Selecting managed service providers can be a difficult task for customers, which can easily translate to difficulties for MSPs trying to convince prospects that their services are properly secured and managed. With this challenge in mind, the International Association of Cloud & Managed Service Providers (MSPAlliance), a professional association with more than 20,000 members worldwide, is introducing guidelines for the validation of MSPs, based in part on the Unified Certification Standard for Cloud & Managed Service Providers (UCS), as well as the group's code of conduct.
Key aspects include specific information on the location of customer data, disclosure and policies for the control of any third-party data access, transparency requirements, ethical and financial controls, and also requirements around the use of both public and private clouds.
"This is a vehicle for giving business customers transparency into who their service provider is, and how their data is being managed," said Charles Weaver, CEO of the MSPAlliance. "Businesses have a compelling need to know where their data is located, as well as who is touching their data. The UCS certification requires a full audit, including on-site visits."
[Related: MSPs: Where The Money Is]
In the midst of recent developments with the national security agency and related disclosures, location of data has emerged as a major issue among some circles.
"The Canadians are really freaked out about data leaking south of the border because of the Patriot Act," Weaver said. "They want to know if data that enters the United States might be subjected to further probing. Regardless of your politics, this can be an issue of concern. MSPs need to understand what kinds of cloud environments they are bringing the customer, and be able to answer questions quickly and concisely."
"Customers are asking not just about your infrastructure in the data center, but also about policies and procedures," he continued. "The strength of the data security is only as strong as the weakest link. The MSP operation extends to wherever the MSP personnel are logging in from, how they login, whether they go through a firewall, or whether they are leveraging third-party NOCs, help desks and after-hours support. People want to know who is touching their data. Are you handling credentials properly? We also talk about financial health a lot. It goes beyond [profit and loss], but also goes to financial risk tolerance, insurance, [service-level agreements] and cash flow."
NEXT: Potential For Government RegulationAccording to MSPAlliance's Weaver, the group does audits on five continents, leveraging local auditors in each geography.
"We need greater visibility and greater transparency, if we are going to be an unregulated profession," Weaver said. "I am a staunch advocate of non-licensure of managed service and cloud providers. But that's not to say that we don't need transparency, which is fundamental to people having faith and trust in what the MSPs are doing. I'm not aware of any cloud or managed service provider licensing bill making the rounds in Washington. But it only takes one failure of a noteworthy MSP before all this goes sideways on us."
Most MSPs participating in the audits fall into one of three categories. Some plan to use the certification for marketing purposes. Others are trying to fix problems within their businesses. And the third group, according to Weaver, is trying to satisfy compliance requirements for their customers.
John Burgess, president of Mainstream Technologies Inc., a Little Rock, Ark.-based MSP, already completed the process.
"We've found that it has helped us secure a higher grade of client, including those in highly regulated industries and business," Burgess told CRN. "It's probably added 10 or 15 percent to our bottom line. The Unified Certification Standard is fairly rigorous. We were in pretty good shape already, but it was important to formalize and document what we were doing."
PUBLISHED JUNE 20, 2013