CISA's Secure by Design, Delta vs. CrowdStrike, Apple AI Cloud, Kaseya's New Security Solutions
Business of Tech: Daily 10-Minute IT Services Insights, October 30, 2024
1456
00:14:43, 13.65 MB


CISA has garnered over 230 voluntary commitments from software manufacturers to adopt safer software development practices as part of the secure-by-design initiative. This initiative aims to address critical vulnerabilities, particularly those arising from memory-unsafe programming languages, which account for 60 to 70 percent of security issues. The agency has also released a document titled "Product Security Bad Practices," inviting public comments to guide vendors on best practices for enhancing software security.

The episode also covers Delta Airlines' lawsuit against CrowdStrike, seeking $500 million in damages due to a software update that caused a massive outage affecting millions of customers. Delta claims that CrowdStrike's negligence in testing the update led to significant disruptions, while CrowdStrike argues that Delta's outdated IT infrastructure contributed to the slow recovery. Cybersecurity expert Dr. Elia Kolchenko suggests that proving negligence in court may be challenging for Delta, hinting that an out-of-court settlement could be more advantageous for both parties.

Apple has launched its Private Cloud Compute Virtual Research Environment, allowing security researchers to verify the company's privacy and security claims regarding its AI-driven cloud intelligence system. This initiative includes the release of a security guide and source code for select components, reinforcing Apple's commitment to data privacy. The episode highlights how this move could influence vendor decisions as organizations increasingly prioritize privacy and security in their cloud strategies.

Lastly, the episode discusses Kaseya's new user security solution, which is priced at $2.79 per user, following its acquisition of SaaS Alerts. This offering aims to help small businesses protect against identity threats and reflects a growing trend among managed service providers (MSPs) to focus on SaaS security. Sobel emphasizes the importance of proactive risk management and the need for MSPs to adapt to the evolving landscape, where cloud vulnerabilities have surpassed ransomware as the top security threat. The insights shared in this episode underscore the critical need for organizations to prioritize security in their software development and operational practices.


Four things to know today


00:00 CISA’s Secure-by-Design Initiative Gains Momentum as Delta-CrowdStrike Lawsuit Highlights Risks of Software Update Failures

04:21 Security Experts Gain New Access as Apple Releases Private Cloud Compute Environment for AI and Privacy Verification

05:54 Kaseya Acquires SaaS Alerts, Launches Affordable User Security Solution for MSPs at $2.79 Per User

09:23 MSPs Shift Focus as Cloud Vulnerabilities Surpass Ransomware as Top Security Threat, Channel Mastered Survey Shows


Supported by: https://timezest.com/mspradio/

https://www.coreview.com/msp


All our Sponsors:   https://businessof.tech/sponsors/


Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/

Looking for a link from the stories? The entire script of the show, with links to articles, is posted in each story on https://www.businessof.tech/


Support the show on Patreon: https://patreon.com/mspradio/


Want to be a guest on Business of Tech: Daily 10-Minute IT Services Insights? Send Dave Sobel a message on PodMatch, here: https://www.podmatch.com/hostdetailpreview/businessoftech


Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com


Follow us on:

LinkedIn: https://www.linkedin.com/company/28908079/

YouTube: https://youtube.com/mspradio/

Facebook: https://www.facebook.com/mspradionews/

Instagram: https://www.instagram.com/mspradio/

TikTok: https://www.tiktok.com/@businessoftech

Bluesky: https://bsky.app/profile/businessof.tech

[00:00:02] It's Wednesday, October 30th, 2024 and I'm Dave Sobel. Four things to know today.

[00:00:06] CISA's Secure by Design initiative is gaining momentum as Delta sues CrowdStrike. Security experts gain new access as Apple releases their private cloud compute environment for AI and privacy verification.

[00:00:20] Kaseya acquires SaaS Alerts and launches an affordable user security solution at $2.79 per user.

[00:00:27] And MSPs shift their focus as cloud vulnerabilities surpass ransomware as the top security threat, per a Channel Mastered survey.

[00:00:36] This is the business of tech.

[00:00:41] The Cybersecurity and Infrastructure Security Agency is shifting its focus to eliminating risky software building practices after securing over 230 voluntary commitments from software manufacturers to adhere to its Secure by Design.

