Your checklist to maximizing vendor defensibility

Matt Lee, Pax8 Senior Director of Security and Compliance
A chain link that glows blue

Reduce your risk by choosing your vendors wisely.

Vulnerabilities exist in every technology stack. But as a managed service provider (MSP), you can minimize your clients’ risk by taking these steps and asking your SaaS vendors security questions to ensure they’ve done their due diligence when it comes to cybersecurity—so you can show that you’ve done yours.

What Is Vendor Defensibility?

Vendor defensibility refers to SaaS vendors’ ability to adequately secure user privacy and data. SaaS vendors are prime targets for bad actors because they store massive quantities of data in the cloud that users can access from multiple devices, exposing numerous vulnerabilities, so it’s critical that MSPs implement security frameworks and due care around the vendors they offer because it’s not a matter of if, but when attacks will occur.

Why Do I Need a Vendor Defensibility Checklist?

Technological advancement often happens before adequate safety protocols are put in place—think of the growing pains the aerospace and manufacturing industries went through before reaching modern standards, for example. Likewise, cloud-based technology presents a number of security issues, and new and existing vendors alike need to be up to date on the latest security protocols.

As an MSP, you represent a crucial part of your clients’ cybersecurity supply chain, as do the vendors whose products you offer. Security breaches through SaaS vendors can be very costly to both you and your clients. Not only do these breaches threaten to expose the sensitive data of anyone using the vendor’s technology, but they can also jeopardize your relationship with your clients—and your credibility.

No. 1: Check Your Vendor Against Cybersecurity Industry Standards

First things first: Make sure your vendors possess key general compliance measurements, such as a SOC 2 report and ISO 27001 certification. SOC 2, or Service Organizational Control 2, is a third-party audit that ensures organizations manage customer data based on five principles set forth by the American Institute of CPAs (AICPA): security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports help provide oversight to the organization, and the fact that a vendor has a SOC 2 report should be considered a starting point for judging its security health.

In addition, vendors should have an ISO 27001 (shorthand for ISO/IEC 27001:2022). It’s a security standard put forth by the International Organization for Standardization (ISO), an organization that includes representatives from the national standards organizations of several countries. ISO 27001 provides a framework and best practices for information security management and asks organizations to prove they have a functional information security management system (ISMS) in place. If the vendor is not ISO 27001 certified, it’s worth asking why they aren’t and reconsidering whether you want to work with them.

Another challenge when it comes to these certifications is determining their scope. Does their SOC 2 audit cover all the ways in which you and your clients will use this vendor? If the scope is too narrow, security risks could still exist and leave you and your clients’ business open to cyberattacks.

No. 2: Ask If the Vendor Will Share Their Security Documentation with You

The fact that a vendor has a SOC 2 report is a good starting place for judging their defensibility against attacks. Feel free to ask your vendor if they’ll share their SOC 2 report with you.

Not every vendor will want to share their SOC 2. That shouldn’t be a deal breaker for working with them because regularly sharing a SOC 2 with outside parties could reveal avenues that open them to attacks. The vendor could instead opt to share its SOC 3. A SOC 3 report includes much of the same information as a SOC 2 but in a more publicly digestible format, without the level of detail that could unintentionally open them up to attack. Look to see if the organization has posted a SOC 3 report on their website or ask if they can share it with you directly.

No. 3: Ask If the Vendor Has Had Its Code Reviewed

It’s worth asking a vendor if they’ve had their code reviewed by a third party to determine its health. Unhealthy code could appear in the form of legacy tech debt where the vendor is using deprecated services, for example, or if it’s too complex to consistently test, address faults, and make improvements.

To check an app’s code health, there’s a nonprofit called the Open Web Application Security Project (OWASP) dedicated specifically to improving software security. The OWASP provides a top 10 web application critical security risks, such as authentication and access control, as well as guidance to fix those risks if they are flagged. In addition, the organization’s Application Security Verification Standard (ASVS) gives developers a more formal way to test an app’s security. You can ask if the vendor has tested against this standard and what level they have achieved, from ASVS level 1 (the bare minimum) through level 2 and 3 (recommended for programs that store highly sensitive data, such as personally identifiable medical information).

No. 4: Ask about Any Additional Requirements You Need

Just as the federal government has set out new rules for MSPs, your clients who serve the government or other heavily regulated industries may have additional security requirements, such as FedRAMP or CMMC compliance for government agencies or CJIS for law enforcement. Find out if your clients have any specific security requirements based on their industry and then make sure your vendor can comply with them. If they can’t, find out if that specific industry compliance is on the vendor’s roadmap.

No. 5: Ask to Meet with the Vendor about Their Cybersecurity

One of the best ways to judge a vendor’s defensibility is to ask to meet with them specifically to discuss their cybersecurity. Request a meeting with the vendor’s CTO or head of cybersecurity and come prepared with your questions. Feel free to do your own research about any possible security issues the vendor has faced via Google, review sites, and trusted contacts—of course, take this information with a grain of salt, but also feel free to ask candid operational questions based on your findings.

Preparation Is Key

When it comes to cybersecurity, it’s always better to be safe than sorry. By using this checklist as a starting point, you can do your part to reduce risk for your clients and become a trusted partner.

At Pax8, we remain dedicated to providing MSPs with vetted solutions and deep expertise to help you grow your business. Browse hundreds of products from industry-leading vendors in the Pax8 cloud marketplace.

Explore solutions