Best Cyber Security Practices for MSPs

Over 30 millions businesses have fewer than 1,000 employees and many don’t have the IT budget to provide effective network security. Managed Service Providers (MSP) are a godsend for small businesses because they assist or take over IT infrastructures for companies that don’t have the overhead.

However, this also means MSPs are gold mines for cyber criminals. Among small businesses that have been targeted by cyber-criminals, 70% were used as an entry point into a larger enterprise system they supply to. Nearly half (48%) of the cases negatively impacted relationships with larger business counterparts, with nearly a quarter (22%) admitting they are no longer a supplier as a result.

Fortunately there are solutions out there, one of them being a RADIUS server that services multiple clients and keeps them isolated from one another to prevent data breaches. With SecureW2, it’s incredibly easy to set up our turnkey Cloud RADIUS and Cloud PKI services, just see what our customers have to say about it.

Why are MSPs Vulnerable?

The simple answer is that MSPs service multiple organizations who put their trust into MSPs, giving them high-level access to their networks. If one were to hack into an MSP, that MSP then serves as a gateway to all the client networks and data.

So what are some best cyber security practices MSPs can follow?

Leave Behind On-Premise Legacy Systems

Once the cloud was introduced, on-premise legacy systems started becoming obsolete. Network administrators want to completely migrate their network to the cloud, but many on-premise systems can’t function in the cloud, forcing admins to create a hybrid network with both cloud and on-prem components.

While this may work for some businesses, it’s not recommended for MSPs because outdated software is a prime target for cybercrime. On-prem systems can’t match the performance benchmarks being set by modern IT solutions. Plus, the software industry is constantly changing and new products are being released regularly. Software companies will stop supporting legacy products, instead only support newly released products.

Finding workarounds and maintaining legacy systems would be a daily task, so MSPs are encouraged to stick to cloud-based software with support.

Enable WPA2-Enterprise with 802.1x authentication

WPA2-Enterprise is the gold standard for wireless security for good reason. It is used by major enterprises with valuable company data – data that is sought after by cyber criminals. Large companies require the best network security protocols and WPA2-Enterprise does that by following the IEEE 802.1x standard to authenticate users for LAN or WLAN.

802.1x brings powerful authentication methods ensuring that only approved users can access the network. A crucial part of the 802.1x authentication standard is RADIUS, a protocol that checks user credentials to make sure they’re approved and active in the network.

However, implementing a RADIUS server isn’t enough for the best network security, it matters what type of RADIUS server is used.

Configure A Multi-Tenant RADIUS Server For All Clients

MSPs typically offer network security for their clients, but rarely utilize RADIUS authentication because it can be too expensive for thousands of small business clients. Both the MSP and client have to resort to network solutions with shoddy security protocols.

Fortunately, MSPs can incorporate SecureW2’s Cloud RADIUS, a multi-tenant RADIUS solution. Now, MSPs can use just one RADIUS server for all their clients while still maintaining resource isolation.

The main benefit for MSPs is that Cloud RADIUS can segment authentication requests by client before users can access their organization’s network resources. Every MSP client is shielded from one another, further securing client privacy. For more information, check out our page on the benefits of a shared hosted RADIUS for MSPs.

What makes our Cloud RADIUS a best security practice is using certificates to authenticate, which we’ll discuss next.

Authenticate Users with Certificates, Not Credentials

Even though a RADIUS server provides strong security, it can be undermined with credential-based authentication. Authenticating users with unique credentials relies on end users not giving away their passwords, which is unfortunately commonplace. Coupled with that is the severity of modern social engineering attacks like phishing, which has risen to astronomical rates during the Covid-19 pandemic. Since passwords can be shared and stolen, they aren’t an accurate method for identification.

Credential-based authentication methods like EAP-TTLS/PAP and PEAP-MSCHAPv2 suffer from major drawbacks that could allow malicious actors to compromise an entire network. MSPs are worse off because all their clients are at risk if an MSP is hit with a cyber attack.

EAP-TTLS/PAP provides an encrypted tunnel during a client-server connection, but doesn’t encrypt the data being passed through the tunnel. Dozens of cyber attacks can impersonate a server, so the tunnel is useless if a client connects to a rogue Access Point.

While PEAP-MSCHAPv2 does encrypt shared data, there’s a vulnerability that can be easily exploited, making PEAP an ineffective security measure as well.

The best security practice is enrolling client network users with digital certificates and using them as identification. Certificates use public-private key cryptography to encrypt information stored within them so no outside entities can access the data. Certificates require a Public Key Infrastructure (PKI) to operate, which is daunting for admins to build and implement. Luckily, SecureW2’s Managed PKI is a turnkey PKI solution that offers all the components an MSP needs to integrate a PKI with their networks.

