Cloud App SecurityOffice 365, Google Drive, Sharepoint: businesses love them, but we ask if security vendors do enough to help partners address their known vulnerabilities – profitably!

In a recent post, we looked at the known security limitations of cloud-delivered applications like Office 365, Google Drive, Sharepoint, and others.

As we pointed out, identifying security weaknesses in these platforms and providing cloud app customers with solutions to them can prove profitable, according to industry commentators – but are security vendors even addressing this space in the first place, let alone in a way that enables vendors to make viable margins out of it?

Cloud application security: how big is the pie?

The first point we need to make here is that the potential market for these kind of security solutions is big and growing. Since 2011, as this Worldwide Cloud Applications Market Forecast 2015 – 2019 shows, the Cloud applications market has more than doubled, and now accounts for 20% of the overall enterprise applications space.

By 2019, Cloud applications subscription revenues could make up 35% of the total addressable market opportunity.

Captured amongst all that, of course, are the very applications businesses most want MSPs and other partners to provide – hosted email, file sharing, collaboration, and so on.

And these are the very applications that, whilst delivered in a secure manner, are not fully able to secure the content that passes through them, making them vulnerable to risks like advanced and hidden malware, ransomware, phishing attacks, leaking of sensitive data, file sharing on unauthorised devices, and remote user network breaches.

In short, there’s plenty of pie available – and cloud application security is potentially the utensil that enables MSPs and other partners to carve themselves a sizeable slice of it!

Delivering security for cloud apps: how hard can it be?

But the second point we have to consider is that cloud applications need security that is built expressly for cloud computing conditions – and existing security techniques fall down badly in this respect, resulting in few solutions that are fit for purpose.

Just take a look at traditional web monitoring, for example – it funnels traffic out of the cloud and into a separate service, adding significant latency that negatively impacts both performance and capacity.

Only if pre-cloud approaches are consigned to the dustbin, and direct cloud-to-cloud API integration is offered in its stead, can vendors play strongly in this space, and partners reap the benefits.

In this scenario, a literally instant cloud app security deployment is possible, requiring nothing more than the submission of administrator credentials for the apps in question.

Bundling, licensing, pricing – can partners make money out of cloud app security?

Quite apart from the fact that very few vendors are actually active in the cloud app security space in any serious way, my third point is as much to do with the partner model as it is with the scarcity of those offerings.

Even if solutions were plentiful, reselling them in a subscription or perpetual licensing model produces the same challenges that any other reseller in any other IT market encounters – high upfront subscription costs, unpredictable income, lack of flexibility to scale services up and down (and missing out on the additional revenue that such upscaling generates).

The risks of this approach are well documented - but then if so few vendors are in this space in the first place, how many of them do we think are in a position to offer the potentially more profitable MSP alternative?

Then there’s the question of how vendors actually incorporate cloud app security offerings into their overall security portfolio – or don’t! Currently, the view from the bridge here is that one prominent vendor is now bundling cloud app security within its existing security services, in a cloud-based MSP model, at no extra licensing charge – but other vendors haven’t even started to play catch-up on this.

In conclusion: cloud app security vendors could do better

There it is, then: cloud app security solutions are rarer than hen’s teeth!

They demand an instantly deployable, cloud-centric architecture that most security vendors simply haven’t applied to this space, a margin-rich partner model that the vast majority of vendors seem unready to offer, and a “business as usual” attitude to bundling that, for many vendors, seems too radical a string to add to their bow.

That massive cloud app pie is there for the securing – but, as it stands, most vendors aren’t even making a dent in the crust, still less serving up anything that profit-hungry partners would find a tasty proposition.

Businessman pushing virtual security button on digital background

The Web opens a window between networks and the world, creating risks businesses can’t manage. We look at 3 killer web security features that put MSPs in this space.

According to the Threat Landscape 2015 report published by the European Union Agency for Network and Information Security (ENISA), the “observed current trend” for web attacks is described, simply and rather ominously, as “increasing”.

Of course, what this also means is that the opportunity for MSPs to play into this space, by managing organisations’ web security headaches for them, is potentially huge.

But the market is crowded - so what are the killer web security innovations MSPs need to offer to really differentiate themselves from competitors?

Innovation 1: defeating outbound threats in a pure service model

Web attacks aren’t just inbound – in fact, the most devastating consequences can occur as a result of outbound traffic, for example if a Botnet, Key Logger, or other malicious program sends out information from within the customer’s network.

The innovation here is happening on multiple levels.

MSP solutions are now taking over the role of constant outbound web security monitoring that customers’ teams often simply do not have the capacity to provide.

Immediate alerts, by email or SMS, when a threat is detected, plus automatic blocking of malicious requests, protect the business from haemorrhaging its own IP and sensitive data, and safeguard teams’ core productivity.

Network usage and threat analysis reports, delivered to inboxes, then enable stakeholders to understand top threats, overall network traffic, and trends, enabling them to adjust security policies and manage future risk.

Ease of deployment: we are now looking at MSP solutions that require no on-site hardware or software, and can protect the entire customer network instantaneously simply by being “pointed” at the security vendor’s DNS structure.

