Whether you are a managed service provider using a remote monitoring and management (RMM) system to monitor client infrastructures, or an IT Operations group monitoring your company’s internal infrastructure, your IT management system is an important infrastructure component that needs to be secured. It’s also a key tool that you can use as part of your security apparatus to help protect the remaining infrastructure. Without strong security capabilities, your RMM system can easily become a tool for hackers and cyber criminals instead of serving its intended purpose.
PCI DSS Compliance
This is particularly important for businesses where industry security compliance is required. For retail and financial businesses, the Payment Card Industry Data Security Standard (PCI DSS) requires that cardholder data be protected behind a firewall, yet the monitoring system, especially if it is remote, is likely to operate through that firewall. Attackers who gain access to the monitoring system gain an immediate entry point to the core of your infrastructure, or to your end devices such as POS terminals and self-service kiosks. Beyond direct access, remote management systems can obviously be used to change configurations and security settings on communications devices and firewalls, to download software (or malware) to end devices, and to patch (or merely mark as patched) existing applications, any or all of which can be used to open further vulnerabilities.
To further protect against communication with “untrusted networks” (the term used for any network not under direct control), the PCI DSS standards also require the securing of infrastructure information, the maintenance of an accurate and up-to-date inventory of all components that are in scope for PCI DSS requirements, and the development and maintenance of standard configurations for those components, along with many other factors. Your RMM system is likely to be a significant help in meeting these expectations and in helping with ongoing audits. For example, policy management can be used to ensure configuration standards are maintained and that only approved applications are able to be run on protected end devices. It can also be used to periodically ensure that mobile laptop computers have encryption technology installed and enabled to protect health records from disclosure in the event of theft.
For IT professionals in the healthcare field, securing protected health information (PHI) is a major issue. While HIPAA and its related regulations do not spell out how patient data should be protected, they go beyond technical recommendations to legally mandate that it must be protected. Both healthcare organizations (HIPAA's "covered entities") and their business associates (organizations supplying healthcare-related services that require access to patient data) are subject to HIPAA regulations. From an IT perspective this certainly means that the IT Operations personnel of both covered entities and any business associate organizations must take every precaution to maintain security and patient privacy when managing electronic systems that contain or process PHI.
Perhaps more interesting is the case of MSPs who provide managed services to healthcare organizations. It can be argued that, by the letter of the law, they are not considered business associates for the purposes of HIPAA, on the grounds that they do not require access to patient data to do their work. In practice, however, it is unlikely that a healthcare provider would contract for managed services without the requisite guarantees of security and data protection. Certainly it has been a common Kaseya experience that, when the need for strong security capabilities and processes is raised, MSPs who service healthcare clients have immediately recognized it.
So in either case, whether you are an internal or an external IT service provider, you should be taking all necessary steps to secure your monitoring capabilities and to use them, appropriately, to ensure the security of the systems you monitor and manage. And it is our belief that MSPs seeking healthcare clients will find that strong security capabilities and processes are the price of entry into that market.
Beyond securing their technology, those providing IT services must also ensure that their own policies and procedures support their (internal or external) customers' needs. The use of strong passwords, single sign-on, multi-factor authentication, cyclical password updates, regular threat assessments, defined device configurations, test-before-going-live reviews, frequent security education and so on should be documented as requirements for all systems and personnel, and adhered to.
Kaseya is the leader in cloud-based remote monitoring and management and offers a comprehensive monitoring solution used by MSPs and SMBs worldwide. To find out more about what you can accomplish from a single pane of glass and how your monitoring solution can help protect your infrastructure click here.
Are you using your IT monitoring systems to enhance the security of your IT infrastructure?
Author: Ray Wright