How MSPs Can Leverage the UK’s National Cyber Security Centre’s Cloud Services Guidance to Grow Their Business


A recent release from the Cybersecurity and Infrastructure Security Agency (CISA) caught our eye because we’re always looking for ways to help our Arcserve technology partners thrive.

The release encouraged organizations that use a third party—such as a managed services provider (MSP)—to administer cloud services to implement the guidance offered in a post by the United Kingdom’s National Cyber Security Centre (NCSC-UK).  

Last year, CISA, NCSC-UK, and the cybersecurity authorities of Australia, Canada, and New Zealand issued an alert that threat actors have increasingly targeted MSPs to gain access to their customers’ networks. Those threats are genuine, with a study by N-Able finding that almost all responding MSPs had suffered an attack in the past 18 months, and 90 percent had seen an increase in attacks since the pandemic started. The study also found that 82 percent of MSPs’ customers had seen an increase in attempted cyberattacks.

Cloud Guidance for Customers Equals Guidelines for MSPs

The NCSC-UK post focuses on what customers should verify before they choose an MSP under the subhead, “Check the following sooner rather than later.” Here’s a summary.

Follow the “Least Privilege” Principle

The post suggests that, as an MSP, your cloud privileges “should be proportionate” to what you’ve been tasked to do. CISA describes the least privilege principle as allowing only the minimum necessary rights to be assigned to a subject requesting access to a resource for the minimum duration required. For MSPs, that translates into ensuring your cloud privileges are structured so that your access to sensitive customer data can be limited based on the customer’s need.  

Ensure Transparency

Here, the post recommends that customers with their own security operations center (SOC) have complete visibility into the actions taken on their cloud services by you as the MSP, by your people, and by their internal team. It highlights that MSPs should not use generic, shared management accounts. NCSC-UK also offers guidance on secure system administration, noting that monitoring administrator privileges lets MSPs’ customers quickly identify when these privileges are being misused.

Follow Secure Admin Practices

Given that MSPs are a ripe target for cybercriminals, the post says customers should expect their MSPs to employ security standards that exceed their own. That includes using multi-factor authentication and limiting work on client accounts to a privileged access workstation.

Disclose Your Partners’ Security Practices

With many MSPs outsourcing the administration of services to cloud service providers (CSPs), the post suggests that customers check that the security-related clauses in your contract also cover your suppliers. Given the shared responsibility model that most cloud providers follow—which leaves the ultimate responsibility for customer data to the customer—it is incumbent on you, as the MSP, to help protect that cloud data.

Inform Customers of Potential Breaches

While this may seem obvious, your contract should include a clause stating that your customers will always be immediately informed about any possible breach that could affect their service or data. That includes breaches that may happen in your supply chain.

Outsourced IT Makes Sense

In 2021, CISA issued a release that said, “outsourcing IT services provides both increased benefits and risk to an organization.” MSPs that align their cloud offerings with global best practices that mitigate the risks listed in the NCSC-UK blog can build confidence with existing customers—and compete more effectively for new ones.

Learn more about the benefits of becoming an Arcserve technology partner.