Lastly, protection is no longer a trade-off against performance. An MSP delivering a web security service like this one benefits from over 2,500 auto-updates to its threat definitions daily, but doesn’t have to funnel checks and traffic through the bottleneck of a proxy server - thus maintaining optimum surfing performance.

Innovation 2: visibility into cloud apps and social media

As one vendor has explained, “Ten years ago, web security meant stopping people going to the wrong website. Today…it has become increasingly about visibility and analysis of activity within cloud applications that employees are accessing,..”

Across services like Facebook, Dropbox, Twitter, and even enterprise applications like Salesforce, what are customers’ employees posting or uploading? Is it appropriate to the audience it reaches? What are they clicking on? How are they storing sensitive data, where are they sending it, and why? Are they using language that could hint at malicious or criminal intent?

Any one of these concerns is a potential reputational and compliance timebomb – but MSP solutions are now available that take the heat out of HTTPS in three ways.

Firstly, it is now possible for MSPs to deliver visibility into cloud application usage, enabling customers to see actions like file uploads, message posts, data storage, and look inside the content of risky or suspicious activity.

Secondly, MSPs can now control access (or enable customers to control access) not only to cloud applications, but to specific features within them – by individual, role, device and location.

These can include, for example, functions that enable users to upload or delete profile images, remove a public link, permanently delete files from a recycle bin, disable a security group, and many other types of actions that can be high-risk in certain contexts, both with and without malicious intent.

The massive productivity gains that cloud apps can deliver are thus largely retained, but at a far lower level of accompanying risk.

Thirdly, this “cloud application control”, to be viable across multiple applications, and, potentially, hundreds or thousands of users, has now evolved into a centralised service that can be controlled from a single dashboard, reducing admin and management overheads, and enabling MSPs to keep their margins keen.

Innovation 3: holistic threat view

Analysis of web attacks in isolation does not always deliver the full web threat picture. Web users are invariably email and collaboration software users too, for example, so web threats often propagate through these channels, via vulnerable endpoints.

The danger for the MSP providing a web security service is that if they don’t have a truly holistic view of each user and the threats that have been ranged against them in the recent past, the true threat pattern – and so the true extent of users’ vulnerability – will not be fully understood. Service fail!

But MSPs are already over this hurdle, for two reasons.

They can now access a centralised management console that makes all the relevant threat data visible in one synopsis, (an example of which is shown in this video).

And the web security application itself can be connected to other security applications (email, collaboration, endpoint) in one integrated service.

The benefits of this approach are immediate, in the sense that the customer is less likely to get caught out by a threat pattern that the MSP’s service hasn’t picked up on!

But they’re also forward-looking, as threat intelligence is actively shared between applications, making detection of multi-channel threats easier in the future.

MSPs and web security – the future

But let’s play devil’s advocate here for a moment. MSPs can deliver services around everything from email provision, to backup and business recovery, to accounting and finance, to business analytics, and more besides. There is no shortage of growth markets for MSPs – so why choose web security?

None of us have a crystal ball, but the view from the bridge at analysts The Radicati Group looks pretty decisive in this summary of their 2015 to 2019 predictions.

“The Corporate Web Security market”, they say, “continues to grow at a fast pace, fueled [sic] by on-going concerns about corporate security… The market is expected to grow from over $2.1 billion revenues in 2015, to over $3.9 billion in 2019.”

The Group also tells us that “Cloud based Web Security solutions are seeing increasingly strong demand”, bolstered by the need for “powerful Web Security protection on the go, without the complexity of connecting back to the corporate network.”

The web security market is on the up. MSPs just need to make sure they’re delivering the right features to get a profitable slice of it.

Keyboard equipped with a red ransomware dollar button.

Ransomware is on the rise, but the authorities struggle to deal with it, so businesses often end up paying the ransom! What are security vendors doing to combat it?

You don’t need to look very far to see the hoo-ha that ransomware has recently caused.

This is not only because the sheer volume of ransomware attacks has swollen as never before (global cases increased by almost 170% in 2015, with the UK “disproportionately hit,” according to this FT.com article), but because the number of cases reported has actually gone down.

This can only lead to one conclusion: businesses are paying the ransom, in an attempt to get their businesses back up and running, because the authorities are failing to help them do so!

It’s one hell of a gamble. Cybercriminals aren’t exactly known for their integrity or willingness to be bound by contract, so where’s the guarantee that they’ll give businesses back the access to their files once they’ve coughed up?

Indeed, as FBI Cyber Division Assistant Director James Trainor has commented,  “Paying a ransom doesn’t guarantee an organisation that it will get its data back—we’ve seen cases where organisations never got a decryption key after having paid the ransom.”

Ransomware: what it is, what it does

Before we go any further, though, let’s clarify terms. All ransomware (CryptoLocker, CryptoWall, and CTBLocker are names that crop up often, but there are many others, some of which are listed here) is about blocking a business’s access to a system and/or its files until a sum of money is paid to the malefactor.

