
Essential Security Best Practices for MSPs

Datto’s focus has always been to help our partners, managed service providers (MSPs), thrive. To that end, we’ve been proponents of a largely open ecosystem in which vendors work together to make the day-to-day operations of the MSPs they serve more efficient and successful. In the fall of 2019, we brought together four main vendors in the MSP space to compile a list of security best practices that every MSP should implement to mitigate the risk of ransomware attacks and other cyber threats.

Datto CISO Ryan Weeks

Team members from Huntress, ID Agent, ConnectWise, and Datto put their heads together to develop the tips I’m sharing in this article, and so I’d like to thank each and every one of them for their contributions. The items below are only the high-priority highlights; please download the full list on our website to ensure your company is doing everything it can to prevent ransomware attacks.

What Should You Do Right Now?

The items below are high-priority security actions that MSPs can take now to better protect your business, your data, and your clients.

Identity and Access Management

  • Conduct an audit of all technology solutions, user accounts, and roles. Repeat this process on a quarterly basis (at least).
  • Disable accounts upon employee technology offboarding, or update permissions and access upon role change.
  • Disable employee accounts that have been unused or inactive for long periods of time.
  • Use a password manager to create strong, unique passwords per technology solution and enable multifactor authentication (MFA) on the password manager. Do not allow storage of credentials in a web browser.
  • Protect any API keys in use.
    • Use different keys for different integrations, rotating them periodically.
    • Use IP restrictions where possible.
    • Store keys securely.
    • Enable MFA on every account that is permitted to use API keys, wherever those keys are configured.
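The account and API-key audit described in this section, as an added example that is not part of the original article or any Datto tooling. It runs over a constructed inventory; the 90-day inactivity cutoff, the 180-day key rotation interval, the tool names and the audit date are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
TODAY = date(2020, 1, 15)               # audit date for this constructed example
INACTIVE_AFTER = timedelta(days=90)     # assumed cutoff for "inactive for a long period"
KEY_ROTATION_MAX = timedelta(days=180)  # assumed rotation interval for API keys
@dataclass
class Account:
    user: str
    tool: str
    employed: bool   # False once HR has offboarded the person
    mfa: bool
    last_login: date
@dataclass
class ApiKey:
    key_id: str
    integration: str
    created: date
    ip_restricted: bool
ACCOUNTS = [  # constructed sample data, not real accounts
    Account("alice", "rmm", True, True, date(2020, 1, 14)),
    Account("bob", "rmm", False, True, date(2019, 6, 2)),    # offboarded, account never disabled
    Account("carol", "psa", True, False, date(2019, 9, 1)),  # no MFA and long inactive
]
KEYS = [  # constructed sample data, not real keys
    ApiKey("k1", "psa-to-rmm", date(2019, 3, 1), False),  # overdue for rotation, no IP restriction
    ApiKey("k1", "billing", date(2019, 12, 1), True),     # same key reused by a second integration
]
def audit_accounts(accounts, today=TODAY):
    # Returns (user, tool, issue) for every account that should be disabled or fixed.
    findings = []
    for a in accounts:
        if not a.employed:
            findings.append((a.user, a.tool, "offboarded user still enabled"))
        if today - a.last_login > INACTIVE_AFTER:
            findings.append((a.user, a.tool, "inactive account"))
        if not a.mfa:
            findings.append((a.user, a.tool, "mfa not enabled"))
    return findings
def audit_keys(keys, today=TODAY):
    # Returns (key_id, integration, issue) for keys breaking the rotation/scoping rules.
    findings, owner = [], {}   # owner: key_id -> first integration seen using it
    for k in keys:
        if today - k.created > KEY_ROTATION_MAX:
            findings.append((k.key_id, k.integration, "key overdue for rotation"))
        if not k.ip_restricted:
            findings.append((k.key_id, k.integration, "no IP restriction"))
        if k.key_id in owner:
            findings.append((k.key_id, k.integration, f"key shared with {owner[k.key_id]}"))
        else:
            owner[k.key_id] = k.integration
    return findings
```

Feed it an export from your PSA, RMM and backup portals on the quarterly audit the checklist calls for, and treat every finding as a ticket to disable, rotate or restrict.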

Network Access

  • Restrict RDP access to LAN only – do not configure internet access to RDP.
  • Use a VPN to restrict access to admin tools (RMM, Remote Access, etc.). Use MFA on the VPN.

Patching Your Channel Technology

  • Update all endpoints and technology software to versions that are free of known material vulnerabilities.
  • Review vendor practices for discovery, patching, and notification of vulnerabilities.

Protection of Local and Cloud Backups

  • Act on your vendors’ recommended guidance or best practices for the protection of your backup technology.
  • Move away from shared login accounts on appliances and technology portals.
  • Enable MFA on access to technology portals and appliances.
  • Store copies of backups offsite, or in an isolated network or file share location that is inaccessible from servers or workstations, thus making backups harder to access, encrypt, or destroy.
  • Monitor and alert for backup deletion. Some vendors offer “soft” delete so backups are not immediately removed. Understand your vendors’ capabilities.
  • Test your backups. Determine how long it takes to do a restore, and set accurate expectations should the need arise.
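One way to implement the "monitor and alert for backup deletion" item above, as an added example that is not part of the original article or any vendor's product. The audit-log format, the appliance and user names, and the burst threshold (three deletes by one user within ten minutes) are all constructed assumptions; soft deletes are ranked below hard deletes because a vendor's soft-delete grace period still leaves a recovery path.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample appliance audit log in a hypothetical key=value format (not any vendor's real log).
LOG = """\
2020-01-14T02:03:11Z appliance=bk01 user=alice action=restore agent=srv-files snapshot=2020-01-13
2020-01-14T02:05:40Z appliance=bk01 user=backup-admin action=delete_backup agent=srv-files snapshot=2019-12-30 mode=soft
2020-01-14T02:06:02Z appliance=bk01 user=backup-admin action=delete_backup agent=srv-sql snapshot=2019-12-30 mode=hard
2020-01-14T02:06:15Z appliance=bk01 user=backup-admin action=delete_backup agent=dc01 snapshot=2019-12-30 mode=hard
2020-01-14T09:00:00Z appliance=bk02 user=alice action=delete_backup agent=ws-07 snapshot=2019-10-01 mode=soft
"""

BURST_WINDOW = timedelta(minutes=10)  # assumed: BURST_COUNT deletes by one user inside this window
BURST_COUNT = 3                       # is treated as a mass-deletion event

def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = dict(p.split("=", 1) for p in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(log_text):
    """Return (severity, user, target, message) alerts for every backup deletion."""
    alerts = []
    recent = defaultdict(list)   # user -> timestamps of their deletes inside the burst window
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("action") != "delete_backup":
            continue
        mode = ev.get("mode", "unknown")
        # Hard deletes bypass any soft-delete grace period, so they rank higher.
        sev = "high" if mode == "hard" else "medium"
        alerts.append((sev, ev["user"], ev["agent"], f"backup deleted ({mode})"))
        window = [t for t in recent[ev["user"]] if ev["ts"] - t <= BURST_WINDOW] + [ev["ts"]]
        recent[ev["user"]] = window
        if len(window) == BURST_COUNT:   # fires once, as the threshold is crossed
            alerts.append(("critical", ev["user"], ev["appliance"], "mass deletion burst"))
    return alerts
```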

To learn more, download the complete checklist of best practices to better prepare for cyber threats, like ransomware.


Author Ryan Weeks is chief information security officer (CISO) at Datto. Read more Datto blogs, views and perspectives here.


Comments

    Nathan Taylor:

    Great stuff!

    I wish Datto would allow us to disable the MFA whitelisting on their new SSO platform. It seriously diminishes the security at my office when it’s always whitelisted for MFA on RMM. We disable whitelisting on MFA for all our other tools but Datto does not allow it to be disabled. Thank you.

    Ryan Weeks:

    Nathan – This is Ryan Weeks (Datto CISO). Wanted to chime in here and note that we have plans to provide an alternate policy in Trusted Networks in the first half of next year. Our development and product teams have scoped a second policy option with Trusted Networks that will allow you to require MFA for each login from Trusted IPs and disallow logins from all other Untrusted IPs. There are a few other deliverables we need to ship first as those will set us up to make the second policy option available. For now, I’d note that you can remove any IPs that have been added to your Trusted IP list (via Organizational Settings in Portal) and all future logins will be subject to MFA on every login as they will now be effectively Untrusted IPs. While you can’t disallow logins from foreign or Untrusted IPs yet, that’s something we are working toward with this second option. Hope that gives you some confidence in the direction we are heading. Reach out anytime.

    Nathan Taylor:

    Thanks for your reply.

    It’s great to hear about your additional security controls. Conditional access on RMM would be incredible!