[00:00:55] Reena Rakipi, who leads the program, announced this at the ACT-IAC Imagine Nation ELC 2024 conference.

[00:01:05] CISA, along with the FBI, has released a document titled Product Security Bad Practices, which addresses critical issues such as the use of default passwords and memory-unsafe programming languages.

[00:01:17] Keelan Sweeney from CISA highlighted that 60 to 70% of vulnerabilities are due to memory-unsafe languages, stressing the importance of prioritizing memory-safe coding practices.

[00:01:30] The document is open for public comment until December 2, aiming to guide vendors on best practices and enhance software security from the outset.

[00:01:39] And Delta Airlines has filed a lawsuit against CrowdStrike, seeking $500 million in damages following a software update that caused a massive outage on July 19, 2024, affecting 8.5 million computers and resulting in the cancellation of over 7,000 flights, stranding 1.3 million customers.

[00:01:59] Delta claims that CrowdStrike's failure to properly test the update led to a catastrophic disruption, asserting that the incident was a result of the cybersecurity firm prioritizing profit over customer safety.

[00:02:11] In response, CrowdStrike refuted Delta's accusation, stating that the airline's outdated IT infrastructure contributed to its slow recovery.

[00:02:21] Cybersecurity expert Dr. Elia Kolchenko noted that proving negligence in court could be challenging for Delta, suggesting that an out-of-court settlement might be more beneficial for both parties.

[00:02:32] Why do we care?

[00:02:34] I'm not sure the work is done on Secure by Design and hoped this push would extend to more developers.

[00:02:40] Having the key platform providers commit is certainly a step forward.

[00:02:45] This shift underscores the importance of vetting software vendors on secure development practices.

[00:02:50] As the Secure by Design movement grows, providers may benefit from establishing internal policies that prioritize vendors compliant with Secure by Design practices.

[00:03:01] And the CrowdStrike case reinforces the need for meticulous testing, clear communication with clients regarding system compatibility, and proactive risk management when deploying updates.

[00:03:11] In light of this, providers should review service-level agreements and consider clauses that define responsibilities clearly, especially when supporting legacy infrastructure.

[00:03:22] Emphasizing rigorous testing and moving that to a software supplier requirement would shift the dynamic.

[00:03:28] In the way, are you and your clients tired of the time-consuming ticket tennis of coordinating meetings and help desk calls?

[00:03:39] Wouldn't it be better to automate this process with a tool that connects directly to ConnectWise Manage or Autotask?

[00:03:48] TimeZest offers scheduling automation that gives you complete control of your schedule and eliminates the hassle of calendar ping pong.

[00:03:56] As the only service designed specifically for MSPs, it integrates into your workflow and makes scheduling appointments easy on you and your clients.

[00:04:06] Plus, you can try TimeZest for free.

[00:04:10] Visit TimeZest.com slash MSP Radio and use the code MSP Radio to get 10% off your first year of TimeZest.

[00:04:20] Apple has unveiled its Private Cloud Compute Virtual Research Environment, allowing security researchers to verify a company's privacy and security claims

[00:04:31] regarding its cloud intelligence system designed for artificial intelligence processing.

[00:04:36] This initiative includes the release of the Private Cloud Compute Security Guide and source code for select components, facilitating deeper security analysis.

[00:04:46] Researchers can utilize the virtual research environment, which is compatible with Macs featuring Apple Silicon and 16 gigs or more of unified memory,

[00:04:55] for tasks such as inspecting software releases and verifying transparency logs.

[00:05:00] Additionally, Apple is expanding its security bounty program, offering rewards of up to $1 million for researchers who uncover vulnerabilities that threaten the privacy and security of the private cloud computing system.

[00:05:13] Why do we care?

[00:05:16] Apple's architecture is very intriguing based on the approach to security.

[00:05:20] When offering source code for select components and allowing researchers to validate security claims,

[00:05:25] Apple is reinforcing its commitment to data privacy and security, which has been central to its brand identity.