In practice, this happens in many different ways, varying from scareware, to browser or screen-locking software, to encrypting ransomware. (This Malwarebytes infographic, that our partners can now request to co-brand and use for their own marketing campaigns, explains it very neatly).

In a further malevolent twist, cyberattackers may choose to “leak” the files that they have sequestered if the ransom is not paid, exposing a business’s potentially confidential and legally privileged information to public view online.

Reputationally, this can be shattering, but the financial impact of ransomware is breathtaking too. The Verizon Data Breach Investigations report puts the business cost of losing access to just 1000 records at more than £46,000!

In short, businesses are vulnerable, the authorities are swamped, and there’s no honour among cyber thieves. So it’s down to security vendors to step up to the plate and prevent ransom situations from arising in the first place. Here’s a taste of how three of them are turning the tables on the file felons!

Bitdefender: cross-product protection at startup

Bitdefender’s answer to the ransomware challenge has been to develop a Ransomware Protection module that is included in all Bitdefender 2016 products (including business versions sold through the IT channel).

Clearly, this makes ransomware protection accessible to the end-user, regardless of the product they or their organisation have purchased.

But Bitdefender products also activate the Ransomware Protection module at startup, and scan all critical system areas before files are loaded, with zero impact on the system’s performance.

At the same time, protection is provided from certain attacks that rely on malware code execution, code injections, or hooks inside dynamic libraries, so defence against the ransomware is instant, broad, doesn’t slow end-users’ core computing tasks down, and – most importantly of all – doesn’t let the ransomware get a foothold.

Malwarebytes: ransomware protection throughout the infection timeline

Malwarebytes has built a solid reputation on its ability to detect, monitor and block malware of all kinds, right from the earliest attempts by the malware’s author to probe the most effective delivery methods.

This means it can spot indications of threatening behaviours way before the threat actually deploys – and it has applied this philosophy to its Anti-Ransomware product, too.

In the words of their security blog, it “uses advanced proactive technology that monitors what ransomware is doing and stops it cold before it even touches your files.” The ransomware therefore “has no shot at encrypting.”

Although the product is still in beta, it is based on an already successful application  - CryptoMonitor - that Malwarebytes acquired from EasySync Solutions, so its provenance certainly inspires trust.

We don’t yet know how Malwarebytes will market the general release version for business users through the IT channel. Will businesses be able to buy it standalone? Or as part of the existing Malwarebytes Endpoint Security suite?

The latter is already a truly potent bundle. It includes the powerful Anti-Malware solution that (uniquely!) also comes with an inbuilt remediation tool – that is to say, it can clean up already infected systems, making for some very grateful customers!

It also includes the Anti-Exploit solution, that detects the zero-day exploits that other solutions simply miss. Factoring Anti-Ransomware into this already compelling combination would be something of a coup!

Watch this space…

Trend Micro: fight ransomware at every layer

Ever the source of insightful and sobering security stats, Trend Micro has publicly announced that ransomware infections among UK firms in February 2016 alone far exceeded the figures for the first six months of 2015!

Its approach to fighting ransomware is highly layered, with Ransomware Protection features included in its endpoint products (OfficeScan, Worry-Free Business Security), email and gateway products (ScanMail, Cloud App Security, Hosted Email Security, amongst others) and network products (Deep Discovery).

Trend Micro was named a Leader in the 2016 Endpoint Protection Platforms Magic Quadrant, published by industry analyst Gartner. This covers, amongst other technologies, anti-ransomware, so Trend’s solutions are definitely “up there” when it comes to stopping businesses being held at gunpoint!

Anti-ransomware: a pattern emerges

In all the three vendor cases mentioned above, there is a strong underlying truth: everything turns on being able to stop the ransomware infection happening in the first place. Once files are infected, it’s way too late.

This knowledge has certainly been an incentive for security vendors to act. If it’s not an incentive for businesses and the IT channel partners who supply them to act, too, I don’t know what is.

Benefits of managed IT servicesTwo thirds of companies now use managed service providers (CompTIA survey). But how should MSPs educate customers about the services they provide? See these tips.

In my last post, I wrote about the benefits of selling services through the MSP model, rather than relying on old-fashioned, unpredictable break-fix.

All well and good, but that’s often also about selling your customers on something new and different, when they’re used to something established and familiar – and we all know how difficult that can be!

So I spoke to some customers and some colleagues, and cast around on the internet, and came up with these useful tips to help you convince your customers that MSP is the way forward!

1. Don’t major on the technology. As this article in CRN eloquently argues, the mechanics of features and functions are absolutely not what will prompt your customer to make a decision in favour of MSP.

What your customers are really interested in is how MSP solutions can help them decrease risk, reduce costs, and – perhaps most critically of all – increase productivity.

Industry reports and analysis can strongly support your pitch in this respect. Comptia’s annual Trends In Managed Services research, for example, (you can see a non-gated slideshow summary here), contains some excellent references to productivity gains, savings, and ROI, all of which will be useful to you in a sales situation.


2. Ditch the “jargon monoxide”.
Do you have any idea how downright poisonous some of the language accepted in IT circles can be to someone seeking to make a purchasing decision?