With our Managed PKI, MSPs can enable certificate-based EAP-TLS authentication for network resources, Wi-Fi, VPN, applications, desktop logon and much more. Our PKI comes with JoinNow onboarding software, allowing MSPs to configure all devices to self-service themselves for secure network connectivity.

Backup Data Regularly

Backups are essential for companies to protect their assets from cyber threats. Unfortunately, data backups are largely overlooked by many MSPs with a 2017 report finding that only 29% of MSPs backup their data. In today’s age, it’s imperative that companies have a data backup strategy in place.

The best solution for data backups is the built-in redundancy mechanic of SecureW2’s Cloud RADIUS. While data backup and recovery aren’t exactly the same, built-in redundancy provides a solution in the case of data loss.

Redundancy ensures that company data is still available in the case of a high-traffic event, data breach, or a server going down. Many RADIUS servers don’t even offer redundancy and admins would have to find their own solution.

Enable Multi-Factor Authentication

Multi-Factor Authentication (MFA) improves network security by requiring more than one form of identity to authenticate users for network access. The three factors of MFA are something you know (such as a password), something you have (such as a certificate/smart card), and something you are (such as biometrics). MFA is an excellent tool for MSPs to secure client networks.

However, MFA is only as strong as the weakest form of authentication. MFA security can be undermined if a network relies on end users creating their own credentials for authentication. Successful cyber attacks occur when networks rely on end users to uphold security standards.

Again, the key is using digital certificates as a form of identification. Furthermore, certificates from SecureW2 cannot be stolen or transferred from a device. Once a certificate is equipped onto a device, it can only be removed by an approved IT department head.

Vulnerability Monitoring

MSP admins should regularly test for vulnerabilities in client systems to determine if they’re security measures are outdated or need to be patched.

A common method for vulnerability testing is running a mock cyber attack to see how the client network reacts. For more information, check out our article on the best tools for testing man-in-the-middle attacks on Wi-Fi.

Review Network Access Privileges

Any IT admin will tell you that employees are constantly being onboarded, offloaded, and moved around in an organization. That means user privileges require regular review and adjustment. Admins could discover that a user has access to mission-critical information and sensitive network locations when they’re not supposed to, which is a major security risk.

Again, our Cloud RADIUS performs runtime-level policy decisions by directly communicating with directories and referencing user entries. This solution is the fastest way to correct the above mistakes, minimizing the window of vulnerability in your network.

Standard certificate-based RADIUS authentication works by the RADIUS server referencing the Certificate Revocation List (CRL) if the client provides a trusted root CA-signed certificate. With this process, the RADIUS server can only see the information input onto the certificate, which isn’t much. On top of that, certificates are usually static, meaning admins have to revoke and enroll users for a new certificate if they’re permissions change.

With Dynamic RADIUS, the data can be stored in the directory, which the RADIUS server then uses to enforce policy decisions based on user permissions. This system is much more efficient and secure because it’s easier to authenticate clients for network access.

Monitor Network Logs

MSPs admins should always monitor logs to look for anything suspicious. By doing so, admins can identify threat patterns and fix any security gaps. Since MSPs are tasked with monitoring several networks, admins can use security information and event management (SIEM) that make it easier to monitor logs for multiple networks.

With SecureW2, MSPs admins will always be able to know who’s on the network by leveraging certificates to track each user and device to every network connection/session. Our software comes with an AI that detects and alerts you to any anomalies.

Secure Email Client

Sensitive information is shared through email everyday, so it’s vital that organizations keep email messaging private. However, phishing tactics have become harder to identify, so securing email has been a challenge for many MSPs.

The best solution to secure email is with Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME is a public encryption method that is used to digitally sign email messages, identifying the sender. Emails sent from trusted sources are automatically decrypted while emails from untrusted sources are immediately flagged.

S/MIME uses certificates and requires a PKI to implement. SecureW2’s Managed PKI contains all the necessary components for MSPs to enable S/MIME encryption.

Secure Client Networks with SecureW2 PKI and Cloud RADIUS

It’s important for MSPs to take every action to protect client networks because MSPs contain a lot of sensitive data. By integrating their environments with SecureW2’s Managed PKI and Cloud RADIUS, MSPs can secure user authentication and eliminate major cyber threats, like phishing attacks.

SecureW2’s Cloud RADIUS enables MSPs to offer native integrations for any cloud IDP including Azure and Okta. Our unique multi-customer RADIUS allows MSPs to offer affordable, premium authentication security to all of their clients. Click here to see our pricing.