We talk about security an awful lot here at Beaty Consultancy. We’re a little bit obsessed with it. But isn’t that a good thing? If you’re going to trust us with access to all your data, and data belonging to your clients, shouldn’t we be security draft? I think so. In that spirit, let’s talk about the security precautions as a Managed Service Provider, or MSP.
What Data are we Protecting?
We work with all kinds of companies, and they have all kinds of data. Some of our clients have links with law enforcement. Others store many of their customer’s sensitive documents within their systems while they process them. And other clients don’t have either of them. Does that mean we can be a bit more relaxed with the latter? Absolutely not!
In the case of our clients who don’t have much data to protect, they still have one thing in common with the clients who have lots of sensitive data. They all have a reputation to protect.
Would you deal with a company who had recently lost the details of all of their customers? Absolutely not. So we need to ensure that there are no data leaks, vulnerabilities or bugs in code we run on behalf of our clients. As a managed service provider, a part of the service we deliver is protecting your reputation.
Now we know what data we’re protecting on behalf of our clients. Let’s talk about our security precautions.
Any piece of hardware that client data touches within the Beaty Consultancy estate is controlled and encrypted, without exception. Smartphones, tablets, laptops, servers, everything!
In terms of the hardware we use in general, we tend to stick to one brand, like a lot of folks do. That gives us a few benefits, such as just being sure things work with eachother! When your computer is the tool of your trade, you have to be sure it’s going to work all the time. But also, the hardware vendor we use align themselves with our values as regard security. They’re not in the game of selling data to advertisers, nor are they reliant on external software vendors who set their own privacy rules.
To read about why the Yubikey became our company standard, have a read about the U2F standard and why it’s awesome.
We pick the software we use very carefully. We always try to understand the license agreement for the software we use, and their policies around sharing data and telemetry, since it’s our duty to know where your data might be.
The other big thing we look out for is the ability to set our own encryption passwords, or choose our own certificates. This isn’t always possible, but where it is, we want to be the ones to control the secrets, not an external company. So in the case of our trusted backup partner, they can’t actually get into our data because it is encrypted with keys which only we hold, before it leaves our office. To them, they’re storing jibberish, which only makes sense again when we decrypt it.
Backups and Encryption
It should go without saying at this point that we have backups and they’re encrypted. Well I’ll say it anyway. We have backups (on site and off site), and yep, they’re encrypted.
Things We Don’t Do as a Managed Service Provider
We don’t use superfluous devices which we can’t trust. That USB powered dancing daisy in a flower pot we got for Secret Santa – nope! We don’t know what’s in there, and while our software defences should protect us from anything in there trying to pull data from our systems, I think I can probably live without a dancing flower.
We don’t use smart speakers for any line of business data. I personally won’t have one in our home, but I can’t control other environments we might do business in, like client’s offices etc. But I can ensure we just don’t use them for work stuff. I know from first hand experience that the makers of these amazing voice assistant products work super hard to make sure their security is as robust as it possibly can be, but it’s just another case of taking things out of our security equasion. If we don’t have any voice assistants, we can’t ever be hacked if there does emerge a vulnerability in one.
We don’t connect directly to any network we don’t control. Again, like the voice assistant piece, we can’t always control the environment, and we might have to use public WiFi, or even a client’s WiFi, but you better believe all our traffic leaves via a VPN.
So as you can gather by now, we don’t just do one thing, or have one policy to cover our security concerns, we have a culture. security precautions as a managed service provider don’t start and end with a password manager and 2 factor authentication on accounts, it’s about the role that security plays in the day to day running of the business. In turn, that translates to how we help you run your business, and help you secure your data assets.
You can read more about how we work in our recent post – A day in the life of a cloud consultant