Simplicity and clarity are watchwords in any sales situation, but when you’re trying to persuade a customer to abandon the break-fix model that they may have trusted for many years, they become critical. Test your pitch on friends, family members, and deeply non-technical colleagues – and if they don’t instantly “get it”, rethink it.

The psychological impact of obscure language is immensely damaging to MSP sales relationships – as this piece in MSPblog explains. Want to make your customer feel stupid? Make them feel like they’re excluded from your clique? Want to make it sound like you’re lying through your teeth? Then carry on using the jargon.

Change is already disruptive and painful for customers – don’t make it unfathomable and repellent too.


3. Get over the monthly rate objection.
From your point of view, the fixed monthly payment for your MSP services makes perfect sense – regular, predictable income in return for always-on monitoring and service.

Only, many customers won’t necessarily get that last part. In their mind, the choice you are giving them is between a monthly outflow of cash to protect them against something that “might never happen”, and an hourly rate that they only have to pay if something goes wrong.

The way to convince them is to highlight just how bad things could get if that something does go wrong. Would they get hit by financial loss if they were to experience more than, say, an hour’s downtime, for example?

How much have they invested in their IT infrastructure and how much more would they have to add to that to cover hourly-rate remediation in the event of something like major data loss or theft?

You won’t have to search very far to find some seriously compelling statistics on this subject. I wrote in another post recently that 58% of SMBs could not withstand any data loss whatsoever.

Consider, in addition, that data loss and downtime cost the UK £10.5 billion per year, according to this piece in TechWeek Europe, and one Gartner analyst has cited an hourly downtime cost, based on company size and type, of between $140,000 and $540,000 per hour!


4. Listen to pain points and tailor solutions.
The MSP model has brought a flexibility to the sales process that previously didn’t exist – particularly when it is teamed with solutions delivered through the cloud that can be switched on and off and scaled up and down on demand.

In fact, the reality is that there are very few solutions you couldn’t offer in an MSP version to meet your customers’ varied needs. From endpoint security, to data backup and recovery, and of course much more, it’s all up for grabs – but you need to understand your customers’ pain points first!

As MSPAlliance recently put it, (my italics), "MSPs must become supremely comfortable interacting with customers on a business level. This means knowing the business of your customers and being able to ask questions and listen to what causes them pain. Once the pain point has been identified, a technical solution to it can be created."


5. Master the proposal process.
It’s not only complex language that turns your MSP prospects off, it’s a sales proposal process that feels like it’s trying to funnel them into a one-size-fits-all solution, exacerbating their fear of the new and unknown.

The MSP model makes possible multiple alternative solutions in multiple combinations, so use them to give your customers a sense of choice and control. This isn’t break-fix-land, where every additional solution ratchets up the risk of an hourly-rate repair job, so don’t pitch it like it is!

For a superb, methodical sales proposal process that will help you to convincingly align solutions options with your MSP customers’ needs, check out this MSP blog post.


Get selling to your MSP customers!

I’ve said enough now – it’s your turn to evangelise! But remember, if you’re asking your customers to turn their back on the devil they know, they might need a little help understanding that MSP solutions could be their guardian angel…

break-fixThe break-fix model is out of date; staying with it means falling behind the competition. So we look at the benefits of moving your business to an MSP model instead.

The IT business is famous for its convoluted language and ever-changing buzzwords, but the essence of the break-fix model adopted by so many IT channel partners is as simple as it ever was – wait for something to break, then get called in to fix it.

Is this really the way forward? The problem, fundamentally, is that no matter how diligently a break-fix company delivers its reactive-only services, the fact that they are reactive-only immediately puts them in the lower branches of the service quality tree.

In short, to move their services up the customer value chain and make them more profitable, break-fix companies have to go proactive instead, preventing the breaks before the fix is even needed! And that means changing to the MSP model.

Here are a just a few core MSP benefits that decisively trump the old-world break-fix approach to doing IT business.

Predictable, recurring revenues

Think billing customers hefty amounts for break-fix intervention is profitable?

Think again. Break-fix is an expensive service to deliver because you can’t predict when something will go wrong. This means multiple ad hoc scrambles to deliver services for which the associated labour and time costs are notoriously hard to estimate and control.

Make no mistake, break-fix renders cost and budget planning almost impossible, and so can quickly turn out to be a drain on the business.

(In fact, for an entertaining tour through no fewer than seventeen separate reasons why break-fix is a bad idea, read this piece from MSPAnswers.com.)

The MSP model, on the other hand, generates a reliable, recurring monthly fee, enabling predictable cash flow month in, month out, and with no requirement for customers’ systems to break!

Ultimately, this supports the planning process that underpins business growth – if you know how much your costs are each month, you know how many contracts you need to bring in to turn a profit.

It’s a far cry from waiting for something to go bang and then frantically working out how much you need to charge the customer for it to cover the lean weeks of recent times and those yet to come!

Higher-value customer relationships

Your core differentiator, as an MSP, is that you are not paid to fix the customers’ systems, you are paid to monitor them and prevent issues from taking hold in the first place, using, for example, RMM (Remote Monitoring and Management) tools, like this one. and PSA (Professional Services Automation) tools, an example of which is shown here.

