What is Cloud Computing?
You hear about ‘the cloud’ a lot these days. The IT term has worked its way into popular culture, and most people have some idea of what cloud computing involves. But what exactly is the cloud? Where is the cloud? There’s an undeniable mystique surrounding cloud computing, but it’s not the strange and elusive technology many take it to be.
In this article, we’re going to answer the question ‘What is cloud computing?’ in simple and straightforward terms. It will be the first in a series of four blog posts on cloud computing. The second will take on the topic of how cloud-based services can help businesses grow, the third will focus on the three different types of cloud service models (IaaS, SaaS and PaaS), while the fourth will be about the importance of cloud computing in the managed service provider (MSP) space.
There is No Cloud
Perhaps you’ve seen this bit of tech humor displayed on a t-shirt:
There is no cloud. It’s just someone else’s computer.
They say the best jokes are rooted in truth, and this one is no exception. The truth in question is at the heart of cloud computing — what it is and how it works. Here’s a succinct definition of cloud computing:
Cloud computing refers to the delivery of IT services over the internet on a pay-as-you-go basis.
But here’s the thing: the IT services and resources that are commonly provided over the cloud — servers, databases, storage, networking, software, and more — do not exist in the ether, floating free of any physical basis. Like any computing technology, cloud services live on computers, and more precisely, on servers.
So what makes cloud computing so special? The answer to this question brings us back to the above joke: When you move certain IT functions to the cloud, you’re choosing to use someone else’s computers. More specifically, you’re choosing to store and access your data using servers that are located in huge datacenters owned by cloud providers such as Amazon (AWS), Microsoft (Azure), and Google (Google Cloud).
As opposed to what? Well, as opposed to your own computers (on-premises IT infrastructure). This contrast is at the heart of what makes cloud computing such a powerful technology, but it’s also a common reason why individuals and organizations are wary about moving to the cloud …
The Cloud is Nothing to Fear
A recent report on cloud security found that 75% of enterprises are either “very concerned” or “extremely concerned” about how secure their information is in the cloud. Moving essential IT resources to the cloud — to remote servers that you don’t have physical access to — can sound like a scary proposition; on an intuitive level, business owners might feel like they will have less control over their IT environment and diminished security simply because there is an instinct to keep the things we care about close. It’s the same instinct that drives some people to store cash under their mattress instead of in a bank.
But migrating to the cloud can have huge benefits. Contrary to what some people think, when you move data, apps, and other IT resources to the cloud, you’re not trading security for convenience — it’s more nuanced than that. In fact, there are ways in which the cloud offers businesses a more secure place to store information, as datacenters owned by large cloud providers are protected by top-notch physical security.
On top of that, migrating to the cloud can be hugely beneficial to a growing business’s bottom line. Stay tuned for the second installment in our four-part series of blog posts on cloud computing, where we discuss in more depth how cloud computing can help businesses grow and flourish, while simultaneously protecting critical data.
Now that we’ve defined what cloud computing is, let’s take a look at the different types of cloud computing.
There is No Cloud … There are Many!
Public vs Private vs Hybrid
There are two ways to categorize different cloud-based services: by deployment model and by service model. Let’s start with the deployment categorization, which distinguishes between three types of cloud computing services:
- Public Cloud
- Private Cloud
- Hybrid Cloud
A public cloud is shared and utilized by multiple organizations, and the cloud infrastructure is owned and managed by a third-party cloud provider. Microsoft Azure is an example of a public cloud. The idea of sharing infrastructure with other organizations might give some business owners pause. But here’s the thing: moving certain IT resources and services to a public cloud doesn’t mean that your organization’s data will be accessible to other businesses. You’re only sharing infrastructure with other businesses, not data.
Two key benefits of migrating to a public cloud are cost and scalability. Letting remote servers host your organization’s IT resources means you don’t have to buy, set up, and manage your own on-premises infrastructure. This can save you a lot of money. A study done by Avasant Research found that companies fully utilizing cloud resources cut IT expenses by 15% on average.
Also, when you use a public cloud, you can scale up at the drop of a hat. Need more computing power? Rent more servers. Need less? Rent fewer. This allows you to flexibly and near instantly adjust the amount of IT resources you’re paying for based on your ever-changing needs.
Private clouds are used by a single organization. The IT infrastructure associated with a private cloud can be on-premises or remote, but the bottom line is that it is dedicated to one organization, which allows for greater control and customization compared to the public cloud. Businesses in the healthcare, financial, and governmental sectors frequently use private clouds for the sake of compliance with government and industry regulations.
Hybrid clouds involve elements of both public and private clouds. A hybrid cloud environment can allow organizations to utilize a private cloud for sensitive data or for minimizing latency (the delay the network adds to each request), and a public cloud for workloads that require quick scalability. Hybrid cloud services can also enable a company to make a gradual transition from on-premises infrastructure to cloud computing, instead of migrating all at once.
IaaS vs PaaS vs SaaS
There are three types of service models in cloud computing:
- Infrastructure-as-a-Service (IaaS)
- Platform-as-a-Service (PaaS)
- Software-as-a-Service (SaaS)
These types of cloud services can be delivered via public or private clouds, and they can be understood as forming a hierarchy of responsibility. In plain English, each one represents a greater degree of outsourcing: IaaS hands over some IT resources to a third-party cloud provider. PaaS hands over more. SaaS hands over the most. So, going from IaaS to PaaS to SaaS can be thought of as moving further and further away from fully on-premises IT infrastructure.
So which one is the best?
It depends! Which service model makes sense for a particular business comes down to the particular needs and goals of that business. IT expert Paul Korzeniowski puts this point nicely: “Companies are looking to move daily business services to the cloud. That change is only possible if they can tailor cloud services to their own operations.”
Working with a trusted IT provider who truly understands your business and its goals can be tremendously helpful when it comes to investing in the right type of cloud service model. Watch out for the third installment in this series of blog posts about cloud computing, where we will do a deeper dive into IaaS, PaaS, and SaaS, and the respective benefits of each.
Concluding Remarks
The cloud isn’t so much a new technology as it is a new way of utilizing and mobilizing technology that has been around for decades. In other words, cloud computing isn’t a new kind of IT resource, but a new way of delivering familiar IT resources to individuals and organizations. The reason it exists, like any innovation, is that it helps solve certain problems. Namely, cloud computing provides faster, more flexible, and more cost-effective IT resources — benefits that we will discuss in more depth in our next installment on cloud computing here on The 20 blog: The Top 3 Benefits of Moving Your Business to the Cloud. Don’t miss it!
Written by: Crystal McFerran, CMO
It’s easy to see the value marketing provides when you work in marketing, but it can be a lot harder for others to see the true value of marketing. Marketing feeds into your sales process significantly by generating leads, growing brand awareness and nurturing industry awareness. One of the first steps to really see the return on investment (ROI) is to disconnect your marketing process from traditional, transactional sales. You need to make the intangible become tangible.
How you do this is highly contextual and variable, but it almost always helps to present the data, show the relationships you’ve grown, showcase how your marketing campaigns help sell and then help show how to recognize the intangible parts of what you’ve done throughout the process. What does a lead cost, and how was it fed by your marketing campaigns? By showing this to your company, you can prove your worth.
Seeing Data
The difference between understanding data and seeing data is the difference between dawn and dusk. Dawn marks the start of a new day with new potential, while dusk marks the end of the day, when you wrap up what you’re doing to prepare for the next. You can’t just see the data; you need to really take it in and absorb it.
Data makes up the raw ingredients in your recipe, but metrics are what you get after you cook everything. Raw data can be shaped in many ways, but metrics allow you to show just what the data truly means. There’s a hair’s distance between seeing data and it meaning something.
Seeing Relationships
If some random company remembers your birthday, do you remember that? When your birthday comes, will you think of a random company that didn’t reach out or the one company that actually did? The company that sends me a coupon has a much better chance of me thinking of it than the one that doesn’t. If you reach out, you have the chance of your customers thinking about you.
However, too much interaction can feel oppressive. My spam filter keeps getting smarter because some brands get lazier with their campaigns. Great — you know my birthday, and every day from my birthday to my half-birthday (which no one cares about), but all you’ve done is alienate me with your constant outreach. A relationship requires upkeep, but you can’t smother it to death.
Seeing Sales Shine
The sales process makes up your funnel, and your marketing campaign is the difference between the filter dealing with mud or water. One is easy to clear up; the other requires time and effort. What do you think your sales team’s time is worth? Marketing frees up your salespeople from dead ends and helps keep other parts of your workplace functioning with synergy instead of working against each other.
Your sales team truly shines when they’re handed leads that work with them rather than against them. Your marketing process should cut a lot of junk out of the sales funnel. What do the leads look like before and after you run your marketing campaign?
Seeing The Intangible
The problem with most of our modern marketing efforts is that they’re too intangible in many ways. Your boss doesn’t get that the extra lead came from Joan specifically because she needed a company to solve her issue and she thought of you because of a conference that she got your card from. She saw your number and thought of you, and now she’s directed her entire business toward your sales team. How much does that first domino in the chain weigh for you?
How much did that lead cost you? Can you quantify it easily, or is it something you need to sit down and think about? How many leads do you manage to pull in, and how much do you spend on your marketing? How much does your sales team spend? If you see the data and you really break it down, you can quickly figure out just what happens from your marketing campaigns.
Seeing The Process
What is your brand’s awareness worth? When James thinks of your field, does he think of you and your company? You can’t control what potential clients think, but you can control how they perceive you.
We work to make sure that when people think of scalable IT, they think of us. When they think of visionary, they think of our CEO. We think big from the ground up. The data means we can see exactly where we are and just where we want to go. We don’t just focus on the sales funnel; we focus on the people behind each sale. Sales can really shine when the whole process enables people to see each other on an equal level.
Seeing The Return On Investment
The difference between the pieces we started with and what we’ve created is the difference between six of one and half a dozen of the other. What about the subtlety between lilac and lavender? They’re both floral, but one is bright and alive in a way the other lacks. Make sure you’re brighter than your competitors.
The ROI you get from your marketing is going to depend on just how you approach the process and how you figure out your results. When you can actually differentiate the dawn from the dusk, you can see the implication of your efforts. Does it work for you, or does it just disappear?
What does each transaction get you? A lead is expensive, but what is it worth to you? Your marketing feeds, catalyzes and enables your sales team. Do you see value, or do you just hope for it? Once you can see the process, you have to comprehend it and help others make sense of it. Is marketing a black hole for you, or is it the process that separates you and your competition?
Meet Jerrod Ford, Videographer!
Jerrod Ford quickly became a tremendous asset to the entire team at The 20. Read below to find out more about Jerrod.
What do you do here at The 20?
I shoot, edit, and create video content.
Describe The 20 in three words…
Collaborative. Interesting. Fun.
As a kid, what did you want to be when you grew up?
I’m sure I had quite a few ideas but it sticks out to me that I wanted to operate construction tractors and heavy machinery.
What’s the most challenging thing about your job?
Organizing terabytes of files.
What do you consider your greatest achievement?
Being able to provide for myself doing things I enjoy; however, I hope my greatest achievements still lie ahead of me.
What do you think is the most important quality necessary for success?
Consistency.
What do you like most about The 20?
The people.
What do you like to do in your spare time? / What are your hobbies?
I play drums, make music, and dabble with guitar and piano. I also enjoy mountain biking and running.
Where are you going on your next vacation?
Not 100% sure but hopefully the beach!
What’s your top life hack?
Taking care of your body takes care of your mind.
Interested in working with Jerrod at The 20? We’re hiring! Check out our Careers page for more info.
Cyber insurance is simple in concept, but complicated (to put it lightly) to implement. It’s a form of insurance which covers expenses related to a cybersecurity breach or similar. But you’re also getting a cross of the pain points of insurance and cybersecurity. The points make sense when you abstract them a bit, but it’s understanding the what and the why that can be painful.
Business insurance contracts can be confusing and complicated in their exact rules and in what pays out what, but cyber insurance can get even more complicated. It covers topics ranging from compliance, to encryption, MFA, security, backups, and outages. You get a little bit of everything on a level most businesses aren’t ready for. It’s not just a technical question; there are rules, and they don’t always make sense.
Compliance
Most businesses are familiar with PCI and HIPAA compliance, but there are even more standards you may or may not need to pay attention to. Which one does your cyber insurance solution use, prefer, or encourage? There are a lot of standards, but some are more pressing than others.
You also have to consider GDPR and CCPA compliance in some industries and economies. There are even more compliance solutions such as CMMC and similar popping up that are preferred. If these acronyms and letter jumbles aren’t ringing a bell, you may need to read up before applying for new insurance policies.
Cyber insurance providers are going to ask you how compliant you are. You might feel confident, but just how compliant are you actually? Are you actually compliant or do you just think you are? What level of third-party audits are you performing to make sure you’re doing what you need to? What compliance standards are you using and how close are you adhering to them? What are you auditing, what level are you auditing, and how often are you doing it?
Have you been certified for your compliance tasks? Who is the compliance officer for your business or client? What level of credentials do they have to make them able to fill this role? You may not need to answer all of these on the insurance form, but it’s best to have the answers available from a security and business liability standpoint.
Encryption
Is data wide open or is it encrypted? What about your backups? What level or type of encryption is in use? Cyber insurance companies are going to ask these questions, and dig much, much deeper.
Are you encrypting communications internally and externally? How about VPNs between sites and for remote workers? Or do you use an advanced SASE system instead?
Encryption is a fundamental part of security and one which will come up constantly with cyber insurance offerings. Some plans may not require it for some industries, but it’s always a good plan to have some level of encryption in your security stack. Data exfiltration isn’t just a liability from an insurance perspective; it’s a liability to a business.
At the very least, it’s near trivial to implement an encryption policy for individual devices including desktops, laptops, and phones. You can work to encrypt sensitive data in SQL and similar to protect sensitive applications. You need to also make sure backup solutions are encrypted where possible as well.
There isn’t a one size fits all approach to encryption. Some products you need for your industry may not work as expected with encryption on certain data. Other products may just not have encryption as an option. Cyber insurance providers are aware you may have your hands tied, but they need to know to properly assess liability.
Scope of Data
How much data are you managing? How many individual records are there and how are they classified? Do you have generic data on a million individuals or hugely in-depth, personal data on a smaller set? You don’t need to have exact numbers (necessarily), but you need to have a rough scope of what you’re working with.
The more data you have which is personally identifying, the more it can impact HIPAA, PCI, etc. compliance. How much data you have also impacts how likely you are to be a target. Personally Identifiable Information (PII) is worth a lot to certain groups. The right PII can be used to carry out social engineering attacks or even used to circumvent certain security systems (e.g. biometric data).
What type of data do you have and where are you storing it? Are you using cloud repositories such as Dropbox and OneDrive to store certain data or is it all local? The where is as important as the what: an insecure onsite backup is less safe than a secured cloud system, and a properly secured private cloud is the safest of the three.
Cyber insurance vendors want to know what kind of data you have and where it is. This determines how large your attack surface may be and what is potentially at stake for your business in the event of a breach.
Multi-Factor Authentication and Credentials
Do you apply Multi-Factor Authentication (MFA) across the site with everything possible? If not, is there a good reason (e.g. nothing of any real value) or is it due to a technical limitation of a service?
MFA solutions will help cut down on the value of a password substantially, which increases the inherent security of a system. This leads to a harder time breaching a specific site or data repository. Some cyber insurance providers want MFA applied to virtually everything, others are a little more flexible with the right security setup. Either way, a lack of MFA on core infrastructure and important data sources is a serious security concern.
MFA blurs into protecting and limiting access to privileged user accounts as well. Sometimes, you need a specific admin account while the person managing said service needs substantially less access to do their job. Are you using a single account or reducing the chance of being breached by having the admin account locked up somewhere?
Solutions like ITGlue (despite being a documentation product, it manages passwords as well) can help limit this access and provide a way to audit who has accessed a given resource. You get a system to account for who has what access and when they use it. This allows for better monitoring of credential usage and allows a gatekeeping process for privileged accounts.
Security
What AV solution are you using? Are you using a Next-Generation Antivirus (NGAV) solution, an Endpoint Detection and Response (EDR) system or similar across the business? What about next-generation firewalls like Palo Altos or similar which can work at layer 7? Are you using zero trust architecture?
Security may also include services or processes such as a SOC, NOC, SIEM, proactive monitoring, proactive auditing, etc. How aware are you of every change to every asset for your business and how do you make sure that everything is complying with your security policy? How often are you installing patches? What legacy software or solutions are in use? Are you using protective DNS services to prevent bottom-of-the-barrel attacks and similar? Do you have an isolation policy or the ability to easily isolate compromised assets?
Many cyber insurance vendors also dive into email and phishing. Are you using DKIM, SPF, and DMARC to help detect spoofed or otherwise questionable emails? Are you using advanced spam filters and similar to reduce the attack surface even further? There are far more questions any good MSP or security provider should be asking.
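As an added example (not code from The 20 or from any email-security vendor), the check below grades a domain’s SPF, DMARC, and DKIM posture from the raw DNS TXT record strings, which is the kind of evidence an insurer’s questionnaire is really asking for. The records are constructed inline for a fictitious example.com so the script runs offline; in practice you would fetch them with a DNS resolver from the domain root, `_dmarc.<domain>`, and `<selector>._domainkey.<domain>`. The severity labels are this example’s own convention.

```python
"""Grade SPF / DMARC / DKIM TXT records for common weaknesses.

Added example, not The 20's code. Records below are constructed for the
fictitious domain example.com; a real check would resolve them via DNS.
"""
import re


def parse_spf(txt):
    """Return (terms, qualifier-of-'all') for an SPF record, or None if not SPF."""
    if not txt.lower().startswith("v=spf1"):
        return None
    terms = txt.split()[1:]
    all_q = None
    for t in terms:
        m = re.fullmatch(r"([+\-~?]?)all", t, re.I)
        if m:
            all_q = m.group(1) or "+"      # a bare 'all' means '+all' (pass)
    return terms, all_q


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if this is not a DMARC record."""
    if not txt.lower().replace(" ", "").startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess(spf_txt, dmarc_txt, dkim_txt):
    """Return a list of (severity, message) findings for one domain."""
    findings = []

    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append(("high", "no SPF record"))
    else:
        terms, all_q = spf
        if all_q is None:
            findings.append(("medium", "SPF has no 'all' term; unlisted senders are neutral"))
        elif all_q in ("+", "?"):
            findings.append(("high", f"SPF ends with '{all_q}all': any host may send as this domain"))
        # include:, a, mx, redirect= and exists: each cost a DNS lookup; RFC 7208 caps them at 10.
        lookups = sum(1 for t in terms if re.match(r"(include:|a\b|mx\b|redirect=|exists:)", t, re.I))
        if lookups > 10:
            findings.append(("medium", f"SPF needs {lookups} DNS lookups (limit 10): receivers return permerror"))

    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append(("high", "no DMARC record"))
    else:
        p = dmarc.get("p", "").lower()
        if p == "none":
            findings.append(("medium", "DMARC p=none: spoofed mail is reported but still delivered"))
        elif p not in ("quarantine", "reject"):
            findings.append(("high", f"DMARC policy '{p or '(missing)'}' is invalid"))
        if "rua" not in dmarc:
            findings.append(("low", "DMARC has no rua= address; aggregate reports will never arrive"))
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            findings.append(("low", f"DMARC pct={pct}: policy applies to only part of failing mail"))

    # A DKIM selector record with an empty p= tag is a revoked key.
    m = re.search(r"(?:^|;)\s*p=([^;]*)", dkim_txt or "")
    if not m or not m.group(1).strip():
        findings.append(("high", "DKIM selector record missing or key revoked (empty p=)"))
    return findings


# Constructed sample records (not real DNS data) for example.com.
WEAK = ("v=spf1 include:_spf.example.net +all",
        "v=DMARC1; p=none",
        "v=DKIM1; k=rsa; p=")
STRONG = ("v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
          "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA_PLACEHOLDER")

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("strong", STRONG)):
        print(name, assess(*recs) or "no findings")
```

The two constructed record sets bracket the range an assessor sees: the weak set yields four findings (two of them high), the strong set none. The lookup counter is a simple approximation because it does not follow `include:` chains recursively; a full evaluator would.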
These questions are ones you should be asking yourself regularly anyway, but cyber insurance brings them to the forefront. Here at The 20, we try to have solutions to virtually all of these questions which fit the needs of secure industries without making work painful. Security requires a balancing act between absolute security and functionality. The right education and the right security solutions can keep your business running smoothly.
Backup
We touched on some parts of backups previously, but cyber insurance dives into this process deeply. The difference between a business with a good Disaster Recovery (DR) policy and one without getting ransomware is the difference between a bad day and bankruptcy. Are you backing up important infrastructure and data? Are you checking your backups and making sure that things are working as expected? Do you keep cold backups or an air-gapped solution to keep data safe? Are you encrypting your backups to prevent exfiltration or exposure in the event of a backup provider having a breach?
These are all best practices for backups at any level, and solutions like Unitrends and similar have made the process relatively easy. What backup provider are you using and how are you making sure it doesn’t become a liability? In the post-security world, it isn’t a matter of if but when you’re breached that makes all the difference. Downtime is extremely expensive.
Standard security policies need to be applied to backups as well. Are you making sure that there aren’t shared credentials or similar to prevent easy exfiltration? Do you use some kind of system to control access to credentials with correct privileges to prevent accidental access? Are you using MFA where possible to limit access to replication vaults or backup appliances where possible?
Uptime
How much uptime do you have? When is the last time your site went down and how long was it for? Why did you have downtime and what could you do differently? All of these are going to be lines of near-inquisition from a cyber insurance vendor.
You can tell them what you plan to do, but no plan survives an encounter with the enemy. What happened when you actually had to test your plan? Were you down for a few minutes or down for days? Are you making sure to shore up said issues or are there ticking time bombs at your business?
Security is meaningless if someone bypasses it or if the response doesn’t work. Post-security also means that prevention is only one half of the equation to a proper defense for your business. Do you have a track record of your assets going down or is your infrastructure resilient?
The more likely a business is to suffer negative downtime, the harder it is to justify insuring said business. You can have everything great in theory, but how has it been tested? Or has it?
Summary
The cyber insurance process is extremely complex, but all of the questions asked will make sense. They want to know what you do, how you do it, and how it’s worked out. Virtually every question on a cyber insurance application is one you should already have in your primary security and business plan for yourself or your client (even if the form isn’t the same).
Are you adhering to compliance standards which affect your industry? How do you know? Are you encrypting any and all data that makes sense? How much data are you working with and where is it? Do you use MFA where possible? What is your proactive and response security like and what all are you throwing at keeping your business safe? How good are your backups and are they actually functional? How much downtime have you had, what caused it, and how did you respond?
Asked this way, all of these questions boil down to a basic security plan. You just need to know every detail and every facet to ensure that your business is actually secure, and a way to put it in something that can be converted to financial details. Can you walk the walk or just talk the talk? Use a cyber insurance checklist (or ideally multiple checklists) as a roadmap for your own business success.
Contact us at The 20 to learn more about what we can do to make your business grow.
What is a SOC?
It’s good to be nervous about the recent explosion of cybercrime, but it’s even better to be prepared. If you’re a business owner, now is the time to invest in your organization’s security posture, but deciding how much to invest, and which tools, strategies, and solutions to invest in, can be difficult, confusing, and stressful. You want to be responsible and keep your business safe, but your budget is limited, which means you’ll have to make tough choices about where and how to spend it. This is especially true for small-to-medium-sized business (SMB) owners, who can’t afford the same protective measures as corporate giants. This article is written with you in mind.
One security solution you might have heard about as an SMB owner is a security operations center (SOC — pronounced “sock”). The following discussion will help you answer two questions:
- What is a SOC?
- Should I establish a SOC for my SMB?
We can’t definitively answer the second question for you, as your business’s particular needs are just that — particular (i.e., unique to your situation). But we can provide general guidelines that will assist you in making an informed and responsible decision.
What is a SOC?
Defining a SOC
The term “SOC” is sometimes used to refer to a facility that houses a team of information security experts. But this definition is quickly becoming obsolete, as there are virtual SOCs which do not exist at a single location. A better definition equates a SOC with the cybersecurity personnel themselves, along with the processes and technology they employ to monitor and manage an organization’s security posture in real time (and generally on a 24/7 basis).
The overarching purpose of a SOC is to bolster an organization’s cybersecurity by identifying, mitigating, and preventing risks before they escalate into larger, business-disrupting problems. In our day and age, being proactive about cybersecurity — as opposed to reactive — is a must, and establishing a SOC means fully embracing the proactive philosophy.
Who is in a SOC?
The exact makeup of a SOC will vary, with larger SOCs containing more people and more specialized roles. But, generally speaking, a SOC team will include analysts, engineers, and managers.
Analysts’ primary responsibility is to detect potential security threats and assign them a level of urgency in order to trigger the appropriate response. Your SOC’s analysts are your first line of defense against malicious actors who want to penetrate your organization’s network.
A SOC’s engineers design, implement, and maintain the tools that constitute your organization’s security architecture. This means ensuring that your systems receive regular updates, as well as recommending any changes that seem necessary in light of the ever-evolving security landscape. Security engineers are also responsible for documenting security processes and protocols, which allows the rest of the SOC team to carry out their duties effectively and efficiently, as well as ensures that your organization remains compliant with relevant governmental and industry regulations.
Overseeing the entire SOC are security managers. A security manager’s duties are many, and include coordinating the activities of analysts and engineers, hiring/training new staff, working closely with management (e.g., the chief information security officer) to align security strategies with business goals, and spearheading responses to major security incidents.
Some SOCs will have personnel with highly specialized roles (e.g., compliance auditors and forensics investigators). Also, depending on the size of a SOC, a single person may take on multiple roles.
How does a SOC work?
Security Information and Event Management (SIEM)
A SOC protects your organization by proactively scanning your organization’s entire digital infrastructure — networks, databases, servers, endpoints, applications, websites, etc. — ideally on a 24/7/365 basis.
Most SOCs exhibit a “hub and spoke” architecture, where computer-generated log data from various systems in your organization is continuously collected and analyzed for anomalous (i.e., suspicious) activity. The amount of data we’re talking about here is vast, and the modern SOC employs a security information and event management (SIEM) system to corral all of this information and organize it in a way that makes it amenable to human analysis.
The power of SIEM software comes from its ability to sift through huge batches of data in mere seconds, and employ machine learning to define “normal” network activity. The latter is especially crucial for preventing “threat fatigue,” which arises when a SOC is overwhelmed by simply too many alerts, many of which are false alarms. With an effective SIEM solution, a SOC can rely on technology to weed out false positives, freeing up team members to focus on actual threats.
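The correlation a SIEM performs on log data can be shown at toy scale. The script below is an added example, not The 20’s code or any SIEM product’s: it parses constructed OpenSSH `sshd` authentication lines (source addresses are RFC 5737 documentation ranges), builds a per-source baseline of failed logins, and flags two things an analyst would want surfaced: a source whose failure count is an outlier against the baseline, and a run of failures followed by a success from the same source. The 5-minute window, the burst cap, and the median-plus-3-MAD rule are this example’s assumptions.

```python
"""Toy SIEM correlation over sshd auth logs: baseline and outlier detection.

Added example, not from The 20 or a SIEM vendor. Log lines are constructed;
IPs are RFC 5737 documentation addresses.
"""
import re
import statistics
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(line):
    """Return (timestamp, failed?, user, src) or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog has no year; fine for deltas
    return ts, m["result"] == "Failed", m["user"], m["src"]


def analyze(lines, window=timedelta(minutes=5), burst=10):
    """Return {src: (severity, message)} for sources whose behaviour stands out."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e[0])
    failures = {}            # src -> list of failed-login timestamps
    findings = {}
    for ts, failed, user, src in events:
        if failed:
            failures.setdefault(src, []).append(ts)
            continue
        # A success preceded by a run of failures from the same source inside
        # the window is the classic "guessing that eventually worked" pattern.
        recent = [t for t in failures.get(src, []) if ts - t <= window]
        if len(recent) >= 5:
            findings[src] = ("high", f"{len(recent)} failures then success as {user!r} within {window}")
    # Baseline: per-source failure counts. Anything above median + 3*MAD, or
    # over the hard burst cap, is an outlier. (Real baselines use days of
    # history and many sources; three sources here only illustrate the rule.)
    counts = {src: len(stamps) for src, stamps in failures.items()}
    if counts:
        vals = list(counts.values())
        med = statistics.median(vals)
        mad = statistics.median(abs(v - med) for v in vals) or 1
        for src, n in counts.items():
            if src not in findings and (n >= burst or n > med + 3 * mad):
                findings[src] = ("medium", f"{n} failed logins vs baseline median {med}")
    return findings


def _line(ts, result, user, src, port):
    """Build one constructed sshd log line in OpenSSH's format."""
    inv = "invalid user " if result == "Failed" and user == "admin" else ""
    return f"Mar 10 {ts} bastion sshd[4242]: {result} password for {inv}{user} from {src} port {port} ssh2"


# Constructed sample: 12 rapid failures then a success from one source,
# a single typo from a normal user, two slow failures from another, and a
# cron line the parser must ignore.
SAMPLE_LOG = (
    [_line(f"09:0{i // 6}:{(i % 6) * 10:02d}", "Failed", "admin", "198.51.100.7", 50000 + i)
     for i in range(12)]
    + [_line("09:02:30", "Accepted", "deploy", "198.51.100.7", 50012),
       _line("09:05:00", "Failed", "alice", "203.0.113.5", 40001),
       _line("09:05:20", "Accepted", "alice", "203.0.113.5", 40002),
       _line("09:07:00", "Failed", "bob", "192.0.2.9", 41001),
       _line("09:09:00", "Failed", "bob", "192.0.2.9", 41002),
       "Mar 10 09:10:00 bastion CRON[99]: (root) CMD (run-parts /etc/cron.hourly)"]
)

if __name__ == "__main__":
    for src, (sev, msg) in analyze(SAMPLE_LOG).items():
        print(f"{sev.upper():6} {src:15} {msg}")
```

Only 198.51.100.7 is reported, and it is reported once at the higher severity: the twelve failures would already trip the baseline rule, but the success that follows them is the finding an analyst needs first. The single failed attempt from 203.0.113.5 followed by a success is exactly the benign noise the baseline exists to suppress.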
Incident Response
When a SOC does come across a legitimate threat, it’s all systems go. After the urgency of the threat is established, a sequence of responsive measures is initiated to shrink “breakout time” as much as possible (“breakout time” is the time it takes an intruder to move from the first compromised machine to other parts of your network). These measures can include isolating endpoints, deleting files, stopping harmful processes, and deploying backups to negate ransomware.
Prevention Techniques
In addition to detecting and responding to threats, a SOC is also tasked with preventing incidents from occurring in the first place. One way a SOC achieves this is by analyzing breaches and performing “root-cause analysis,” which allows security personnel to trace a cyberattack back to its source. Finding out where intruders were able to penetrate your network enables your SOC to shore up gaps in your security posture and prevent similar events from occurring in the future. A SOC can also prevent future attacks by proactively searching for weaknesses in your network and system. “Ethical hacking,” for example, involves members of your SOC attempting to breach your network to learn what will and won’t work when actual hackers make similar attempts.
Does Your Organization Need a SOC?
A SOC can do wonders for your organization’s security posture, which raises the question: why would any company choose not to have a SOC?
That one’s easy — a SOC is pricey! Paying the salaries of the personnel alone will set you back a good amount (security experts can command 6-figure salaries).
That said, times have changed, and the chances of experiencing a cyberattack have risen sharply in the past few years. The FBI’s Internet Crime Complaint Center received 791,790 cybercrime complaints in 2020, a 69% increase from 2019. These complaints represented more than $4.2 billion in losses. We live in dangerous times, and taking extra precautions to keep your business safe isn’t paranoid in the current climate; it’s sensible. Establishing a SOC for your business gives you something that’s hard to put a price tag on: peace of mind.
However, certain businesses need a SOC for more than peace of mind. If your company is in one of the following industries, a SOC isn’t just a good idea, but a necessity, as it will be vital to protecting highly sensitive client information and intellectual property:
- Payment Card Industry
- Healthcare
- Manufacturing
- Financial Services
- Government Agencies
- Education
To be clear, even if your business is not in one of the above industries, you should not automatically conclude that you don’t need a SOC. For instance, if you have ongoing security issues or if you’ve suffered a serious breach in the past, investing in a SOC might be a wise business decision. Another reason to seriously consider opting for a SOC is compliance. If you’re facing a bevy of strict regulations, or if maintaining compliance is something your organization is struggling with, a SOC can help you put those issues to bed.
At the end of the day, deciding whether to set up a SOC is a complex cost-benefit analysis. Whatever decision you make for your business, it’s important to keep in mind the following: a SOC relies heavily on technology, but the strength of a SOC ultimately comes from people. Your organization’s security posture is something that needs to be actively maintained, as the threat landscape is in a state of continual flux. So, if you do opt for a SOC to keep your business protected, you want to focus on building a team of committed professionals who continually strive to keep abreast of trends in the cybersecurity world. Anything less isn’t worth the investment.
Meet Corey Staton, IT Support Desk Technician!
Corey Staton quickly became a tremendous asset to the entire team at The 20. Read below to find out more about Corey.
What do you do here at The 20?
For the time being, I am a tier 1 support desk technician that services level 1 tickets with end users.
Describe The 20 in three words…
Like a family.
As a kid, what did you want to be when you grew up?
I never had a particular job in mind growing up, just that I wanted to help everyone that I could. My main goal as a kid was to build an exo-suit style support system for the elderly/disabled to help with motor movements.
What’s the most challenging thing about your job?
If I had to pick the “most challenging” aspect of my job, I’d have to say that it is just the nature of it being remote support and not involving any hands on support.
What do you consider your greatest achievement?
I would have to say that my greatest achievement would have to be finding my wife in High School rather than having to search for her as an adult.
What do you think is the most important quality necessary for success?
I believe that the most important quality that is needed for success in any field is going to be communication. Both the ability to speak up and relay a message effectively, while also being able to listen and understand what is being communicated to you are extremely crucial to anyone’s success at anything that they do.
What do you like most about The 20?
As mentioned previously, The 20 feels so much like a family and there is genuine care from everyone I have interacted with here. I have had event after unfortunate event happen outside of work and have had nothing but support from those here at The 20 and it means so very much to me to have that kind of support from those who have nothing to do with said events.
What do you like to do in your spare time? / What are your hobbies?
I’m quite a social person but as my friends and I have gotten older and moved apart, the main way that we stay in communication and actually spend time together is in video games. In the event that we do get to spend time together physically we will camp, hike, party, and so many more less digital things.
Where are you going on your next vacation?
The next vacation that involves a trip somewhere will most likely just be to Galveston. I lived there and had many relatives that have since passed and have not been back since so I would like to see what all has changed.
What’s your top life hack?
Rice cookers. It’s one of those things that you really wish you had every time that you could use one but then you don’t think about it again until the next time you need it. They also make great wedding gifts if you need to get one.
Interested in working with Corey at The 20? We’re hiring! Check out our Careers page for more info.
Secure Access Service Edge, also called SASE (pronounced “sassy”), is an emerging architecture that delivers networking and security together as a cloud service, to solve modern security problems in a scalable and efficient manner. The easiest way to think of it is as a next-level VPN: a lightweight software client connects each user or site to a provider-operated network, and access to each resource is granted conditionally, based on who the user is and what state their device is in, rather than simply because they are “inside” the network. That conditional access is what lets you implement a zero trust architecture while the underlying plumbing is abstracted away as a service (XaaS).
While zero trust architecture is a strategy, SASE manifests as a solution. The general SASE stack combines, in some combination, solutions that address the following: Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Firewall as a Service (FwaaS), Zero Trust Network Access (ZTNA), and SD-WAN for the connectivity underneath. We’ll get into exactly what these all are and why they matter for security in a bit. In short, with the right solution you address many of the cost-prohibitive points of securing cloud and hybrid environments with minimal effort at scale.
With continuous threats across the globe, and new work paradigms, security has taken a turn. It’s neither better nor worse, it’s just more complex for people who haven’t kept up. It’s a lateral move if you have managed to stay relevant, but it’s a lot of catch-up otherwise.
Phishing is still alive and well. You have to address the human element of cybersecurity, avoid social engineering, and tackle all of the many technical concerns as well.
IaaS, XaaS, and Zero Trust
With infrastructure migrating to the cloud, paying a premium for a predictable monthly bill has become cheaper than carrying the risk of hardware failing. It can make sense to ensure that the liability is owned by a vendor even if it costs more over the long term. We’ve reached the point where virtually everything technical is available as a service, because it is both technically and economically feasible. Firewalls can live in the cloud because processing resources, bandwidth, and the cost of security have reached the point where it’s commercially viable.
Infrastructure has gotten more abstract and more complex. You aren’t securing a site anymore, you’re securing a patchwork of vendors, clients, and even employee networks. A block of servers lives in Azure (some with Nerdio, a few with Crayon, others vanilla), another resource lives in AWS, and everything is tied in with a mixture of legacy on-premise systems and other cloud vendors. Throw in work from home, business travel needs, and ballooning security concerns and compliance measures and you get a recipe for complexity which can drive IT costs up rapidly.
It’s expensive and near impossible to build a system where every component can be trusted or even vetted. Add external vendors and partner networks, and traditional perimeter measures such as subnetting and VLANs break down quickly: a flat “inside” network that is trusted by default is exactly what an attacker who has phished one employee needs. This has led to the creation of zero trust architecture (as a strategy) and to technical SASE solutions implementing it (among other technologies).
The Technologies That Make Up SASE
SASE delivers the network and its security controls as a service, with zero trust as the underlying strategy and the technologies to make everything work together seamlessly. Instead of your infrastructure being a network onsite that everyone VPNs into before dealing with jump boxes and the like, users just run an application (for most solutions). You get something like a VPN, but the access rules are defined per user and per application, and the underlying network is hosted transparently in the cloud.
SD-WAN (Software Defined Wide Area Networking) has made it easy to tie together disparate LAN infrastructures in a way that makes the process transparent. Networks have gotten more complex with BYOD, work from home, and branch offices all needing shared connectivity to enterprise resources. That connectivity enlarges the attack surface, so companies turn to Secure Web Gateway (SWG) solutions to filter web traffic and block threats, and to Cloud Access Security Broker (CASB) solutions to control and monitor access to cloud applications and the data moving through them, including misuse by insiders.
Security continues to get more complicated with the need for layer 7 (application-aware) firewalls. Zero Trust Network Access (ZTNA) is virtually essential, since with so many moving parts the best strategy is to never trust and always verify: each request is authenticated and authorized against identity, device posture, and the specific application, never on the basis of network location alone. Firewall as a Service (FwaaS) then glues the security pieces together, enforcing one policy across an abstract network that spans clouds and sites, so that there is consistent, secure access across the distributed environment.
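The “never trust, always verify” rule is easiest to see as a policy decision. Below is an added example (not code from the original article and not any vendor’s product) of a minimal ZTNA-style policy decision point. Every request is checked against identity (group membership), authentication strength (MFA), device posture, and the specific application; the source network is recorded for audit but never used to grant access, which is the practical difference between zero trust and a classic VPN. The users, groups, application names, and posture thresholds are hypothetical.

```python
"""Added example, not from the original article: a minimal ZTNA-style
policy decision point with hypothetical users, apps and thresholds."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    mfa_passed: bool
    device_managed: bool      # enrolled in MDM/EDR
    disk_encrypted: bool
    patch_age_days: int       # days since the OS was last patched
    source_network: str       # "corp-lan", "home", "hotel-wifi": audit only
    app: str


# Hypothetical per-application policy. Anything not listed is denied.
POLICY = {
    "payroll":  {"groups": {"finance"}, "mfa": True, "managed": True,  "max_patch_age": 14},
    "wiki":     {"groups": {"staff"},   "mfa": True, "managed": False, "max_patch_age": 30},
    "prod-ssh": {"groups": {"sre"},     "mfa": True, "managed": True,  "max_patch_age": 7},
}


def decide(req, policy=POLICY):
    """Return (allowed, reasons). `reasons` lists every failed check, so a
    denial is explainable both to the user and to the SOC."""
    rule = policy.get(req.app)
    if rule is None:
        return False, ["no policy for app '%s' (default deny)" % req.app]
    reasons = []
    if not (req.groups & rule["groups"]):
        reasons.append("user not in an authorized group")
    if rule["mfa"] and not req.mfa_passed:
        reasons.append("MFA not satisfied")
    if rule["managed"] and not (req.device_managed and req.disk_encrypted):
        reasons.append("device must be managed and encrypted")
    if req.patch_age_days > rule["max_patch_age"]:
        reasons.append("device patch age %dd exceeds %dd"
                       % (req.patch_age_days, rule["max_patch_age"]))
    # Note what is absent: req.source_network plays no part in the decision.
    return (not reasons), reasons


def audit_record(req, policy=POLICY):
    """The decision plus the context a SIEM would want. source_network
    shows up here, for the analyst, and nowhere in decide()."""
    allowed, reasons = decide(req, policy)
    return {"user": req.user, "app": req.app, "source": req.source_network,
            "allowed": allowed, "reasons": reasons}


if __name__ == "__main__":
    # Constructed requests: same user, same app, different circumstances.
    on_the_road = AccessRequest("dana", frozenset({"finance", "staff"}),
                                True, True, True, 3, "hotel-wifi", "payroll")
    in_the_office = AccessRequest("dana", frozenset({"finance", "staff"}),
                                  False, True, True, 3, "corp-lan", "payroll")
    for r in (on_the_road, in_the_office):
        print(audit_record(r))
```

Run as a script, the request from hotel Wi-Fi is allowed and the one from the corporate LAN is denied for missing MFA, which is the point: being on the office network earns nothing by itself. A production ZTNA broker adds continuous re-evaluation (posture changes mid-session revoke access) and pulls posture from the endpoint agent rather than trusting fields the client asserts.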
How SASE Solutions Work
With the complexity of the security landscape, even security-oriented MSPs are having to leverage specialist solutions to build the right cybersecurity packages. SASE vendors like Palo Alto, Cato Networks, Cloudflare, Todyl (and more) have built scalable, software-defined solutions that are straightforward to deploy. For many solutions, it feels like connecting to a VPN, but it covers many security angles in one package. Some tools also cover SIEM (Security Information and Event Management) functions and more.
Cloud firewall solutions and SD-WAN solutions allow the service to unify disparate networks in an easy, scalable, ad-hoc method. Using a next-generation application firewall (our partner BLOKWORX uses Palo Alto firewalls) allows the infrastructure to become more locked down in a way that enables the establishment of a Zero Trust Architecture methodology that’s easily managed and easily scaled. CASB solutions help manage data in and out of the virtual network and between devices. SWG further protects the devices from the greater internet, but also limits their interaction with internal assets in a more granular, application-defined way.
The exact way they integrate with a site will vary depending on the vendor and what is available onsite. Some solutions may require an appliance for larger branches or similar, others may be completely cloud-based. The equipment required to get started is usually pretty minimal compared to trying to build your own solution to get the same results.
SASE isn’t really new, but the ability to manage so many disparate technologies in a unified manner makes it more practical to administer and scale for a business. You don’t need to jump between multiple consoles and tweak settings while tracking the changes between each and every item, it’s all done from a single pane of glass or at least in a single solution. This lowers the burden of setup and maintenance and makes it easier to audit changes.
The 20 Named in the Dallas 100: The Fastest-Growing Private Companies in North Texas
PLANO, TEXAS NOVEMBER 8, 2021
Leading MSP consortium The 20 is being acknowledged by The Caruth Institute for Entrepreneurship at Southern Methodist University’s Cox School of Business, in The Dallas 100: The Fastest-Growing Private Companies in North Texas.
This annual list provides a definitive list of the fastest-growing companies that are headquartered within the Dallas-Fort Worth metroplex. To qualify for the Dallas 100, companies must be privately held corporations, proprietorships, or partnerships. The company must also be an operating company with at least three years of history, with sales of at least $500,000, but less than $75 million, in the first of the three years.
“We are honored to be recognized in the Dallas 100: The Fastest-Growing Private Companies in North Texas,” said Tim Conkle, CEO of The 20. “We’ve seen impressive growth in the company, and we’ve worked hard to design a partner program that reflects our dedication to their success. The 20’s success is inextricably linked to that of our MSP members.”
The 20 MSP will attend The Dallas 100 Entrepreneur Awards on Thursday, November 18th at the Omni Dallas to accept their official award.
About The 20 MSP
The 20 is an exclusive business development group for Managed Service Providers (MSPs) aimed at dominating and revolutionizing the IT industry with its standardized all-in-one approach. The 20’s robust RMM, PSA, and documentation platform ensures superior service for its MSPs’ clients utilizing their completely US-based Help Desk and Network Operations Center. Extending beyond world-class tools and processes, The 20 touts a proven sales model, a community of industry-leaders, and ultimate scalability. For more information, visit: https://www.the20.com.
Follow The 20 MSP: Twitter, LinkedIn, and Facebook.
What is an SLA?
A Service Level Agreement (SLA) is a written document that defines a set of services and the parameters for their delivery.
SLAs can exist between departments within a single organization. For instance, an IT provider might have an SLA that establishes the ‘services’ marketing owes sales each month (e.g., a certain number of qualified leads). However, an SLA most commonly refers to a written contract between a service provider and a client. Our focus here will be on SLAs that Managed Service Providers (MSPs) use with their clients.
If you’re an MSP, the purpose of your SLA is to define the type and scope of services you are committed to offering a client. In addition, your SLA should clearly establish the following items:
- Desired/Expected Performance Levels (and attendant metrics)
- Service Availability
- Customer Responsibilities
- Consequences of Breach
This list is not exhaustive, and we recommend that you look into working with legal counsel when crafting SLAs for your own organization. There are also a variety of templates available online. These can be helpful, but it’s important not to neglect the unique features of your business when drafting an SLA. After all, your SLA is the cornerstone of your documentation, in that it sets down a clear picture of what customers can expect from you. If your SLA is generic, misinterpretations — whether willful or not — can arise between you and your customers. If it’s unrealistic, you’re just setting your MSP up for failure.
So, when drafting an SLA, aim for two things: clarity and accuracy. You want to tell your customers exactly which services you’re providing, how you’ll be providing them, when you’ll be providing them, etc. Define your services clearly. But it’s just as important that the services you define are in fact your services — i.e., the services you know your MSP can deliver, not the ones you hope it can. It’s better to set modest goals in your SLA and then exceed them than it is to set ambitious ones and fall short.
Let’s take a closer look at SLAs. This article will help you understand what the standard components of an SLA are, what the purpose of each component is, and why your MSP needs a good SLA to operate at its best.
Standard Components of an SLA
Type and Scope of Services
What services can your client expect from your MSP? Your SLA needs to answer this question with total clarity. In fact, it can be a good idea to not only list and describe the services you’re offering, but also, certain exclusions. For instance, if you have reasonable grounds to believe that a particular client is expecting a service that your MSP is not willing to provide, establishing that the service in question is not your responsibility can help head off disputes further down the line. Of course, documentation should always be a supplement — and never a substitute — for verbal communication.
Defining your services in a precise fashion is a key part of managing client expectations; if you do not give your clients a clear idea of what they should expect, their expectations of your MSP can quickly outpace your capacities and become unmanageable.
Desired/Expected Performance Levels
Your SLA should define metrics for measuring service quality. Performance metrics in your SLA give your team performance levels to shoot for, and your clients clear standards by which to hold your MSP accountable. You can set up individual metrics for particular services, as well as more general metrics that reflect your MSP’s performance across multiple services and contexts. Your key performance indicators (KPIs) are core metrics that monitor the overall health of your business.
The metrics in your SLA should establish baseline performance levels that you’re confident your MSP can reliably achieve. In other words, set the bar at a realistic height. It’s important that you share your metrics with your clients, either through an online portal or through some other means, to underscore the value of your services. You can hardly utilize your metrics to that end if they reveal consistent failures to meet your own standards of service delivery.
Although showcasing your metrics can be a powerful business tactic, be careful not to give your numbers too much weight. Remember, achieving KPIs is not synonymous with “providing excellent service” or “making your clients happy.” There are aspects of your service that your metrics don’t capture, and it’s entirely possible to provide service that honors your SLA and still comes up short in some other respect. Metrics are useful for assessing service quality, but they’re not the whole story. And, at the end of the day, there’s no substitute for talking to your clients directly and taking their feedback seriously.
Service Availability
Your clients need to know when they can expect to receive support from your MSP. Include your support hours in your SLA, along with any scheduled maintenance, holidays, and other interruptions to service. Most MSPs give uptime guarantees as a percentage. When defining your MSP’s availability, explain in unambiguous language how your support hours relate to your response times, which are themselves an important component of your MSP’s service availability.
Many MSPs use a tiered system for response time guarantees. Tiers represent levels of urgency, with more urgent tickets receiving faster response times. You can look at how other MSPs do things to get ideas, but at the end of the day, the response times you promise your clients need to be what your MSP is capable of achieving on a regular basis. It can be tempting to promise dazzlingly speedy response and resolution times to win a new client, but if you don’t think your desk can reliably respond to critical issues within 4 hours, don’t make that promise — even if it means losing a potential client. Remember: a dissatisfied and disappointed customer does more harm to your MSP business than failing to close a prospect.
Customer Responsibilities
Your SLA should clarify not only what your MSP owes clients, but what clients owe your MSP. What are their responsibilities? When they have a problem, how should they go about reporting it to you? Be specific. Should they call or email? Does it depend on the severity of their issue? What about your clients’ IT environments — do they need to be up to date in certain respects?
There’s room for negotiation when it comes to finalizing an SLA with a particular client, but make sure to arrive at clear expectations that will allow both parties to benefit from accountability.
Consequences of Breach
Your MSP should of course strive to meet — or exceed — the standards set down in your SLA, but things happen. Even the best MSPs can deviate from their contracts from time to time. What’s important is that you have a system in place for compensating clients in the event of a service failure. A popular approach among MSPs is to provide clients with service credits. But whatever method you adopt, it’s vital that you explain in your SLA exactly how your system of remediation works. If you wish to give out service credits as compensation for service failures, spell out how the service credits will be calculated and distributed. Pick a system that’s fair and stick to it.
Also worth including in your SLA is a “force majeure” clause. The purpose of such a clause is to suspend standard obligations and penalties in times of extraordinary circumstances, such as a natural disaster or an act of terrorism.
The Importance of SLAs to Your MSP
As an MSP, your business depends crucially on recurring revenue generated by long-term clients. In short, you need to build strong, lasting relationships with the people to whom you are providing IT services. A good SLA sets a tone of trust and accountability, establishes your commitment to professionalism, and emphasizes the centrality of transparency and clear communication to how your MSP functions. All of these things provide a solid foundation on which to build healthy and fruitful business partnerships with clients.
Having an SLA and honoring it consistently can go a long way toward preventing unpleasant disputes with your clients, but when tensions do arise, your SLA can serve as a critical de-escalation tool. When your commitments and agreements with clients are written down in clear, unambiguous language, you have something objective and concrete you can point to when emotions are running high. You don’t want to ‘weaponize’ your SLA and use it to disregard your clients’ experiences, but in times of conflict —especially conflict that reaches the level of a legal dispute — protecting your MSP is imperative, and your SLA can help shield you from costly and time-consuming battles with dissatisfied clients.
Finally, a word on how to approach writing SLAs for your MSP. Firstly, focus on getting your “Master SLA” ironed out. This will serve as the template from which you construct specific SLAs for individual clients. A good Master SLA will include the nuts and bolts of your business, and will be easy to alter to fit the unique needs of different clients.
When writing SLAs for different clients, keep their unique needs in mind, as well as the condition of their IT infrastructures. Again, “under-promise and over-deliver” should be your guiding principle when drafting specific components of an SLA.
You also want to make sure you train your staff thoroughly on the protocols and procedures contained in your SLA. When everyone on your team knows what your SLA lays out, you can all sing from the same sheet of music and operate more efficiently and cohesively to secure client satisfaction and build your brand.
Concluding Thoughts
A mature MSP needs robust documentation, which starts with an effective SLA. Your SLA contains all of the important information about your service delivery, and plays a key role in setting and managing client expectations. When you take the time to craft a detailed and comprehensive SLA, you end up saving many hours — and headaches — in the long run. However, even the best SLA can’t prevent client dissatisfaction altogether, which makes it all the more vital that your SLA defines your services with the utmost clarity. In the unfortunate event of a legal dispute with a client, you want an SLA without unnecessary vagueness, because the more ‘wiggle room’ there is, the more an angry client (and their lawyers) can leverage your SLA against you.
Here at The 20, we work with the law firm Ciardi Ciardi & Astin to ensure that our MSP members’ SLAs pass muster, even under aggressive scrutiny. We recommend thinking seriously about consulting with legal counsel to help you draft your SLAs, or to shore up SLAs that you’ve already written. In our litigious age, you really can’t be too careful.
Drafting SLAs and other critical documents for your MSP can be intimidating. The 20 is a group of MSPs who work together to conquer the ‘business side’ of IT. With our guidance and the collective expertise of our community of IT pros, you can navigate the challenges of growing your business with confidence and a proven model for success. Get in touch with us today to learn how we can help.
Meet Robert of Eagle Secure Solutions!
Tell us a little about your MSP…
Eagle Secure Solutions was founded in 2005 in Lebanon, Pennsylvania. Our focus has been providing managed services to the small business and local government sectors. We currently hold PA COSTARS #3 Contract and the Master ITQ Contract, which allows us to directly sell products & services to the state of Pennsylvania.
How long have you been a member of The 20?
Eagle Secure Solutions recently joined The 20 and the partnership has opened new doors for us that we wouldn’t have been able to compete with in the past.
Why did your MSP originally look to partner with The 20?
The 20 provided us a more efficient way to procure the necessary add-on products and services that would have cost more to provide internally. In addition to this, we partner with our fellow The 20 members to find strategic synergy between our MSP practices.
Tell us about the biggest change in your business since joining The 20.
We now offer so many new services that… it’s a matter of making the time to let the business world know what we can do!
What do you like most about being a member of The 20?
I feel like we are part of a community and we are all invested in each other’s well-being. Instead of seeing each other as competition, we are strategic partners for our own company goals and directions.
What do you think is the most important quality necessary for success?
The most important quality for success is knowing when to say I need help.
What are your biggest business challenges?
My biggest business challenge is figuring out how to handle the level of growth that The 20 is helping me to achieve.
What are your areas of focus for 2022?
The focus for 2022 is to continue focusing on local government and small businesses.
What advice would you share with an MSP looking to scale their business?
Do not be afraid to partner with “competition,” and challenge yourself to find partnerships with non-IT organizations, which can potentially provide synergy with your IT products and services.
What book are you currently reading?
I’m not currently reading any books other than those that I read to my first born child, Rebecca.
Favorite blogs/podcasts
Business Radio on Sirius XM to keep my mind open on my 45 minute commute to work and home.
Interested in becoming a member like Eagle Secure Solutions? Click here for more information!