In a previous blog post, I talked about how MSPs today have many more tools and technology than ever before. Most of these tools provide integrations to other tools. Of course, this is done through APIs. While integration can help efficiency and make a technician’s job easier, it can also create additional security risks.
Security vulnerabilities in one product can migrate to other products via API access. On The Weekly CyberCall a few months ago, Ryan Weeks, Datto’s CISO, discussed these risks. He suggested that MSPs begin to map their APIs. (I had a few customers tell me that they did this for a few products and the result looked like a spiderweb!)
You may find that when products are set up, their default is to use all the available APIs. I suggest you begin mapping your APIs, review each, and turn off any that are not needed. Think about it this way: If you eliminate 20 percent of APIs, you reduce your attack surface by 20 percent.
Look, this process takes time, and time is money. It seems that we’re always talking about something else that you need to do that you didn’t have to do a few years ago. All of this has increased your cost, and not doing more increases your risk — that has a cost as well.
You need to have a process for all of these non-automated tasks. Tony Williams, our Operations Coach, calls this “having a process for process.” Then, you must assign everything to a role and be sure that this role is accounted for in your seat costs.