What this in turn means is that you are no longer relying on your customers to fail in order for you to succeed; this positions you as a “trusted adviser” and enables you to forge stronger business relationships with them.

These stronger relationshjps pave the way for you to expand your service offering, grow those all-important monthly revenues (and the margin you’re making on them), and they also make your customers more likely to recommend you to other prospects!

Lower staff costs, higher productivity

The much-vaunted “single pane of glass” – a portal or console that enables you to easily onboard and manage devices, customers and users, no matter how many of them there are – is now a firm reality in the MSP universe.

Consequently, it takes far fewer staff to manage customers’ systems, which in turn delivers higher productivity at much lower cost. Needless to say, the same console can typically be used to deliver additional services to existing clients, on demand, instantly swelling your revenues and binding your customers closer to you.

Stops you cutting your own business’s throat…

With traditional break-fix services, the only way to make money is if something goes wrong. This is a double-edged sword; the danger is that if you do your job too well, you’re out of business (as if to reaffirm this, insolvencies amongst IT and communications companies rose by 22% at the end of 2014, compared to the previous year, according to research from Exaro).

Don’t do the job well, however, and the customer will soon see through it and be off consulting another provider.

With the MSP model, of course, all of this ceases to be an issue, because you are measured on your ability to monitor and to prevent disruption, not on your ability to clean up a mess once it’s already happened. You’re delivering a service that is always on and always revenue-generative, not sporadic correctives that temporarily plug urgent holes in your cash flow!

In conclusion: tips for moving from break-fix to MSP

Nobody’s suggesting moving from the break-fix model to the MSP model is painless – it isn’t (not least because you’re actually moving from one mentality to a fundamentally very different one).

But the Web is well stocked with helpful articles (like this one) calling out the essentials, others (like this one) giving more detailed advice on how you should actually price your MSP services, and discussion forums (like this one) that share the experiences of companies that have already made the transition.

Break-fix is broken. Talk to an MSP vendor about it, talk to an MSP distributor about it, talk to an MSP customer about it, but talk to someone, and soon.

Otherwise the next thing that breaks could be your bottom line.

Why Backup is not Business ContinuityBusiness runs on data, but how many businesses have acted to actually protect their lifeblood if and when disaster strikes?

Only about 35% of businesses have data backup in place, and at the SMB end of the market, some 75% of SMBs have no disaster recovery plan at all.

This is playing with fire. According to this article, 58% of small businesses couldn’t withstand any amount of data loss whatsoever.

It’s a revealing statistic, because it hints that the challenge is not only in backing up the data somewhere safe, but also in reinstating it to enable the business to “withstand” the outage, and get the wheels turning again.

That, in a nutshell, is the difference between data backup and disaster recovery (often termed, somewhat loosely, business continuity, as I’ll explain later) – and here’s what SMBs should be focusing on to get their data disaster ducks in a row!

Speccing the Backup Process: Recovery Point Objective (RPO)

How much data can an SMB afford to lose before it starts to damage their business?

This is the critical question SMBs need to answer, because it is this RPO (Recovery Point Objective) calculation, explained in more detail here, that informs all elements of the data backup process.

How often do backups need to be performed? (Every hour? Every minute?) What volumes and formats of data need to be involved, and what kind of data backup system or service partner can achieve this?

Evidence suggests this is where smaller businesses really struggle, as 71% of UK SMBs, according to research from Onyx Group in this article, only manage to back up part of their data.

It seems that limited bandwidth, mixed IT environments (Windows/Unix/Linux) and disparate file formats conspire to reduce the scope of the RPO, and so dilute its effectiveness as a measure of true backup capability.

The value of the RPO is also diminished by the realities of where the data is being backed up to.

Locally? The fire that took out the core systems just took out the backups, too!

The cloud? Data backup is just as vulnerable to the potential limitations of the cloud as any other service is. How will the data centre be powered in the event of its own outage, and for how long? Is it covered by EU data regulations, and certified to industry-recognised standards like ISO 9001 and ISO 27001? And how secure are the data centres it “mirrors” to, to back up the backups?

Tape? Inherently RPO-unfriendly (you can’t very well create and send off a new tape every hour!), it is also cumbersome and expensive, often funded by an insurance policy and requiring a full-time employee just to manage it. (Read this article, written by one SMB owner, explaining how he improved his disaster recovery capability by getting away from tape!)

The process of deciding on the RPO can expose far greater backup shortfall than the SMB has thus far been forced to confront!

Getting back to business: Recovery Time Objective (RTO)

But the most demanding RPO in the world will only ever address one side of the business continuity equation – the need to back the data up.

The other, equally crucial side of the equation is being able to get to that backed-up data, reinstate it into the organisation, and rapidly rebuild any of the infrastructure that is needed to make it work.

The speed with which this can be achieved is called the Recovery Time Objective (RTO), and is usually set by working backwards from how much a data loss would cost the company (by adding up the average per-hour wage and overheads of the employees who need to work with the data, and the per-hour revenue).