[00:05:32] For security teams, providers, and privacy-focused organizations,

[00:05:35] Apple's VRE provides a viable platform to assess the security rigor of Apple's AI-driven cloud offerings,

[00:05:42] potentially guiding future vendor decisions as privacy and AI-related security becomes central to enterprise cloud strategies.

[00:05:50] It's a competitive pressure on other providers.

[00:05:56] Kaseya unveiled the user version of its Kaseya 365 subscription service,

[00:06:01] designed to enhance cybersecurity for managed service providers at its annual DattoCon event in Miami Beach.

[00:06:07] This new offering, separate from the endpoint-focused version launched earlier this year, aims to assist small businesses in safeguarding their data against identity threats.

[00:06:17] Kaseya has announced the acquisition of SaaS Alerts, enhancing its Kaseya 365 offering by rolling that into the new user security option,

[00:06:25] priced at $2.79 per user per month.

[00:06:29] The SaaS Alerts acquisition fills a gap in cloud-based user security and aims to provide providers with tools to counter SaaS threats effectively.

[00:06:39] And Rich Freeman at Channelholic highlighted how Kaseya's CEO, Fred Voccola,

[00:06:44] noted that MSPs have shown a strong interest in the AI and automation features integrated into Kaseya 365,

[00:06:50] which could potentially allow automation of up to 70% of technicians' daily tasks by 2026.

[00:06:56] The company also revealed a $10 million investment in its backup concierge program and introduced AI-powered features to its PSA tools,

[00:07:05] enhancing service delivery to IT professionals.

[00:07:08] N-able has announced a series of global compliance initiatives aimed at enhancing cyber resilience for its partners.

[00:07:14] This move comes in response to the finalized Cybersecurity Maturity Model Certification, or CMMC 2.0.

[00:07:21] The initiatives include the NIST 800-171 attestation, which helps partners manage controlled, unclassified information,

[00:07:30] and an expansion of FIPS 140-3, incorporating federally approved encryption into N-able's core products.

[00:07:38] Enhanced audit logging will track logins and changes to digital assets, reinforcing N-able's commitment to secure practices.

[00:07:45] A dedicated compliance resource center will also provide expert content and checklists tailored for IT service providers.

[00:07:53] N-able already possesses other certifications, including SOC 2 Type 2, HIPAA Type 1, and ISO 27001.

[00:08:02] And CloudWorks Pro has launched Allison, an AI-powered assistant designed to transform work order management in the IT field service sector.

[00:08:12] The tool automates the creation and management of work orders, reducing setup time by up to 70% and significantly minimizing human error.

[00:08:21] Utilizing advanced natural language processing, Allison generates comprehensive work order details from simple titles,

[00:08:28] adjusts tone for professional communication, and learns continuously to enhance accuracy.

[00:08:33] Why do we care?

[00:08:35] Three insights here.

[00:08:37] Kaseya is leading with price.

[00:08:38] They are using their market position and investment dollars to squeeze competitors with price.

[00:08:44] That's their play.

[00:08:45] Note that they didn't message with AI, despite Rich picking up on that growing demand in his conversation.

[00:08:51] This isn't about positioning features.

[00:08:53] It's a strategy to dominate on price.

[00:08:56] And there will be upstarts.

[00:08:59] CloudWorks isn't MSP-focused, and I included it to note that the obvious investments are happening in tools.

[00:09:04] And N-able is what I might term a classic play.

[00:09:08] Disclosure, I'm a shareholder.

[00:09:09] By strengthening audit logs and centralizing compliance resources, N-able is equipping MSPs with robust tools to maintain security in compliance-intensive environments.

[00:09:19] The idea?

[00:09:19] Take your tools and try and expand their markets.

[00:09:24] Grip Security has released its 2025 SaaS Security Risks Report, revealing alarming data about unmanaged SaaS applications.

[00:09:33] The report finds that 90% of SaaS applications and 91% of AI tools within organizations remain unmanaged, highlighting a significant security vulnerability.

[00:09:42] Key findings include a 40% increase in the number of SaaS applications used in enterprises over the past two years, and an 85% rise in accounts per user.

[00:09:53] Additionally, 73% of provisioned users never utilize their SaaS application licenses.

