MSPAlliance, the international association for cloud and managed service providers, has announced a “breakthrough” in the fight against managed services supply chain vendor attacks.
For instance, MSPs and their end customers were hit by the supply chain attacks launched on SolarWinds last year and Kaseya earlier this year.
MSPAlliance has created Vendor Verify, a new certification designed to raise transparency and cyber security resiliency amongst supply chain vendors commonly used by MSPs.
The MSPAlliance Leadership Council, made up of hundreds of certified MSPs from around the world, has acted to secure its members' own supply chain by involving and working with hardware and software vendors. These vendors deliver the products and services that the MSPs in turn distribute to end customers.
“Collaboration among MSPs and vendors is a vital step in meeting our ultimate goals of securing the shared infrastructure and systems we use to provide the best possible cyber security for our customers,” said Corey Nachreiner, chief security officer of WatchGuard Technologies. “WatchGuard is proud to join with the MSPAlliance, and the other participating vendors, to bring the Vendor Verify certification to life.”
“MSPs are an important part of the LogMeIn and LastPass partner ecosystem,” said Patrick McCue, vice president of global channel sales at LogMeIn. “LastPass MSP was designed to be easily deployed so MSPs can seamlessly manage their clients' LastPass accounts. Vendor Verify will be a valuable tool for MSPs.”
Participating members of the MSPAlliance Vendor Verify Council, so far, include senior level executives from PC Matic, WatchGuard, LastPass by LogMeIn, Tigerpaw, Axcient, Loop Communications, CryptoStopper, bvoip, Intotoware, Vultr and INKY.
“We are honoured to see this level of support from the vendor community,” said Celia Weaver, president of MSPAlliance. “It's a big win for the industry.”
While still being thrashed out, the objectives of the programme include:
- Transparency enhancements from vendors to their MSP partners. Such transparency will be delivered through a centralised vendor database showing relevant certifications, audits and security practices. MSPs will be able to make better and more informed purchasing decisions, as well as relaying the information to end customers and their compliance personnel.
- Cyber security channel best practices. Leveraging existing cyber security frameworks, such as MSP and Cloud Verify, SOC 2, ISO 27001, CMMC and others, the Vendor Verify programme will use this data to build cyber security profiles and ratings, all designed to make it easier for MSPs to make “sound purchasing decisions”.
- Assurance to the MSP and end-user communities. By establishing and communicating these cyber security practices, MSPs can make more informed decisions about the vendors with whom they work, and so can end-user organisations. As more end-users make decisions to work with MSPs, they want to know their MSP (and their suppliers) are safe and taking every available precaution when it comes to cyber security preparedness.
- Risk alignment. Part of the Vendor Verify programme will involve contract and insurance best practices. Contracts between MSPs and vendors need to be revised to ensure proper alignment of risk in the managed services supply chain, as well as to communicate these measures to customers who rely on such information when making their own risk decisions. A “crucial benefit” arising from the programme will involve more effective information, which can be delivered to insurance underwriters, who issue cyber insurance policies to vendors, MSPs and their customers.
Completion of the project is expected to occur before the end of this year. Further details will be released in “early 2022”, said MSPAlliance.