Hardware, physical media and software issues can all mess with the RTO. Imagine you’re an SMB, and all your data is backed up to a physical tape at an offsite location somewhere, that has to be manually shipped back to you before you can reinstate it. #RTOfail

Or imagine you’ve successfully saved all your critical files to your backup service, but you haven’t saved any system images – so the accompanying settings and system data that you need to make the files quickly work again are missing. #RTOfail

Or imagine you’re doing all your backup locally and the hardware that does the backup breaks down, so you first have to repair or replace the machine(s) before you can get to the data – if indeed you then can at all! #RTOfail

What’s emerging here is that no one approach necessarily delivers maximally RTO-friendly use of backed-up data. Instead, a combined strategy can often work better, to minimise the risk in each component of the approach, and deliver:

  • Local, image-based backup that is complete and rapid to recover
  • Rapid replication to and from the cloud through bandwidth-efficient streaming that only transmits changes, not entire datasets
  • Instant local and cloud virtualisation, to vastly reduce the risk posed by fault-prone hardware and cumbersome, inaccessible physical media.

SMB backup and recovery budgets are often meagre. So when the chips are down, the data’s gone, and it’s time to pull business continuity out of thin air, the ability to recover, say, a 70Gb SQL server in a few seconds flat, in return for a modest monthly fee, is a big shout in favour of the cloud.

Summary: Disaster Recovery vs. Business Continuity

Of course, it’s not just using the right tools to meet the commitments of RPO and RTO that will help ensure business continuity. It takes a much longer-term view than that, embracing succession planning, recruitment, supply chain management, and a whole host of human skills to which technology is only peripheral, as this piece explains.

But the facts stand. Backing up data “somewhere safe” is useless unless it’s achieved at sufficient frequency, with sufficient comprehensiveness (system images and data formats), sufficient ease and speed of reinstatement, and with a high degree of freedom from the weaknesses of hardware and physical media dependencies.

There’s a marketable SMB cloud solution in there, somewhere…

What You Need To Tell & Sell To Office 365 CustomersIt seems that industry commentators everywhere have come out in support of Office365, for MSPs, resellers, and end-users alike. In a recent TechTarget Search Cloud Provider piece, for example, one interviewee called it “the single greatest opportunity for MSPs and VARs to enter into the cloud” and “a no-brainer for 99% of customers”.

He goes on: "There are two different categories of MSP and VAR when it comes to Office 365: one that embraces it and one that fights it. Within the fighting group, it's a losing battle … Their customers are getting picked off one at a time."

Sobering stuff. But selling Office 365 is not just about pushing the benefits - there’s money to be made out of its weaknesses, too.

 

Office 365: strengths, benefits, and scary weaknesses

From the end-user perspective, the benefits of Office 365 are legion. Amongst others, it eliminates the need for internal email management, and ensures one consistent environment, no matter how widely distributed the IT infrastructure. Updates happen automatically – so there’s no need for costly, time-consuming manual management of upgrades or patches.

This blog quotes a number of smaller businesses enthusing about the cost benefits of the solution, with one manager saying it costs him “just a few dollars a month per user”, and another projecting “25 to 30 percent cost savings” after transitioning to Office 365.

Seen from the MSP point of view, the benefits are equally persuasive. This piece in Insight.com talks of the budgetary advantages to be had by moving from owning licences (capital expenditure) to subscribing to a service (operational expenditure).

It also emphasises Office 365’s scalability. You pay only for what you use, but what you use can scale up or down based on user count. And then there’s the drastic reduction of hardware and facilities costs, of course...

All good, then. But actually, not. Because Office 365 suffers from some significant weaknesses that put your customers at risk and threaten their reputation.


From weakness to wealth: how partners can monetise Office 365

But the happy news is that, as technology writer Crystal Bedell nails it, partners can “Identify a weakness in the platform and provide customers with a solution” – an approach that she pronounces “profitable” (the partners’ magic word!)

The weaknesses in question relate to known security limitations within the Office 365 solution set. Type “Office 365 vulnerabilities” into Google and you will find no shortage of past security gaps. And although Office365 supposedly boasts integral security, what Microsoft calls “Advanced security for your data” is actually only available in its premium-level E5 plan, as this page shows.

Hardly surprising, then, that many vendors have realised there is demand from partners and end-users alike to extend Office 365’s standard security features.

Spam and virus filtering appears to be an area of concern, with vendors offering “Plus”-type solutions (like the one in this video), rather than trusting to Office 365’s inbuilt defences.

Perhaps most excitingly of all, “sandbox” malware detection developed for Office 365, like this solution, can now monitor the actual behaviour of suspect files in multiple virtual sandbox environments using multiple operating systems.

This effectively turns the tables on the malware, uncovering how it targets different kinds of Office 365 users, before it can actually do so.

 

Tell your customers, sell the solutions

All in all, then, it seems that Office 365 isn’t lacking in security issues – but then it isn’t exactly lacking in solutions that partners can sell to fix them, either!

All you have to do is make sure your customers know about them. So what say you share this blog with them?

buy-rentAs far back as 2009, industry media (in articles like this one) were announcing the factors that were already triggering a critical move from the reseller model to the MSP model.

