2019: The Year of Partner Security
Looking back at 2019 its safe to say that it was the year of partner (MSP) security. There were several highly publicized intrusions into MSP systems that enabled hackers to get access to hundreds of end clients’ data. As the single point of entry to millions of organizations globally, MSPs are potentially holding the keys to their clients’ “kingdoms” and with it brings the risk of paying enormous ransomware fees, lawsuits or the potential to go out of business. With a 33% increase in such incidents year over year this has unintentionally highlighted partners as the potential weak link into their clients’ data leveraging remote access software used by partners and some of the poor security practices of those software vendors as an intrusion point.
As a vendor ourselves, we had to do an honest evaluation of how we offer our services to our partners and the security practices we had in place while continuing to protect user privacy. After our assessment we had identified a few areas we could increase our security practices to limit the risk to our partners and their clients. In late 2018, Dropsuite released OAuth support when adding backups using Global Admins for Office 365 backup, with this change we stopped storing credentials for global admins and began the transition to Modern authentication.
As the year moved on Microsoft announced new security practices for partners mandating the requirement for partners to enforce multi-factor authentication (MFA) for all global admin users and announced a partner security score feature. These were not optional and meant that partners could no longer us a legacy protocols or stored password to access their customers Office 365 data going forward and would be tracked on how they monitor their partners security. If you want to continue to be a Microsoft partner, you have to take security seriously and do proper security inventory of all your vendors and solutions you provide going forward that access Office 365. Dropsuite then focused development on a solution that supported the partners MFA requirements and went an extra step further to support MFA on the end customers accounts, making the assumption that soon security enhancements would be coming to the customers accounts as well. We now enforce MFA where required for automation that we run on behalf of the partner for their customer fully leveraging modern authentication with Microsoft.
When assessing the risk for our partners we saw the need to further increase end user access security. With Microsoft introducing new security defaults for customers Dropsuite had already released Microsoft authentication support so that users could access their Backup and Archive data using the same login and security practices they already leveraged for their existing Office 365 account.
We will continue to evaluate and make changes that further enhance our partners and their customers security on an ongoing basis and strive to stay at the forefront of security best practices.
It is imperative for MSPs to protect their clients and their own practice from security risks. MSPs should implement a standard set of policies and procedures within their own practice, only work with security-minded software vendors and mandate that their clients deploy an adequate stack of security and backup tools and processes to minimize those security risks.