How To Earn Maximum Trust From Your Managed Services Clients
April 30, 2007 12:00 AM ET
Page 1 of 3
Imagine, for a moment: One morning, a technician wakes up, goes to work, hatches a plan. He works for a managed service provider (MSP) that develops and manages grocery store inventory-control systems, remotely maintaining and updating those systems for clients spread across several time zones. He recently learned that his company is changing the employee bonus structure and he's unhappy with the result, to put it mildly. His response? Retaliatory and unconventional; he inserts a particularly malicious bit of code into the inventory-control software developed by his employer and installed on all of its clients' networks.
So, one morning, employees of two different East Coast grocery-store chains go to work and start up their inventory-control software, only to watch those systems first crash, then refuse to reboot. The MSP responds very quickly, moving to head off the infection before the morning shift starts at three more chains farther West. Where the damage has already been done, however, options are limited; the MSP is forced to fly staff out to rebuild the systems at each of the affected client sites. All in all, those systems are offline for two days.
Unfortunately, this isn't a fairy tale, or even hypothetical, according to Dawn Cappelli of the Computer Emergency Response Team (CERT) at Carnegie Mellon University's Software Engineering Institute. Though barred by CERT's confidentiality rules from disclosing names and other identifying details, Cappelli describes this true story drawn from CERT's files as "an illustrative case."
The very nature of the services MSPs provide demands a qualitatively different type of trust relationship with their clients than other solution providers typically maintain. When a business hires an MSP, it opens up its own security perimeter to allow that MSP in. The client isn't just betting on the MSP's competence and capacity to carry out specified tasks. The two companies are entering into an ongoing relationship, in which the client places a great deal of faith in the MSP's leadership, employees, partners and technical capacity to defend itself from attack. As Doug Howard, COO of Mountain View, Calif.-based managed security services provider Counterpane, puts it, "We're the guys watching your network, so who's watching us?"
In a very real sense, the client is putting its head into the lion's mouth; as an MSP, it's up to you to make sure they feel justifiably safe in doing so.
'Incidents' That Highlight the Trust IssueThere have been no recent publicized client security breaches that are traceable to an MSP, and neither MSPs nor their clients are eager to speak up about unpublicized ones. Indeed, almost no one in the industry really wants to talk about the security and trust issues inherent in managed services, and understandably so. Given the public's inclination to react to perceived IT security issues out of fear, uncertainty and doubt rather than informed analysis, many are rightfully concerned that MSPs as a whole might be tarred--unfairly--as an inherent security risk.
Several recent incidents have highlighted the trust issue, however, and its increasing significance in the growing MSP market. On Oct. 31, 2006, federal agents arrested the CEO of White Plains, N.Y.-based MSP Compulinx on charges stemming from an alleged scheme to use personal client and employee information in fraudulent credit applications at a number of banks between 2003 and 2006. On March 30, the Chico, Calif.-based MSPAlliance held an emergency meeting to assess its membership approval and accreditation processes after discovering that two members and one applicant may have engaged in questionable business practices; the applicant in question had, among other things, an employee awaiting trial for allegedly embezzling more than $100,000 from a previous employer. The MSPAlliance also reports receiving hundreds of applications from "MSPs" in Nigeria, the Middle East and Russia that lack verifiable credentials.
In the long run, silence on this front could prove an extremely costly strategy both for individual MSPs and the industry as a whole. Sooner or later, a high-profile public incident is inevitable. When that time comes, if MSPs haven't already educated the public and built strong trust relationships with their clients by engaging with them on this issue, the reaction is likely to be swift and harsh. In 2005, for example, three employees at an India-based outsourced call center allegedly stole more than $350,000 from four Citibank customers. The resulting crisis of trust in the entire Indian business-process outsourcing industry threatened to cost it as much as 30 percent of its growth, according to a Forrester report, although the loss was largely mitigated by a nationwide scramble to improve security and shore up confidence.
NEXT: Why your reputation is on the line.
|
HP Launches Managed Print Services Programs With the help of Ben Stein, HP rolled out its Managed Print Services programs. |
|
Catching Up With The Kaseya Crew Kaseya partners were out in full force for last week's partner conference in Las Vegas to tell the world that managed IT services are going great guns despite the economy. |
|
2009 Channel Chiefs: Who's Who In PSA/MSP Platforms Our annual guide to Who's Who in professional services automation and managed services provider platforms. |
 More
Slide Shows |
- IBM Expands Managed Service Offerings For Partners
- MSP And PSA Tools: Who Plays Well Together?
- MSP Minded? What You Must Know About Remote Monitoring & Management
- Cloud Computing Services Market To Near $150 Billion In 2014
- N-able Names New COO
- The Daily App: KyWiki for iPad
- The Daily App: Scan To PDF Free For Android
