Cyber security best practices: Contracting with managed service providers

From: Canadian Centre for Cyber Security

Date: 03 April 2017

Purpose

The purpose of this Information Note is to provide best practices and highlight security considerations when subscribing to services offered by managed service providers.

Assessment

The decision to engage a managed service provider to operate an organization’s information technology services can be cost-effective and create efficiencies. There are two broad categories of service providers which will be referenced in this product: managed service providers (MSPs) who offer a range of information management and information technology services including both physical infrastructure (e.g. servers) and virtual, or cloud, infrastructure; and cloud service providers (CSPs) who manage and store data primarily in a virtual environment. The decision to centralize information with a third-party service provider can present risks to the privacy and integrity of proprietary information. This Information Note is intended to provide an overview of the security and privacy challenges pertinent to public cloud computing, and highlight considerations organizations should take when outsourcing data, applications, and infrastructure to a third-party service provider.

Mitigating the risks associated with using service providers is a responsibility shared between the organization (referred to as the “tenant”) and the MSP or CSP. However, organizations are ultimately responsible for protecting their systems and ensuring the confidentiality, integrity and availability of their data. Organizations that outsource IT infrastructure are recommended to have an open dialogue with their provider and to understand what model they use to manage clients’ services. The information contained in this product is designed to facilitate that dialogue.

Organizations should consider performing a detailed risk assessment and implementing associated mitigations before engaging with a MSP or CSP. Key considerations when using these services include:

Identification of the sensitivity and criticality of the data being stored by conducting a security categorization process for business needs;
the way the cloud service (if applicable) is implemented and managed;
the way in which data will be secured, and who may access this information;
the intended purpose of engaging the service provider; and
potential challenges associated with performing timely incident detection and response (e.g. availability of the service provider during off hours or in other time zones)

Suggested action

CCIRC recommends that organizations review the following best practices and consider their implementation in the context of their business needs:

Keep your operating system and software up-to-date with the latest patches.
Ensure that a MSP/CSP solution satisfies organizational security, privacy and legislative requirements.
Consider asking any service provider to what extent they adhere to an IT security management framework such as “CSE’s Information Technology Security Guidance (ITSG) 33”.
Use designated computers with multi-factor authentication, strong passwords, least access privileges, and encrypted network traffic to administer the cloud service.
Consider implementing two factor authentication and a strong password policy across the organization starting with admin/privileged accounts.
Avoid providing the MSP/CSP with account credentials and / or access to sensitive systems outside of their responsibility.
Use cryptographic controls to protect data in transit between the tenant and the provider.
Consider full data encryption for critical information while at rest, while maintaining control of encryption keys.
Employ full hard drive encryption to ensure data at rest on storage media is not recoverable should the MSP/CSP replace or upgrade physical hard drives.
Consider regular scanning and monitoring for non-standard or suspicious code/files/folders on hosts, and ensure regular audits, even if this is a service provided under contract with the MSP/CSP.
Audit the use network rule/signature based detection tools (e.g. NeoPI, Yara)
Audit the employment of anti-malware and other security tools on corporate assets and/or infrastructure. Consider tools which can both detect and remediate infections. Anti-malware programs and other security tools should be maintained and kept up-to-date, and all executables downloaded to organizations’ infrastructure should be scanned before execution.
Ensure that MSP/CSPs conduct regular reviews of network and system logs for any suspicious activity or traffic which may indicate potential compromise. CCIRC recommends close examination of any unusual network or system activity including:
- Extended periods of increased network or bandwidth utilization;
- Presence of suspicious files/folders;
- Files containing references or suspicious keywords such as cmd.exe or eval; and
- Non-standard network connections (e.g. traffic outside of normal operating hours).
Employ a data backup and recovery plan for all critical information. Ensure that MSP/CSP also employs data backups and recovery plans. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Since network storage can also be affected, this data should be kept on a separate device, and backups should be stored offline.
Contractually retain legal ownership of tenant data. Perform a due diligence review of the MSP/CSP’s contract and financial viability as part of assessing privacy and legal risks. Consider retaining the ability to dissolve the MSP/CSP contact if: the MSP/CSP moves servers/data/backups to a location not agreed upon when the contact was negotiated, if significant changes to security practices occur which undermine the tenant’s confidence in the ability of the MSP/CSP to secure their data, or if the MSP/CSP is acquired by an organization that would not pass due diligence.
Contractually retain the ability to receive a copy of a compromised virtual server for forensic analysis.
Consider asking MSP/CSPs where their infrastructure is located, and whether there may be legal risks in using services which store corporate data internationally.