[00:10:00] The rise of shadow SaaS, where applications are used without IT's oversight, poses risks such as data breaches and compliance issues.

[00:10:08] According to Gartner, by 2027, 75% of employees will use technologies outside IT's control.

[00:10:16] Grip CEO Lior Yaari emphasizes the need for real-time visibility into these applications and a risk governance strategy to mitigate these risks effectively.

[00:10:26] And a recent report by Channel Mastered, developed for SaaS Alerts, reveals that cloud vulnerabilities have overtaken ransomware as the top threat for managed service providers.

[00:10:36] The survey found that over 30% of MSPs reported moderate impacts from the shift to software-as-a-service, with 22% experiencing significant disruption to their on-prem revenue streams.

[00:10:48] Despite these challenges, 65% of providers reported generating at least $50,000 in additional monthly recurring revenue from SaaS security solutions last year.

[00:10:59] However, the operational burden is notable, with 45% of providers spending at least five hours weekly managing SaaS security applications.

[00:11:09] And in a revealing report by AppOmni, nearly 34% of security practitioners are unaware of how many SaaS applications their organizations use, highlighting that security blind spot.

[00:11:19] The report states that only 15% of organizations centralized SaaS security within their cyber teams, leading to a culture where security is overlooked.

[00:11:29] Alarmingly, 31% of security decision-makers reported that their organizations suffered a data breach, a five-point increase from the previous year.

[00:11:38] The report emphasizes the critical need for a proactive security culture where both business units and security teams collaborate to mitigate risks associated with decentralized SaaS app procurement.

[00:11:50] Why do we care?

[00:11:51] Well, the confluence of reports clearly signals that SaaS security is becoming an area of critical vulnerability, and the associated risks are rising faster than many organizations' ability to manage them exists.

[00:12:03] For MSPs, the implication is clear.

[00:12:05] There's a lucrative opportunity in specializing in SaaS security and governance services, but it demands investments in automation, policy standardization, and a proactive approach to client education on SaaS risks.

[00:12:18] This isn't groundbreaking, yet also clearly not solved.

[00:12:25] Today's episode is supported by CoreView.

[00:12:28] Your customers need your Microsoft 365 expertise, and CoreView has the only M365 management platform designed for MSPs.

[00:12:37] Manage hundreds of tenants, automate manual tasks, and monitor compliance, all while intelligently comparing to the baseline.

[00:12:44] With a no-code control approach, CoreView revolutionizes your Microsoft 365 administration.

[00:12:51] This powerful platform enables automatic reporting and remediation, ensuring optimal performance and security.

[00:12:58] The best part?

[00:12:59] You achieve this high level of service without the need for a large workforce, allowing you to focus on growing your business through efficiency.

[00:13:07] Want to know more?

[00:13:08] Visit coreview.com slash MSP and find out more.

[00:13:15] Thanks for listening.

[00:13:16] Today is National Candy Corn Day.

[00:13:19] It's also National Treat Your Pet Day.

[00:13:21] Don't treat your pet with candy corn.

[00:13:24] But if you don't like it, give it to me.

[00:13:26] I've always been a fan.

[00:13:27] If you've got a comment or a thought on a story, put it in the comments if you're on YouTube, or reach out on LinkedIn if you're listening to the podcast.

[00:13:33] I will be at IT Nation next week, so reach out if you want to connect.

[00:13:37] And if you enjoy the show, give a review and make sure you've subscribed or followed on your favorite platform.

[00:13:43] I'll talk to you again tomorrow.

[00:13:47] The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines, posted at businessof.tech.

[00:13:54] If you like the content, please make sure to hit that like button, follow or subscribe.

[00:14:00] It's free and easy and the best way to support the show and help us grow.

[00:14:05] You can also check out our Patreon where you can join the Business of Tech community at patreon.com slash MSP radio.

[00:14:13] Or buy our Why Do We Care merch at businessof.tech.

[00:14:17] Finally, if you're interested in advertising on this show, visit MSPradio.com slash engage.

[00:14:25] Once again, thanks for listening to me.

[00:14:27] I'll talk to you again on our next episode of the Business of Tech.

[00:14:34] Part of the MSP radio network.