Customers’ reduction in staff and IT budget, hardware end of life, and the rise in remote and virtual working were foremost amongst them.

None of these things have gone away. So if you’re still a traditional reseller, how do you break out of break-fix and into this thriving MSP market? What are the benefits? And is your business really suited to doing it anyway?
 

From reseller to MSP: the benefits

Let’s start with the upside, distilled from these points, previously identified by IT channel analyst Paul Myerson (with some caveats!):

  • Recurring revenue – The MSP model is based around an established monthly income that can increase as more users are brought on board, whilst keeping the costs of that onboarding extremely low. Result: more predictable budgetary planning, but also keener margins!
  • Add-on sales – The delivery of MSP solutions, particularly in a cloud context, is much easier to “build out” than in a traditional reseller scenario. The MSP can bundle additional products and services during the term, which enables them to extend the contract.
  • Brand trust or marketing muscle? – Many major vendors now sell solutions that were designed from the ground up for the MSP and cloud market, so there is a strong baseline of credibility in these offerings.

But if you choose to white-label your service (and many MSPs now do) you lose much of this brand association, so you need to hook up with a vendor that helps you to plug the credibility gap by giving you ready-made end-user marketing campaigns and content.

These help position you as a knowledgeable, trusted advisor. And, as Myerson notes, “The trusted advisor can charge more…”

  • Customer penetration – The MSP model is often seen as a “hands-off” approach, but the fact that an MSP can quickly spin up and remotely support new services is a catalyst to further customer demand. The MSP model doesn’t eliminate customer touch-point - it gives the ones that remain the potential to be much more lucrative!

In addition, as we’ve noted in a previous post, as the MSP model essentially allows you to move from owning reseller licences (capital expenditure) to subscribing to a service (operational expenditure), it avoids those big upfront licensing hits to your bottom line.


But is the MSP model right for my business?

All that said, the MSP model is not a panacea for all resellers’ ills. As this excellent piece in SearchITChannel explains, you might struggle if you have issues with:

  • Technical and support expertise – You can buy this expertise in from the vendor if you can’t front it yourself, but if you’re sourcing the solutions from a distributor then relying on the vendor adds an extra dependency into your service capability. Look for a distributor with their own in-house technical and support expertise.
  • Complexity of service delivery – Acccording to research from Markets and Markets2, the annual growth of the SMB managed services market will exceed 20% by 2020. So even if you don’t focus on enterprise clients, as an MSP you would likely be delivering more services and managing more customers and users than you ever were in the reseller regime.

If your reseller business can’t shift, technically and culturally, to using more automated methods to accommodate this, such as the RMM (Remote Monitoring and Management) tools that we explored in an earlier post, it’s heading for meltdown.

As one RMM vendor opined in this piece, “…a new MSP must be careful not to over-commit themselves; doing so may put them at risk of losing money very quickly”.

But if they can avoid this by being “proactive” and automating “some of the routine IT support responses”, they can “offer far more value to their customers.”

  • Change and evolution – Lack of MSP market knowledge and skills can be a serious hindrance, but many partners have been reluctant to embrace MSP and cloud learnings, even though they are capable of boosting their business.

 Market researcher ESG, for example, cited in this piece in MSPMentor, found that “most partners remain dependent on traditional product resale and express discomfort when it comes to the financial risk of change.”

Again, this is a strong argument for working with distributors who have extensive MSP market knowledge and can help influence internal stakeholders by “hand-holding” them - from validating prospects to providing support when the service is up and running

But it’s also a strong argument for going for the low-hanging fruit first. According to this piece in MSP Alliance, for example, “Even the least skilled MSPs can deploy an effective cloud backup solution… Backup can be a very lucrative business line for MSPs… it does have the potential to be a big part of any MSP's service catalog.”

And that data backup is just one part of a much wider cloud security opportunity; one that, according to the same publication, is “set to experience double-digit growth” from 2014 to 2017, with “everything from email security to identity and access management heading to the cloud.”

Focus here first, then, perhaps?

Conclusion: MSP is not without its challenges

But the MSP market’s not all fat margins and cake for everybody. In fact, as this recent article argues, it’s becoming something of a bear pit.

Companies that previously had no MSP aspirations or skills at all – office equipment dealers, print companies, and so on – have all “thrown their hats into the ring as managed service companies.”

On the one hand, perhaps if they’ve made the leap to MSP, you can. But unless you can differentiate yourself in a crowded market – through vendors, solutions and distributors that give your services some kind of distinctive edge – you could find the going rough.

BS-RMM

What’s behind the importance of Remote Monitoring and Management (RMM) tools in the partner universe?

As Techopedia helpfully explains, RMM is the “proactive, remote tracking of network and computer health”, and typically delivers a set of IT management tools that enable technical staff to maintain service delivery more efficiently and productively - like trouble ticket tracking, and remote desktop monitoring and support.

But, inevitably, not all RMM solutions are created equal. So what is it that makes for a RMM tool that keeps your customers happy and your support teams’ productivity keen?

