Fundamental Security Offerings Your MSP Needs To Be Providing Your Clients
By John Watkins, Capital Business Systems, Inc.
Regardless of how large your client is or the industry that they work in, there are certain things that you should be doing for them. The following list can be considered the foundation of an SMB’s IT needs. Some industries that are regulated may require additional technologies or IT policies to become compliant, but this list provides a starting point for MSPs to evaluate their client’s IT health.
Security in the IT world is a vast topic, but arguably the most important. You could spend your entire career in the Cyber Security field and still learn something new every day, as hackers and malware coders are constantly working on finding new ways to break into systems. But there are a few steps that every business should take to reduce their company's attack surface and limit the damage that malicious actors can inflict. To keep things simple, let's break security down into two parts: Network Security and Endpoint Security.
Network Security
Network Security encompasses all aspects of your client's network, from the internet box provided by their ISP to the wireless network their phones connect to when they come in in the morning. Let's start with that ISP internet box (router). This is what connects the local office network (LAN) to the internet and is supposed to keep your network secure. The problem is that the routers provided by ISPs are not designed with security in mind: they often use a default admin password that can be found on Google, and they lack the capability to perform security scans on the data passing through them.
The answer to these shortcomings is to use a Unified Threat Management (UTM) device either in place of, or directly behind, the ISP router. UTMs act as a firewall and have advanced network scanning technologies built in, like Deep Packet Inspection (DPI), which inspects all data coming into your client's network, and Intrusion Prevention Systems (IPS), which monitor for malicious traffic trying to enter their network. UTMs also provide your clients with secure remote access to resources on their LAN via Virtual Private Networks (VPNs), include advanced web filtering features, and offer other advanced networking capabilities that work to keep your client's network secure.
We require all of our clients to have a Sophos UTM in place, regardless of whether they are a large automotive dealership or a small insurance office. The Sophos XG line of UTMs is perfect for MSPs, partly due to the wide variety of UTM form factors available.
The next piece of the Network Security puzzle is to ensure that your clients' local network is properly segmented. Segmentation of networks helps to keep the different types of network traffic isolated by only allowing specific types of packets to cross into other segments. This is commonly achieved by creating a Virtual LAN (vLAN) for each type of network traffic, then defining which vLANs can communicate with each other using firewall rules. You can then "shape" the traffic using Quality of Service (QoS) rules to prioritize one type of traffic over another.
For example, say you have a vLAN for your workstations, one for your servers and another for your Voice over IP (VoIP) phones. You can use vLANs to only allow access from your workstation vLAN to your server vLAN when using HTTPS, so that your users can still use their CRM solution, but if a workstation is infected it won't be able to spread to the servers over common infection ports (SSH, RDP, etc.). For offices that use VoIP phones, network noise can significantly impact the clarity of calls. Separating the phones into their own vLAN and using QoS rules to prioritize the traffic on that vLAN will ensure that calls come in clear, even if users are streaming Netflix and Spotify on their workstations.
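As an added illustration of the workstation-to-server rule described above (this is not code from the original article or from any UTM vendor), here is a small Python model of a default-deny inter-vLAN policy. The vLAN names, the "internet" pseudo-vLAN and the SIP port for the phones are constructed assumptions.

```python
"""Default-deny inter-vLAN policy model (constructed example).

Each allow rule names a (source vLAN, destination vLAN, protocol, port) that
may cross the firewall; anything not explicitly allowed is dropped, which is
how the workstation->server HTTPS-only rule in the text is expressed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_vlan: str
    dst_vlan: str
    proto: str   # "tcp" or "udp"
    dst_port: int


# Flows share the same shape as rules; a flow is one observed connection.
Flow = Rule

# Ports commonly abused for lateral movement once a workstation is infected.
LATERAL_MOVEMENT_PORTS = {22: "ssh", 3389: "rdp", 445: "smb"}

# Assumed three-vLAN layout: workstations reach servers only over HTTPS and
# browse the web; phones only reach their SIP provider (5060 is an assumption).
POLICY = [
    Rule("workstations", "servers", "tcp", 443),
    Rule("workstations", "internet", "tcp", 443),
    Rule("workstations", "internet", "tcp", 80),
    Rule("voip", "internet", "udp", 5060),
]


def evaluate(flow, policy=POLICY):
    """Return 'allow' if a rule matches the flow, otherwise 'deny'.

    Traffic that stays inside one vLAN never crosses the firewall, so it is
    not filtered here; everything between vLANs is default-deny.
    """
    if flow.src_vlan == flow.dst_vlan:
        return "allow"
    return "allow" if flow in policy else "deny"


def lateral_exposure(policy, src_vlan, dst_vlan):
    """List lateral-movement ports a policy leaves open from src to dst vLAN.

    An empty list is the desired audit result for workstations -> servers.
    """
    return sorted(r.dst_port for r in policy
                  if r.src_vlan == src_vlan and r.dst_vlan == dst_vlan
                  and r.dst_port in LATERAL_MOVEMENT_PORTS)
```

Running `evaluate(Flow("workstations", "servers", "tcp", 3389))` returns `"deny"` while the HTTPS flow returns `"allow"`, and `lateral_exposure(POLICY, "workstations", "servers")` is empty, which is the check to repeat whenever a rule is added to the policy.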
Wireless network communication is a technology that is widely used in both the consumer and business markets, but don’t make the mistake of thinking that they are the same. While consumer wireless products (like the wifi provided by your ISP) are designed to be simple to use (built in WPS for example), business class wireless solutions focus extensively on security and reliability when designing their products. Some features that set the business class products apart from the consumer products include Client Isolation, Mesh Wireless, RADIUS Authentication and time-based access.
For our clients, we set up three separate wireless networks: Internal, User and Guest. The Internal network is the most secure and is used for connecting devices that need to communicate with resources on the LAN. We set these networks to not broadcast their SSID and use a complex password that's regularly rotated. The User wireless network is used for employee phones, Alexas and other IoT devices. Its SSID is broadcast, and the network is isolated from the LAN resources but can still communicate with the internet with normal web filtering. The Guest network's SSID is broadcast (but only during the times we set, usually business hours) and the network is isolated from any internal networks. We also tighten down the web filtering and isolate each individual client that connects to the Guest wireless.
Endpoint Security
Now that your network is segmented and being guarded by a powerful UTM, it's time to look at security from the endpoint perspective. There are hundreds of companies that offer general Anti-Virus solutions and even dozens that offer solutions catered to MSPs specifically. While most of these solutions may look the same on paper, it's important that you don't settle on a solution based solely on price. While cost should be a factor in your decision, don't forget to look into the product's effectiveness in third-party tests, learn what features are included and verify the level of support that the vendor provides you as a partner. For example, Windows Defender is free, but its performance in independent tests isn't the best, it has a limited feature set and if you run into a problem, you're largely on your own to get it resolved.
While there are a lot of features offered in various AV solutions, there are a few that are good to have no matter which solution you end up with. As we are a Sophos Security shop, I'll be using their terminology, but similar features may be available from other solutions as well. Peripheral Control allows you to block specific peripherals, such as flash drives, Bluetooth devices and MTP/PTP devices, from connecting to an endpoint. We find this very useful for public kiosk PCs and problem users who like to connect every flash drive they find on the ground to their workstation. The built-in Web Control feature is helpful for filtering the websites that a user can access, even when they aren't behind a UTM. This is very helpful for remote workers and executives that often travel for business.
Moving off of the basic features offered in various endpoint security solutions, let's take a look at Sophos' InterceptX product. This is an optional, additional component to the Sophos endpoint AV solution, but is absolutely worth the investment. InterceptX is an anti-crypto AV that leverages machine learning and AI to identify cryptoware attacks in real time. Once an attack is identified, InterceptX will stop the encryption of files and even revert files to their last clean state. There are a couple of other AV vendors who offer products that claim to provide similar protection, but Sophos was the first to bring their product to market (that I had heard of anyway). We have used InterceptX since it was made available to partners a couple of years ago, and since that time we have not had a single client fall victim to a cryptoware attack (even though some users gave it their all!).
The last big component of endpoint security that I want to address is Encryption. While required by some industry regulations (PCI, HIPAA, etc.), encryption should be put into place at all of your clients regardless of any regulations. We encrypt all laptops and mobile devices as part of our base client policy, and encrypt all devices (workstations, servers, etc.) for clients that fall under additional regulations. Once again, Sophos makes this easy for us with their Central Encryption solution, which allows us to centrally manage BitLocker across all of our clients' endpoints.
About The Author
John Watkins is a seasoned expert in SMB technologies, having spent over a decade helping businesses grow by leveraging new technology and IT processes. While his focus has been primarily in IT Management, he is also well-versed in Unified Communications/VoIP, Cloud Technologies and Cyber Security. Currently, John works for Capital Business Systems, providing vCIO services to clients across the Midwestern United States. For more information visit www.NebraskaITServices.com.