these strictures. Only then can we confidently say we have identified their data and move on to locating it and fully protecting it.
Related reading: Read part one, part two, part three, and part four of the ideal security stack series.
2. Locate the data
Once you are confident you have identified the data, the next step is to locate it and prescribe its future access and management. That is easy to say, but hard to execute. For many small operations, especially those without hosted line-of-business applications, this might be as simple as mandating the use of OneDrive or whatever your corporate preference is, and then making sure that you have the technology in place to enforce this mandate. I am referring to the ability to control access and permissions to the data, and the enforcement of this.
Once again, many smaller businesses get by with one or two “official” locations such as M365 and a chosen “box” such as Dropbox, Google Drive, or OneDrive. Of course, policies do not control where data ends up; they only prescribe. Enforcement is another issue entirely. And with remote work of one sort or another so ubiquitous, this problem has only gotten worse. But even if you could limit your data to just “three locations” (premise server, endpoints, and perhaps a few prescribed cloud locations), how do you ensure that it is secured and backed up?
3. Protect the data
If you have the idea that I am going to deliver a knockout blow that will resolve these issues in a single stroke, I am going to have to disappoint you. My purpose here is to identify what we are missing as providers, not to provide a single, comprehensive answer. Most of us in IT services know how fragmented the hosted application data backup market is. While M365 has many different providers (and Google Workspace is nearly as well served), with many “cloud data repositories,” backup is an entirely different matter.
Part of this is because there is not yet any universal API to build these applications to. While there are some “middleware-like” offerings out there, many hosted providers lock down access to their data for reasons of security (in the best case). Others keep that data locked down and in a proprietary format with minimal external access to help ensure the “stickiness” of their solutions. Whatever drives these data silo attitudes, most vendors make it very difficult to access their data, whether it be for reasons of security or to protect their own revenue streams.
There is an emerging space with some very good solutions to attack some of these issues. As mentioned earlier, M365 and Google Workspace are particularly well served, with dozens of vendors serving these needs. Some players also address several widely used hosted applications such as QuickBooks Online, Xero Accounting, and, at the high end of the SMB market, Salesforce as well. There is no universal solution yet, and there probably won’t be until the industry decides to present a unified backup API, but we are at least moving in the right direction.
Summary
There is no easy solution to identifying, locating, and backing up your clients’ data. These efforts must be collaborative, beginning with business data discovery and process analysis. Once this is done, you will need to work with them to prescribe how that data will be stored going forward. Only after all of this can you be sure you can locate, protect, and back up their data.