We looked into a number of recent comparative articles and reviews (like this one in Business Solutions and this one in TechTarget’s SearchIT Channel, amongst others) and came up with this (hopefully!) helpful wish-list:

1. Ease of deployment

“The choice you make when selecting RMM software often boils down to the best combination of integration, deployment and automation characteristics”, writes SearchIT Channel’s John Moore, and to my mind, deployment ranks right at the top of this hierarchy.

Why? Because the less you can disrupt your (and, by potential extension, your customers’) business with your RMM deployment, the better.

So look for solutions that can deploy selectively to one device or a group of devices, and to one location or multiple locations, in one smooth movement.

Consider the hardware onboarding, too; automatic provisioning is far less disruptive than manual, but Mobile Device Management (MDM), for example, will need to be cross-platform (iOS and Android) and offer easy enrolment and configuration functions.

Ultimately, you need to be comfortable with the vendor’s and solution provider’s role in all this, too. What sort of hand-holding or on-boarding will you receive during those crucial first few weeks? Is it restricted to self-help online tutorials, or will it follow a structured statement of work delivered by an engineer on a 1-to-1 basis?

And will they offer you any kind of satisfaction guarantee to protect you against the potential infelicities that shifting a hefty slice of your business productivity to a single platform could occasion?

Much of this is driven, in reality, by whether you choose a cloud-based RMM platform or an on-premise one – so shop around for solutions providers who offer options, to enable you to properly balance risk and return.

 2. Asset coverage and management

RMM can’t effectively monitor or manage anything unless it’s pointing to the right sources of information, and has within it the appropriate management tools.

Your RMM solution needs to work tightly with customers’ workstations, servers, printers, routers and mobile devices, but you also need to be able to slice and dice the monitoring and management by whatever criteria suit you best in any particular situation – by OS, by application, by location, and so forth.

The more geographically, technically, and logistically complex your and your customers’ operations, the more beef you need under your RMM bonnet!


3. Usability and minimal training requirements

Whichever kind of RMM you deploy, users have to be able to use it! For partners and MSPs, that’s principally operators in their own organisation (technical support staff, or perhaps, on occasion, account managers) but customers might need access to the solution, too (in a corporate enterprise deployment scenario, for example)          .

Either way, complexity can spell disaster. The Standish Group, a research outfit that tracks corporate IT purchases, has found that complexity is at the root of some 66% of all IT project failures or late deliveries.

Consequently, your RMM solution has to be built on intuitive features that are easy to master, should be able to orchestrate workflows to prevent human error, and must generally reduce the learning curve for the operators.

Look in particular for features like pre-configured groups, searches, templates and schedules, so that your teams don’t have to hand-craft monitoring and corrective routines on a day-to-day basis.

4. Automation

Related to what I said above about training, automation is the secret ingredient in making an RMM solution function effectively out of the box, and therefore enhancing the productivity and customer satisfaction it can deliver.

In any event, insist on pre-loaded monitors and alerts (so that you can go from both proactive and reactive investigation.)

But be wary: you need to get to the bottom of how quickly and precisely you can choose which of the hundreds of automated elements should be ‘on’ and which should be ‘off’. Does it involve cumbersome, costly trawling through countless groups, and individually cherry-picking the elements?

Or is there a more business-driven approach (such as allowing you to selectively turn off, say, all the Exchange or SQL server performance monitors at once, as opposed to their individual constituents?)

In the search for RMM zen, not all automation is nirvana!

5. Remote capability

Of course, none of this really works for your customers at all if your RMM solution’s remote support capability is lacking. If you can’t easily deliver support straight to a user’s screen, you’re not providing much of a service.

In an ideal world, the “stealth” functions of the RMM platform – the ones that enable you to support customers by making helpful changes and adjustments to their machines without them even knowing, and without interrupting their work – rule.

But sometimes, interrupting the user is unavoidable. Whichever situation you find yourself in, prefer a RMM solution with a native remote support capability, rather than a connection to a third-party one.

The former is controllable from within the solution itself, with one click, alongside all the solution’s other functions (the oft-cited “single pane of glass” approach) and will deliver a more seamless support experience to the end-user.

6. Integration capability

Finally, integration looms large on many MSPs’ and resellers’ RMM agendas. The ability to work with a “supporting cast” of existing applications (including security) not only diminishes customers’ operational headaches, it also creates a three-stage virtuous commercial circle.

The RMM solution becomes saleable because it works securely with existing applications sold by the partner, enabling it to potentially add an extra revenue stream to each customer.

New applications become saleable because they can be easily controlled thanks to the RMM solution, enabling the partner to into existing customers.

And for new customers? Rinse and repeat on both counts!

RMM: which solution to choose?

Essentially, it boils down to this: MSPs and resellers don’t know how their markets are going to diversify in the future. They may be selling one kind of service today, tomorrow it could be another, depending on where there’s profit to be made.

But they’ll all be online, they’ll all be remote, and they’ll all bankrupt the partner if they don’t integrate with a RMM solution that helps to transform the burden of keeping the service running into a highly automated – rather than costly manual – process.

One RMM solution to serve them all? Now that would be a great thing to sell.