We work with hundreds of growing MSPs and IT providers who are automating much of their business. When you think of your favorite PSA platform (ConnectWise and AutoTask, to name a couple), what we are really talking about is Information Technology Service Management (ITSM).
ITSM itself may be a foreign concept to you. It is the practice of improving your IT service delivery through best practices. If you have already invested in a PSA solution you probably understand what it is about, even if you don't know what it is officially called. In larger companies, meeting the industry standards and compliance objectives of ITSM is accomplished through the Information Technology Infrastructure Library (ITIL). ITIL is typically focused on the processes and management within a single organization, which makes service delivery through external parties across multiple business units (or entirely different companies, for that matter) hard to measure. And the ideal of meeting the certification objectives of a standard like ISO/IEC 20000 is just not practical for many of our partners.
Most PSA tools do a good job of focusing on the ITIL best practices that are the core competency of MSPs and IT providers. That usually covers Service Management, Asset Management, Change Management, Problem Management and Incident Management. Typically, though, Information Security Management (ISM) is completely missing, or woefully inadequate. Usually this is under the guise that security doesn't matter, or that service providers simply aren't big enough to need to fret about the liability they may face, or the accountability they may not currently hold or audit.
By its very nature, the purpose of ISM is to ensure that the risks to the business are being managed appropriately. After all, that IS what security is supposed to be about... reducing risk to a level the organization is willing to accept. ISM actually goes deeper than ISO/IEC 20000, having its own family of standards in ISO/IEC 27000, but serves the same general purpose across both. The ISM process is meant to align IT security with business security so that information security is effectively managed in all service and service management activities, such that:
- Information is kept confidential, observed and disclosed only to those people with the right to know. (Confidentiality)
- Information is complete, accurate and protected against unauthorized access or modification. (Integrity)
- Information is always available and usable when it is required. (Availability)
- Business transactions, as well as all information exchanges, can always be trusted, are authentic and are non-repudiable. (Authenticity)
If you have ever studied information security, you will recognize the first three as the "three pillars of infosec", more often called the CIA triad: Confidentiality, Integrity, Availability. ITIL extends the triad with the fourth objective, authenticity (including non-repudiation), so that you can prove who did what. All of these must be maintained to assure a secure system that keeps risk at an acceptable level. Without them, you simply cannot meet the objectives of ISM.
Now back to PSA tools like ConnectWise and AutoTask. The confidential information stored in them (client credentials, network documentation, tickets describing every weakness in your clients' environments) is so sensitive, and so vital to the business, that it must be protected at all times. Think about it for a minute. If a staff member were to leave your organization, are you certain he has no way to regain access to your PSA system? Weak static passwords used to authenticate to these systems are easy to share, steal or circumvent. Can you be sure that when "Bob" leaves the company he doesn't know "Alice's" typical password, giving him access to the very information ISM is supposed to protect? Can you be sure that the desktop Alice does her work on doesn't have malware that collects your critical RMM and PSA passwords as she accesses those systems?
This is where two-factor authentication comes in. It provides a level of identity assurance so you can be confident that when a staff member accesses your RMM and PSA tools, they are actually who they say they are, and that they are permitted to access the information. A shared or keylogged password is useless without the second factor, and when Bob leaves you revoke his token rather than hoping he never learned anyone else's password. (It is not a cure-all: a second factor does not protect a session that is already authenticated on a compromised desktop, so endpoint hygiene still matters.) That directly meets the goals of ISM, and therefore meets the best practice objectives of ITSM as a whole. And both ConnectWise and AutoTask support this, BUILT IN to their software. So why aren't you using it?
The good news is that partners who have already invested in their AuthAnvil architecture can probably do this right out of the box with their favorite PSA solution. There is no extra cost to gain the identity assurance benefits of AuthAnvil while reducing your business liability across all your client networks and increasing the accountability of all your staff when they access these systems and the confidential information stored in your PSA toolset.
So my challenge to the MSP and IT provider community at large is this... WHY don't you think ISM is important to you? Your entire business rests on the protection and safeguarding of the systems, processes and information stored in your RMM and PSA tools, and you are willing to protect all of that with a weak password that may very well be shared, stolen or circumvented. If you are planning to grow your business and add more clients and staff, are you really OK with that?
Want to discuss ITSM, ISM and/or AuthAnvil in more detail? Let's talk.
P.S. If you would like to pick up a good book on this, I highly recommend Information Security Management with ITIL V3. It's a hard book to come by, but it really hits home if you are a progressive IT services company with growing concerns about ISM and ITIL and need to meet the compliance objectives set forth in ISO/IEC 27000. This won't be a read for one-man shops managing a handful of clients. But if you have several staff members managing hundreds or thousands of endpoints across many different companies, and use a PSA system that follows ITIL best practices, this may be a good read for you. Enjoy.