November 22, 2019
RMM Security: More Than Just Cloud vs. On-Prem
When selecting a remote monitoring and management (RMM) solution, there are many considerations. You’ll obviously start with monitoring and management capabilities and integration with the rest of your tech stack. Security will likely follow soon after because remote monitoring and RMM software can be a common target of threat actors looking to deploy ransomware. You may have seen examples of this type of attack in the news recently. In one highly publicized attack, an MSP was forced to pay $150,000 to unlock client data.
There is an ongoing debate among MSPs about which is more secure—cloud or on-premises RMM. We hear this question all the time. However, according to Datto CISO Ryan Weeks, cloud vs. on-prem isn’t the right question. “You can’t make a general statement that one is more secure than the other,” he said. “In a perfect world, both would be secure. It really depends on who is configuring and administering it. That’s the X factor.”
In other words, RMM security isn’t just about the RMM solution, it’s also about you. As an MSP, you bear the responsibility for your clients’ IT security. For this reason, many MSPs choose to host RMM in-house. They think: ‘well if I’m responsible for this thing, why would I put it in someone else’s hands and lose control?’. This, of course, is a completely valid question. And for some MSPs, on-premises RMM may be the right choice—particularly those with strong security chops.
However, not every MSP has a security background, and that’s where things can get dicey. When compared with cloud-based tools, on-premises RMM solutions are inherently more complicated to deploy and manage. This increases the chance for user error. For example, leaving a port directly exposed to the Internet, or setting up user credentials incorrectly.
“Complexity is the enemy of security,” said Weeks. “With on-premises solutions, MSPs must perform important up-front configuration and ongoing maintenance of networking, software, and hardware that affect the security posture of the deployment. Cloud-based solutions take the infrastructure and networking configuration piece off the table, reducing complexity and potentially increasing security.”
On the flip side, not all cloud-based RMM solutions (or vendors) are created equally. So, you really need to do your due diligence regardless of where the solution is hosted.
Choosing the Right Solution
Ultimately, the RMM software you choose will depend on your specific business needs. There is no single “right” solution for every business. However, the following guidelines can help ensure you get a product that meets your needs:
- Take a hard look at your team’s skill set. Do you currently have the in-house resources necessary for the product’s administration? If not, what would it take to acquire those skills? For example, how much training would it require and how long would it take? Would you need to hire additional staff to obtain the skills necessary to manage the solution? Would managing the solution in-house introduce risk to your business?
- Consider the amount of time and effort required to manage the solution. Do you have the bandwidth to ensure that the complete solution (including hardware if on-premises) is secure? Do you currently have enough staff to properly manage the solution over time? Would it take employees away from other important tasks or prevent them from taking on additional work? Remember, configuration errors are a common source of security vulnerabilities. Is the product easy to configure or pre-configured in a secure manner?
- Evaluate the vendor as well as the solution. Do you have confidence that the vendor will deliver the support you need to properly deploy the product? Does the vendor have a good reputation for tech support? Does the vendor have a strong roadmap for security-related enhancements to keep pace with the changing threat landscape? Does the product enable secure practices? For example, does it offer two-factor authentication? Are patching and updates straightforward, or even better, automated?
Ultimately, a product that reduces complexity from a vendor that eases deployment and maintenance can help you keep clients secure. Datto RMM is one such solution.
If you are currently evaluating RMM tools, you can learn more about Datto RMM here.